exploit the possibilities

VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory

VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory
Posted May 8, 2012
Authored by Derek Soeder

The vulnerability described in this document could hypothetically be exploited by unprivileged code running in a VMware virtual machine (guest) in order to execute code in the host VMX process, thereby breaking out of the virtual machine; however, such exploitation has not been proven.

tags | advisory
advisories | CVE-2012-1517
MD5 | 23a15e8e5f4e8c749191a128067b6a74

VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory

Change Mirror Download
VMware Backdoor ghi.guest.trashFolder.state Uninitialized Memory
Potential VM Break

Derek Soeder
ds.adv.pub@gmail.com

Reported: December 5, 2011
Published: May 3, 2012


AFFECTED VENDOR
---------------
VMware, Inc.


AFFECTED ENVIRONMENTS
---------------------
The following VMware product versions are known to be affected:
VMware Workstation 7.0.0
VMware Workstation 7.1.5 and earlier
VMware Player 3.1.5 and earlier
VMware ESXi 4.1.0 Update 2 Build 502767 and earlier
Other related versions not tested due to unavailability


UNAFFECTED ENVIRONMENTS
-----------------------
VMware Server 1.0.x
VMware Server 2.0.x
VMware Workstation 8.0.x
VMware Player 4.0.x
VMware ESXi 3.5.0
VMware ESXi 4.0.0
VMware ESXi 5.0.0
Other related versions not tested due to unavailability


IDENTIFIERS
-----------
CVE-2012-1517


IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven.


VULNERABILITY DETAILS
---------------------
The VMware backdoor interface consists of a number of operations
issued via I/O instructions executed in the guest with a command
number in CX and data or "magic" values in a number of other
registers. Command 0x1E / 30 (BDOOR_CMD_MESSAGE) and its subcommands
(MESSAGE_TYPE_*) allow messages to be exchanged between the guest and
host.

Messages from the guest take the form of a command string followed by
any number of arguments. When the guest issues a command message, the
command dispatcher in the host VMX process calls a handler function
associated with the given command that is prototyped roughly as
follows:

bool __cdecl CommandHandler(
void * unknown,
short channel,
char * args,
unsigned int args_len,
char * * preply,
unsigned int * preply_len)

The handler for the "ghi.guest.trashFolder.state" command, available
in newer versions of VMware products, checks for an empty argument
string by comparing 'args' to null and 'args_len' to zero, and if
either matches, the function fails with the error message "Invalid
parameters". However, this particular failure path skips a call that
initializes a local variable, an XDR structure. Before the handler
function returns--even in the event of failure--it retrieves the
'x_ops' pointer from the structure at offset +0x04 (32-bit) / +0x08
(64-bit), which points to a table of function pointers, and it then
calls the eighth function pointer, 'x_destroy', at offset +0x1C
(32-bit) / +0x38 (64-bit) within the table.


EXPLOITATION
------------
Since the stack memory that constitutes the structure remains
uninitialized when the handler function processes a
"ghi.guest.trashFolder.state" command with no arguments, the guest
could hypothetically proffer an arbitrary function pointer table
pointer by first causing some other operation to be performed by the
thread that will execute the handler function, thereby seeding that
portion of stack memory. Successful exploitation would then depend on
being able to find or establish a useful function pointer table and
code to execute.

At least on a Windows host, procurement of a function pointer table
might be facilitated by the fact that the VMX executable cannot be
relocated. Furthermore, the VMX process often features PAGE_READWRITE
mappings of guest physical memory at predictable addresses. It might
also be possible to fill the VMX process's heap by issuing other
backdoor commands.


MITIGATION
----------
None known.


CONCLUSION
----------
This document discloses a vulnerability in more recent versions of
VMware products that could potentially allow a guest to execute
arbitrary code on the host system, although an unsuccessful
exploitation attempt will likely crash the guest.

The exploitability of this vulnerability is most contingent on the
ability to control the contents of the relevant, uninitialized stack
memory from the guest, which has not yet been demonstrated. If that
proves to be possible, eventual reliable exploitation should be
considered likely.


GREETINGS
---------
www.ftmband.com
www.ridgewayis.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close