tags:bluetoothhypervisorvmware original link: Chaining N-days to Compromise All: Part 4 — VMware Workstation Information leakage newsletter link: exploits.club Weekly Newsletter 17
Exploits Club Summary:
It wouldn’t be a newsletter these days if we didn’t have a Theori post, and they are back with the 4th part of their N-day full chain. The posts up to this point have detailed compromising the browser and privesc-ing on the virtual host. Now the team discusses the first step in escaping from the virtual machine to the host. If you have read the other 3 posts up to this point, you will be familiar with the format of this one, but the explanation walks you through the necessary background knowledge on Virtual Bluetooth devices and USB Request Blocks. It then jumps into the vulnerability (and a botched patch resulting in a variant) followed by some notes on exploitation.