Who’s on the Line? Exploiting RCE in Windows Telephony Service

Windows has supported computer telephony integration for decades, providing applications with the ability to manage phone devices, lines, and calls. While modern deployments increasingly rely on cloud-based telephony solutions, classic telephony services remain available out of the box in Windows and continue to be used in specialized environments. As a result, legacy telephony components still form part of the default Windows attack surface.

This research explores a vulnerability I discovered in the Telephony Service’s server mode, which allows a low-privileged client to write arbitrary data to files accessible by the service and, under certain conditions, achieve remote code execution.

The Guest Who Could: Exploiting LPE in VMWare Tools

VMware Tools provides a rich set of drivers and services that enhance the manageability of virtual machines and enable guest-host communication. While the host-to-guest RPC mechanisms have long been attractive targets for vulnerability research due to their potential for VM escapes, the other components – especially guest-only services – are often overlooked. One such component is the VMware Guest Authentication Service, also known as the VMware Alias Manager and Ticket Service, or simply VGAuth. It ships with the default VMware Tools installation and is present on most guest VMs (both Windows and *nix) in ESXi-managed environments. This article details a set of vulnerabilities we discovered in the Windows implementation of this service, as found in VMware Tools 12.5.0 (build 24276846).
