exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2010-04-12.2

ACROS Security Problem Report 2010-04-12.2
Posted Apr 14, 2010
Authored by Mitja Kolsek, ACROS Security | Site acrossecurity.com

ACROS Security Problem Report #2010-04-12-2 - A "binary planting" vulnerability in VMware Tools for Windows allows a local non-administrative attacker, under certain circumstances, to execute a malicious executable on virtual Windows machines in the context of logged- on users.

tags | advisory, local
systems | windows
SHA-256 | f4ab6e48b6664883b247cd29bef48610a751f93149811ac6017b3e330925de9b

ACROS Security Problem Report 2010-04-12.2

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2010-04-12-2
-------------------------------------------------------------------------
ASPR #2010-04-12-2: Local Binary Planting in VMware Tools for Windows
=========================================================================

Document ID: ASPR #2010-04-12-2-PUB
Vendor: VMware, Inc. (http://www.vmware.com)
Target: VMware Tools for Windows
Impact: Local execution of arbitrary code on a virtual Windows
machine
Severity: High
Status: Official patch available, workarounds available
Discovered by: Mitja Kolsek of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt


Summary
=======

A "binary planting" vulnerability in VMware Tools for Windows allows a
local non-administrative attacker, under certain circumstances, to execute
a malicious executable on virtual Windows machines in the context of
logged- on users.


Product Coverage
================

- VMware Tools for Windows build 91707
- VMware Tools for Windows version 7.8.4 build 126130

Note: We only tested the above versions; other versions may also be
affected.


Analysis
========

There is a code execution vulnerability in VMware Tools for Windows that
allows a local attacker (being able to log on locally to the virtual
machine) to plant a malicious executable with a specific name on the local
drive and wait for this executable to get launched when another user logs
on to the virtual machine.

While this scenario is usually blocked on default VMware Tools'
installations on Windows XP, Windows Vista and Windows 7 due to the
default file system ACLs, a non-administrative local attacker can launch
the attack against virtual machines where VMware Tools were installed on
non-default locations, e.g., on a non-system drive. Additionally, the
attack is always possible on pre- Windows XP systems such as Windows 2000.

Additional details are available to interested corporate and government
customers under NDA, as public disclosure would reveal too many details on
the vulnerability and unduly accelerate malicious exploitation.


Mitigating Factors
==================

- The attacker must be able to log on to the machine, or exploit another
vulnerability on the machine to place the malicious executable on a local
drive. Note that Windows Terminal Server allows multiple users to log on
locally from remote and effectively act as local users. Additionally, the
default configuration of Windows domain machines allows any domain user to
log on locally to any domain computer (except the domain controller),
which can be especially attacker-friendly in conjunction with remotely-
accessible desktops via VMware View.

- VMware Tools installations on Windows XP, Windows Vista and Windows 7
are unaffected as long as (1) they're installed on the default location on
system drive (usually C:\Program Files\VMware) and (2) the default file
system ACLs haven't been modified.


Solution
========

VMware has issued a security bulletin [1] and published remediated
versions of VMware Workstation, Player, ACE, Server and Fusion, and
patches for ESX and ESXi that fix this issue.

Warning: It is not enough to install the new version or the patch; it is
also necessary to upgrade VMware Tools in each affected virtual machine.
On VMware Workstation, Player, ACE, Server and Fusion, the user will be
automatically prompted to upgrade, while there will be no such prompt on
ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of
the virtual machine.


Workaround
==========

Workarounds are available to interested corporate and government customers
under NDA, as public disclosure would reveal too many details on the
vulnerability and unduly accelerate malicious exploitation.


Related Services
================

ACROS is offering professional consulting on this issue to interested
corporate and government customers. Typical questions we can help you
answer are:

1) To what extent is your organization affected by this issue?

2) Have you adequately applied the remedies to remove the vulnerability?

3) Are there other workarounds that you could implement to fix this issue
more efficiently and/or inexpensively?

4) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at
security@acrossecurity.com.


References
==========

[1] VMware Security Advisory VMSA-2010-0007
http://www.vmware.com/security/advisories/VMSA-2010-0007.html


Acknowledgments
===============

We would like to acknowledge VMware for professional handling of the
identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

April 12, 2010: Initial release


Copyright
=========

(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close