exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMWare Tools Binary Planting

VMWare Tools Binary Planting
Posted Sep 5, 2012
Authored by Moshe Zioni

VMWare Tools is susceptible to binary planting / DLL hijacking.

tags | exploit
systems | windows
advisories | CVE-2012-1666
SHA-256 | a5afa2cae5897fae7262a3d6b11dc9f82588dd140249726ec6121a847aca0b9a

VMWare Tools Binary Planting

Change Mirror Download
Security Advisory - VMWare Tools susceptible to binary planting by hijack
=========================================================================
Summary : VMWare Tools susceptible to binary planting
Date : 4 September 2012
Affected versions : Product versions prior to -
Workstation 8.0.4
Player 4.0.4
Fusion 4.1.2
View 5.1
ESX 5.0 P03
ESX 4.1 U3
Not affected: ESX 4.0, ESX 3.5
CVE reference : CVE-2012-1666

Details
================
VMWare Tools handles many functions involved with host-guest interactivity,
providing a richer environment for the end-user and server administrators alike.
Part of VMWare Tools responsibilities is handling printer services through host
and is called by a third-party acquired tool (ThinPrint).

During initiation, which occurs during many steps throughout printer comm.
negotiation, a non-existent dynamic-link library is called, resulting in an
unqualified dynamic-link library call to 'tpfc.dll'.

A user with local disk access can carefuly construct a DLL that suits the
pattern that is being traversed by the client and implement it somewhere along
the search path and the client will load it seamlessly.

Impact
================
After the DLL has been implemented, an unsuspected user that will run printer
services, for example, will cause it to load, resulting in arbitrary code
execution under user's privilege level.

This vector of attack is mainly used in a local privilege escalation scenarios,
user credential harvesting and can be used by malware to disguise itself,
amongst other uses.

Proof of Concept
================

#include <windows.h>

int hijack_poc ()
{
WinExec ( "calc.exe" , SW_NORMAL );
return 0 ;
}

BOOL WINAPI DllMain
( HINSTANCE hinstDLL ,
DWORD dwReason ,
LPVOID lpvReserved )
{
hijack_poc () ;
return 0 ;
}

Solution
================
Official patches were delivered by vendor and can be fetched from www.vmware.com

Credits
================
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline
=================
4 September 2012
Security advisory released by Comsec Consulting
31 August 2012
Vendor finished on deploying fixes to products, release notes published
13 March 2012
Vendor started to implement fixes to products
14 February 2012
First response from vendor
13 February 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
to VMWare and third-party printer driver developers in sync

References
=================
VMWare
http://www.vmware.com
Release notes
https://www.vmware.com/support/vsphere4/doc/vsp_esxi41_u3_rel_notes.html#resolvedissuessecurity

Comsec Global Consulting
http://www.comsecglobal.com/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close