Brian Gorenc, Abdul-Aziz Hariri, Jasiel Spelman

L'art de l'évasion: Modern VMWare Exploitation Techniques


Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers whose instances share the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. It is commonly assumed that they securely contain and isolate potentially malicious code; however, we now know this assumption to be incorrect.

Over the past year, the Zero Day Initiative (ZDI) program has begun to see submissions targeting VMware Workstation and Fusion that result in guest-to-host escapes. Additionally, at the Pwn2Own 2017 competition earlier this year, two separate teams managed to exploit a guest operating system, escape the virtual environment, and execute code on the host operating system. This represents the first time such a VMware escape was demonstrated at the contest and earned the contestants the highest cash prizes of the competition.

This talk will dive deep into modern exploitation techniques of VMware vulnerabilities. We start by examining the VMware guest-to-host communications, which occur through the Backdoor channel (yes, it's really called Backdoor). Next, we take an in-depth look at the available attack surfaces on a virtual machine. These include components such as third-party software, remote procedure calls, and graphics drivers.

Finally, we will dive into the exploitation of different types of vulnerabilities in VMware that result in guest-to-host escapes, including the two award-winning entries from Pwn2Own that resulted in $205,000 USD of payouts to the contestants.


Brian Gorenc is the Director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch

Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and as a threat analyst for Morgan Stanley's emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, "Portrait of a Full-Time Bug Hunter." In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program, with the proceeds going to many STEM organizations.