VMware Workstation Guest Escape via Shared Printers on COM1
Last Updated: 2015-06-11 00:47:48 UTC
by Johannes Ullrich (Version: 1)
Shared hardware has always been a weakness of virtualization products. In some cases side channel attacks can be exploited to collect information from other virtual machines, or bugs in device drivers can be exploited to fully escape a virtual machine, as happened recently with the floppy disk driver.
The latest variation of this is an attack against VMware Workstation taking advantage of "COM1". This serial port is configured by default and used for printer sharing. Using printer sharing, the user can access a printer connected to the host.
To implement this feature, VMware uses "vprintproxy.exe". This executable receives the file to be printed from the guest and passes it to the host's printer. The guest uses the serial port COM1 to send data to vprintproxy.exe. The data is sent to vprintproxy.exe as an "Enhanced Metafile Spool Format" file, or "EMFSPOOL" file for short. Sadly, vprintproxy.exe does not parse these files safely, and crafted files can lead to exploits against vprintproxy.exe, which runs as whatever user started VMware.
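Since the attack surface is the virtual printer port that is enabled by default, one defensive check is to audit a guest's .vmx file for a serial port backed by the printer proxy and disable it. The script below is an added example, not code from the diary or from VMware; it assumes that the virtual printer appears in the .vmx as a serial port whose `fileType` is `"thinprint"`, and the sample configuration it parses is constructed.

```python
import re

# Constructed sample .vmx (not taken from the diary). The serial0.* "thinprint"
# keys are assumed to be what VMware Workstation writes for the shared printer
# on COM1; that key naming is an assumption, not something the diary states.
SAMPLE_VMX = """\
.encoding = "UTF-8"
displayName = "malware-lab"
serial0.present = "TRUE"
serial0.fileType = "thinprint"
serial0.fileName = "thinprint"
floppy0.present = "FALSE"
"""

# One `key = "value"` line; the quotes around the value are optional.
_LINE = re.compile(r'^\s*([\w.:-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_vmx(text):
    """Parse .vmx lines into a dict. Keys are lower-cased for lookup."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2).strip()
    return cfg

def virtual_printer_ports(cfg):
    """Indices of serial ports that are present and backed by the printer proxy."""
    found = []
    for key, value in cfg.items():
        m = re.match(r"serial(\d+)\.filetype$", key)
        if m and value.lower() == "thinprint":
            idx = int(m.group(1))
            # A port whose backend is thinprint but which is absent is harmless.
            if cfg.get(f"serial{idx}.present", "FALSE").upper() == "TRUE":
                found.append(idx)
    return sorted(found)

def disable_virtual_printers(cfg):
    """Return a copy of cfg with every printer-backed serial port marked absent."""
    hardened = dict(cfg)
    for idx in virtual_printer_ports(cfg):
        hardened[f"serial{idx}.present"] = "FALSE"
    return hardened

if __name__ == "__main__":
    cfg = parse_vmx(SAMPLE_VMX)
    print("printer-backed serial ports:", virtual_printer_ports(cfg))
    print("after hardening:", virtual_printer_ports(disable_virtual_printers(cfg)))
```

Run it against a real .vmx by reading the file into `parse_vmx`; a non-empty result means the guest can still reach vprintproxy.exe over COM1 until the port is removed or the patch is applied.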
This is a threat to VMware Workstation. In particular, if you are using VMware Workstation to analyze malicious code, you should be extra careful. VMware released a patch yesterday, but you may have missed it among the other Patch Tuesday issues.