vmwarevix-vuln.txt

Posted Aug 31, 2007
Site vmware.com

VMware suffers from a poor guest isolation design.

tags | advisory
SHA-256 | e34dca01aaf832d2fa675dfd14bd66bec79bc94f49d2c237202424a01a6d8b9f

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

*Summary*

VMware VIX API 1.1 supports an option that allows users with privileges
on the host machine to execute programs on a guest operating system
under the identity of a user currently logged into the guest. For
example, if user A powers on a virtual machine (VM) and logs into the
guest operating system, then a user B who has privilege on the host
machine to connect to that VM can also write scripts that will
anonymously run programs in the VM guest operating system as user A.
Note that the only users who can access the VM this way are either the
same users who have powered on the VM or an administrator on the host.


*Affected products:*

This behavior is only present in Workstation 6.0, Workstation 6.0 with
ACE Option Pack, and VMware Player 2.0.

This issue does not affect any released version of VMware Server, VMware
ESX Server, or VMware GSX Server.

This issue also does not affect deployed ACE 2.0 virtual machines.


*How to disable this behavior*

You can disable this behavior by adding an entry to the host
configuration file. This will override any VM-specific configuration and
globally disable the behavior for all virtual machines running on the host.

The host configuration is owned by the System/root account, so it is
protected against non-root users who have virtual machines on the system.

This behavior can be disabled at the host level by adding the following
line to the host configuration file:

guest.commands.anonGuestCommandsRunAsConsoleUser = "FALSE"

On Linux, the default pathname for this file is:

/usr/lib/vmware/settings

(Note that "settings" is the file name, not another directory name.)

On Windows (except Windows Vista), the default pathname for this file is:

C:\Documents and Settings\All Users\Application Data\VMware\VMware Workstation\settings.ini

On Windows Vista, the default pathname for this file is:

C:\ProgramData\VMware\VMware Workstation\settings.ini

(Note that on Windows Vista, the "ProgramData" directory may be hidden
by default.)

If you installed the product in a custom location, then the path name
for the configuration file may be different.

Normally, the file will not exist. If the file does not exist, then
first create a new blank text file named "settings" on Linux and
"settings.ini" on Windows and then add the new settings line.

Alternatively, you can also add the following line to the VMX
configuration file to disable the behavior on a per-VM basis:

guest.commands.anonGuestCommandsRunAsConsoleUser=FALSE

The only feature of VMware Workstation that relies on this behavior is
the Integrated Virtual Debugger, i.e. the optional plugins for Eclipse
IDE and Microsoft Visual Studio. Disabling this login mode as documented
above will disable this feature.

In addition, VIX API client programs and scripts which depend on this
login mode while calling VixVM_LoginInGuest will need to be modified to
use a username and password to login to the guest.
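
The following Python script audits and applies the setting described in this section. It is an added example, not part of the original advisory or of VMware's tooling; the function names are hypothetical, and it assumes that a missing entry leaves the behavior enabled and that the last assignment in a file wins.

```python
import os
import re
import tempfile

KEY = "guest.commands.anonGuestCommandsRunAsConsoleUser"
# Accepts both forms shown in the advisory: KEY = "FALSE" and KEY=FALSE
LINE_RE = re.compile(r'^\s*' + re.escape(KEY) + r'\s*=\s*"?([^"\r\n]*?)"?\s*$')

def read_setting(path):
    """Return the value assigned to KEY in path (upper-cased), or None if unset."""
    value = None
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                m = LINE_RE.match(line)
                if m:  # assumption: a later assignment replaces an earlier one
                    value = m.group(1).strip().upper()
    except FileNotFoundError:
        pass  # the advisory notes the host file normally does not exist
    return value

def disable_in_file(path, quoted=True):
    """Idempotently set KEY to FALSE in path, creating the file if it is missing."""
    new_line = f'{KEY} = "FALSE"' if quoted else f"{KEY}=FALSE"
    lines = []
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines = [l.rstrip("\r\n") for l in fh if not LINE_RE.match(l)]
    lines.append(new_line)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(lines) + "\n")

def audit(host_settings, vmx_paths):
    """Map each VMX path to True when anonymous guest commands are disabled for it."""
    if read_setting(host_settings) == "FALSE":
        return {p: True for p in vmx_paths}  # host entry overrides per-VM config
    # assumption: an absent or non-FALSE entry means the behavior is still enabled
    return {p: read_setting(p) == "FALSE" for p in vmx_paths}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample files
        host, vmx = os.path.join(d, "settings"), os.path.join(d, "demo.vmx")
        with open(vmx, "w") as fh:
            fh.write('displayName = "demo"\n')
        print(audit(host, [vmx]))  # before the host override is written
        disable_in_file(host)
        print(audit(host, [vmx]))  # after the host override is written
```

On a real host, pass the host configuration path given above for your platform and the `.vmx` files of the virtual machines to check; writing the host file requires the System/root account.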

*The rationale for this design decision*

We added this functionality to VMware Workstation in order to provide a
seamless user experience using Integrated Virtual Debugger – a user will
not be prompted to log-in each time a program is launched to run/debug
inside a VM.

We determined that, although this automates interaction with the guest
operating system, this is not a /bona fide/ escalation of privileges in
the guest operating system because any user who can access the VM this
way can already open the user interface and manually interact with the
guest under the identity of the currently logged-in user.

In other words, if you are able to connect to a running VM, you need to
be either the user who powered on the VM, or you are an administrator of
the host. So, this behavior only applies to users who already have
access to the VM.

However, we take this feedback very seriously, and we are reevaluating
this design decision for the next dot-release of Workstation.

For further questions regarding this issue or other security related
issues for VMware, please contact us at security@vmware.com.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG1h1pS2KysvBH1xkRCPUmAJ0TIfQlGDl6t7Rad+HeAyldW5KtHgCeLwlj
Sij6woX7EFYylIN9q8Q73OA=
=wnfC
-----END PGP SIGNATURE-----
