
VMWare Workstation Guest Escape via Shared Printers on COM1 - SANS Internet Storm Center

Shared hardware has always been a weakness of virtualization products. In some cases, side-channel attacks can be used to collect information from other virtual machines, or bugs in drivers can be exploited to fully escape a virtual machine, as happened recently with floppy disk drivers. [1] [2]

The latest variation of this is an attack against VMWare Workstation taking advantage of "COM1". This serial port is configured by default and used for printer sharing. Using printer sharing, the user can access a printer connected to the host [3].

To implement this feature, VMWare uses "vprintproxy.exe". This executable receives the file to be printed from the guest and passes it to the host's printer. The guest uses the serial port COM1 to send data to vprintproxy.exe. The data is sent as an "Enhanced Metafile Spool Format" file, or "EMFSPOOL" file for short. Sadly, vprintproxy.exe does not parse these files safely, and crafted files can lead to exploits against vprintproxy.exe, which runs as whatever user started VMWare.

This is a threat to VMWare Workstation. In particular, if you are using VMWare Workstation to analyze malicious code, you should be extra careful. VMWare released a patch yesterday, but you may have missed it among other Patch Tuesday issues.
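As an added example (not code from this diary or from VMWare), the Python audit below parses a .vmx file and reports the serial devices backed by the virtual printer, so analysis VMs that still expose the COM1 path to vprintproxy.exe can be identified. The `serialN.present` and `serialN.fileType = "thinprint"` keys are how Workstation records the virtual printer in the .vmx file; they are not named on this page, and the sample file content is constructed.

```python
import re

# Constructed sample .vmx content (not from a real VM), for illustration only.
SAMPLE_VMX = '''
.encoding = "UTF-8"
displayName = "malware-lab-win7"
# virtual printer device
serial0.present = "TRUE"
serial0.fileType = "thinprint"
serial0.fileName = "thinprint"
serial1.present = "FALSE"
serial1.fileType = "thinprint"
serial2.present = "TRUE"
serial2.fileType = "file"
serial2.fileName = "serial.log"
'''

# key = "value" lines; lines starting with '#' are comments and do not match.
_LINE = re.compile(r'^\s*([^#\s=][^=]*?)\s*=\s*"(.*)"\s*$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def printer_serial_ports(text):
    """Return sorted serial device names (e.g. 'serial0') that are present
    and backed by the virtual printer (fileType "thinprint")."""
    settings = parse_vmx(text)
    hits = []
    for key, value in settings.items():
        m = re.fullmatch(r'(serial\d+)\.filetype', key)
        if not m or value.lower() != "thinprint":
            continue
        dev = m.group(1)
        # Assumption: a device with no explicit present = "TRUE" is not attached.
        if settings.get(dev + ".present", "FALSE").upper() == "TRUE":
            hits.append(dev)
    return sorted(hits)

if __name__ == "__main__":
    for dev in printer_serial_ports(SAMPLE_VMX):
        print(f"{dev}: virtual printer attached, guest can send data to vprintproxy.exe")
```
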

[1] http://arstechnica.com/security/2015/05/extremely-serious-virtual-machine-bug-threatens-cloud-providers-everywhere/
[2] https://eprint.iacr.org/2014/248.pdf
[3] https://docs.google.com/document/d/1sIYgqrytPK-CFWfqDntraA_Fwi2Ov-YBgMtl5hdrYd4/preview?sle=true#heading=h.dv8d1g4lp83q

 

---
Johannes B. Ullrich, Ph.D.