what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vmware60-escalate.txt

vmware60-escalate.txt
Posted Aug 25, 2007
Authored by seppi

VMWare Workstation version 6.0 for Windows suffers from a denial of service vulnerability and possible privilege escalation.

tags | advisory, denial of service
systems | windows
SHA-256 | 67a938ecbc47b48c034177b38a5ae49d14ec8dbe2d82b5f7310ace3aa361dae6

vmware60-escalate.txt

Change Mirror Download
vulnerable software: VMware Workstation 6.0 for Windows, possible some other VMware products as well
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.

The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size to at max 1024 bytes, it will underrun and potentially execute arbitrary code.

Interestingly the vmstor driver (which is the old version supposed to mount VMware images prior to version 6.0) is not vulnerable.

I have originally reported this vulnerability on 21-May-07 and got response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.

how to reproduce:

- get DC2.exe from the latest Windows Driver Kit
- login as unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

workaround:

Disable the vstor-ws60 driver in the device manager. This will disable the VMware Virtual Image Mounter.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close