iDefense Security Advisory 06.04.08 - Local exploitation of an input validation vulnerability within VMware's hgfs.sys driver could allow an unprivileged attacker to execute arbitrary code within the kernel of a Windows guest operating system. When a VMware guest operating system has the VMware Tools package installed, the hgfs.sys driver is loaded on the machine. This driver allows any user to open the device "\\.\hgfs" and issue IOCTLs with a buffering mode of METHOD_NEITHER. With METHOD_NEITHER the driver receives the caller's buffer pointers as supplied, so untrusted user-mode code can pass kernel addresses as arguments to the driver. iDefense confirmed the existence of this vulnerability in hgfs.sys as included with VMware Workstation 5.5.4. Other versions are suspected to be vulnerable as well.
94965d18331de5c2c720b4857032236ba30344a29f60b2f9431727bdeac556fa
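The check that a METHOD_NEITHER handler has to make on caller-supplied pointers, as an added example that is not code from iDefense or VMware: a portable C model of the range test that ProbeForRead/ProbeForWrite apply in a Windows driver. The control code, the addresses and the function names are constructed for illustration, and the 0x7FFF0000 boundary is the assumed default for 32-bit x86 Windows.

```c
#include <stdint.h>
#include <stdio.h>

/* Transfer-method values from the Windows CTL_CODE layout (bits 0-1). */
enum { METHOD_BUFFERED = 0, METHOD_IN_DIRECT = 1, METHOD_OUT_DIRECT = 2, METHOD_NEITHER = 3 };

/* Assumed default user/kernel boundary on 32-bit x86 Windows. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Build a control code the same way the CTL_CODE macro does. */
static uint32_t ctl_code(uint32_t dev, uint32_t func, uint32_t method, uint32_t access) {
    return (dev << 16) | (access << 14) | (func << 2) | method;
}

/* Extract the transfer method from a control code. */
static uint32_t ioctl_method(uint32_t code) { return code & 3u; }

/* Return 1 if [addr, addr+len) lies wholly in user space, else 0.
 * Like ProbeForRead, a zero length is not checked at all, so callers
 * must not dereference a pointer that came with a zero length. */
static int user_range_ok(uint32_t addr, uint32_t len) {
    uint32_t end = addr + len;
    if (len == 0) return 1;
    if (end < addr) return 0;            /* address arithmetic wrapped */
    return end <= USER_PROBE_ADDRESS;    /* must end below kernel space */
}

/* Hypothetical dispatch-time check: 0 = proceed, -1 = reject request. */
static int validate_request(uint32_t code, uint32_t in_ptr, uint32_t in_len,
                            uint32_t out_ptr, uint32_t out_len) {
    if (ioctl_method(code) != METHOD_NEITHER)
        return 0;  /* I/O manager supplies system buffers or MDLs */
    if (!user_range_ok(in_ptr, in_len) || !user_range_ok(out_ptr, out_len))
        return -1; /* raw pointer reaches outside user space */
    return 0;
}

int main(void) {
    /* Constructed sample code: device type 0x22, function 0x800. */
    uint32_t code = ctl_code(0x22, 0x800, METHOD_NEITHER, 0);
    printf("code=0x%08X method=%u\n", (unsigned)code, (unsigned)ioctl_method(code));
    printf("user buffers:   %d\n", validate_request(code, 0x00401000u, 64, 0x00402000u, 64));
    printf("kernel out ptr: %d\n", validate_request(code, 0x00401000u, 64, 0x80501000u, 4));
    return 0;
}
```

In a real driver the range test must be paired with structured exception handling around every access, because a user-space address can still be unmapped or change between the check and the use.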