
VMware Tools Disclosure / Privilege Escalation

Posted Jun 4, 2011
Authored by Dan Rosenberg | Site vsecurity.com

VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed.

tags | advisory, vulnerability, info disclosure
advisories | CVE-2011-1787, CVE-2011-2145
SHA-256 | 1af05a5d5b02a34bd95ed4566b81d89008382e496b13d51cebc3c4a6458acab9

VSR Security Advisory
http://www.vsecurity.com/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg <drosenberg (at) vsecurity.com>
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

"VMware Tools is a suite of utilities that enhances the performance of the
virtual machine's guest operating system and improves management of the
virtual machine. Without VMware Tools installed in your guest operating
system, guest performance lacks important functionality."


Vulnerability Overview
----------------------
On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a
suite of utilities shipped by VMware with multiple product offerings, as well
as by open-source distributions as the open-vm-tools package. The first of
these issues results in a minor information disclosure vulnerability, while the
second two issues may result in privilege escalation in a VMware guest with
VMware Tools installed.

Product Background
------------------
VMware Tools includes mount.vmhgfs, a setuid-root utility that allows
unprivileged users in a guest VM to mount HGFS shared folders. Also shipped
with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which
handles initial setup to prepare for running vmware-user, which grants users
access to other utilities included with VMware Tools.

Vulnerability Details
---------------------

CVE-2011-2146:

The mount.vmhgfs utility makes a call to stat() to check for the existence and
type (file, directory, etc.) of the user-supplied mountpoint, and provides an
error message if the provided argument does not exist or is not a directory.
Because mount.vmhgfs is setuid-root, a local attacker can leverage this
behavior to identify if a given path exists in the guest operating system and
whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787:

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by
the user attempting to mount an HGFS share prior to performing the mount.
However, a race condition exists between the time this checking is performed
and when the mount is performed. Successful exploitation allows a local
attacker to mount HGFS shares over arbitrary, potentially root-owned
directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145:

The vmware-user-suid-wrapper utility attempts to create a directory at
/tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this
directory root-owned and world-writable. By placing a symbolic link at the
location of this directory, vmware-user-suid-wrapper will cause the symbolic
link target to become world-writable, allowing local attackers to escalate
privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools
are affected.
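
Added example, not taken from the VSR advisory or from VMware's fix: C code showing the descriptor-based pattern that avoids both the check-then-use race described for CVE-2011-1787 and the path-based chown()/chmod() on a planted symbolic link described for CVE-2011-2145. The function names are hypothetical and the default path in main() is constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open path only if its final component is a real directory; a symbolic
 * link there makes open() fail instead of being followed. */
static int open_dir_nofollow(const char *path)
{
    return open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

/* CVE-2011-1787 pattern: check ownership on the opened object, so the
 * directory that was checked is the one the caller goes on to use.
 * Returns a descriptor, or -1 if missing, not a directory, or not owned. */
int open_owned_dir(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open_dir_nofollow(path);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_uid != uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* CVE-2011-2145 pattern: create the directory, then set owner and mode
 * through a descriptor, never by path. Returns 0 on success, -1 if refused. */
int make_dir_with_mode(const char *path, uid_t uid, gid_t gid, mode_t mode)
{
    int fd, rc;
    if (mkdir(path, 0700) != 0 && errno != EEXIST) return -1;
    fd = open_dir_nofollow(path);
    if (fd < 0) return -1;      /* symlink or non-directory at this path */
    rc = (fchown(fd, uid, gid) == 0 && fchmod(fd, mode) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *p = argc > 1 ? argv[1] : "dnd-example"; /* constructed path */
    int rc = make_dir_with_mode(p, geteuid(), getegid(), 0777);
    printf("%s: %s\n", p, rc == 0 ? "prepared" : "refused");
    return rc == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

A caller of open_owned_dir() should carry out the later privileged step on the returned descriptor rather than resolving the path string a second time.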

Versions Affected
-----------------

VMware's advisory [2] indicates the following product versions are affected:

VMware         Product    Running    Replace with/
Product        Version    on         Apply Patch
=============  =========  =========  ========================
vCenter        any        Windows    not affected

Workstation    7.1.x      Linux      7.1.4 or later*
Workstation    7.1.x      Windows    7.1.4 or later*

Player         3.1.x      Linux      3.1.4 or later*
Player         3.1.x      Windows    3.1.4 or later*

AMS            any        any        not affected

Fusion         3.1.x      OSX        Fusion 3.1.3 or later*

ESXi           4.1        ESXi       ESXi410-201104402-BG*
ESXi           4.0        ESXi       ESXi400-201104402-BG*
ESXi           3.5        ESXi       ESXe350-201105402-T-SG*

ESX            4.1        ESX        ESX410-201104401-SG*
ESX            4.0        ESX        ESX400-201104401-SG*
ESX            3.5        ESX        ESX350-201105406-SG*
ESX            3.0.3      ESX        not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response
---------------
The following timeline details VMware's response to the reported issue:

2011-02-17 VMware receives initial vulnerability report
2011-02-17 VMware security team acknowledges receipt
2011-03-04 VMware provides status update
2011-03-04 VSR initiates discussion of disclosure date
2011-03-10 VMware responds, indicates internal coordination underway
2011-03-11 VSR acknowledges response
2011-03-15 VMware indicates internal coordination still ongoing
2011-03-15 VSR acknowledges response
2011-03-20 VMware proposes disclosure date of late Q3
2011-03-21 VSR agrees to disclosure date
2011-03-30 VMware provides status update
2011-04-28 VMware provides status update
2011-05-05 VMware provides status update
2011-05-06 VSR acknowledges receipt of status updates
2011-06-03 Coordinated disclosure

VMware's advisory may be obtained at:
http://www.vmware.com/security/advisories/VMSA-2011-0009.html

Recommendation
--------------
Apply VMware-supplied updates to affected products, or download
distribution-supplied security updates if using the open-vm-tools package.


Common Vulnerabilities and Exposures (CVE) Information
------------------------------------------------------
The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers
CVE-2011-1787, CVE-2011-2145, and CVE-2011-2146 to these issues. These are
candidates for inclusion in the CVE list (http://cve.mitre.org), which
standardizes names for security problems.


Acknowledgements
----------------
Thanks to VMware for their prompt response, frequent status updates, and fix.

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

References:

1. Overview of VMware Tools
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=340

2. VMSA-2011-0009
http://www.vmware.com/security/advisories/VMSA-2011-0009.html

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory is distributed for educational purposes only with the sincere
hope that it will help promote public safety. This advisory comes with
absolutely NO WARRANTY; not even the implied warranty of merchantability or
fitness for a particular purpose. Neither Virtual Security Research, LLC nor
the author accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure
practices:
http://www.vsecurity.com/company/disclosure

- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Copyright 2011 Virtual Security Research, LLC. All rights reserved.
