what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VMWare Player 7.1.3 DLL Hijacking

VMWare Player 7.1.3 DLL Hijacking
Posted Aug 2, 2018
Authored by Stefan Kanthak

VMWare Player version 7.1.3 suffers from a dll hijacking vulnerability.

tags | exploit
systems | windows
advisories | CVE-2016-7085
SHA-256 | addcd36bab152a4fb435a7853f4b0fce8c524da8267470db669eaea6231daef3

VMWare Player 7.1.3 DLL Hijacking

Change Mirror Download
Hi @ll,

on February 13, 2016, I sent a vulnerability report regarding the
then current executable installer of VMware-player 7.1.3 to its
vendor.

On September 14, 2016, VMware published
<http://blogs.vmware.com/security/2016/09/vmsa-2016-0014.html> and
<http://www.vmware.com/security/advisories/VMSA-2016-0014.html>

I was NOT AMUSED that it took 7 month to fix this beginner's error.


In January 2018, VMware published VMware-player-12.5.9-7535481.exe,
available via <https://www.vmware.com/go/downloadplayer> from
<https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>,
which shows this vulnerability again (plus THREE others), again
allowing arbitrary code execution WITH escalation of privilege!

Apparently VMware's developers haven't heard of regression tests
yet, and their QA (if they have one) seems sound asleep!


On a fully patched Windows 7 SP1, VMware-player-12.5.9-7535481.exe
loads CredSSP.dll, WSHTCPIP.dll, WSHIP6.dll and RASAdHlp.dll from
its "application directory", typically the user's "Downloads"
directory "%USERPROFILE%\Downloads", instead from Windows'
"system directory" "%SystemRoot%\System32".

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.


The application manifest embedded in VMware-player-12.5.9-7535481.exe
specifies "requireAdministrator", so any (rogue) DLL placed by the
unprivileged user in the "Downloads" directory is executed with
administrative rights, resulting in arbitrary code execution WITH
escalation of privilege.

CVSS v3 Base Score: 8.2 (High) CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v2 Base Score: 7.8 AV:L/AC:M/Au:N/C:C/I:C/A:C


Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. follow the instructions from
<https://skanthak.homepage.t-online.de/minesweeper.html>
and build a minefield of 32-bit forwarder DLLs in your "Downloads"
directory;

2. download
<https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>,
and save it in your "Downloads" directory;

3. execute VMware-player-12.5.9-7535481.exe: notice the message
boxes displayed from the DLLs built in step 1!


stay tuned (and FAR away from ALL executable installers!)
Stefan Kanthak


Timeline:
~~~~~~~~~

2018-06-03 vulnerability report(s) sent to vendor

2018-06-13 vendor acknowledged receipt:
"We will look into this and provide feedback in due course."

2018-06-14 vendor replies:
"It is my understanding that Workstation Player 12.x has
since reached end of general support (in February of 2018)
as per our Lifecycle Product Matrix
<https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf>."

2018-08-01 report published
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close