Author: dolevf
Date: 18.6.2014
Version: vm-support latest version 0.88
Tested on: Red Hat Enterprise Linux 6
Relevant CVEs: 2014-4199, 2014-4200

1. About the application
------------------------
VMware support is a tool designed to collect diagnostic information, such as logs, configuration files and directories, from a virtualized guest system. vm-support is part of the vmware-tools package.

2. Vulnerability descriptions
-----------------------------
CVE-2014-4199: An attacker is able to overwrite system files due to insecure creation of files in /tmp by running the vm-support tool, potentially denying service to other users of the system.

CVE-2014-4200: An attacker is able to extract sensitive files from the vm-support archive because it has 0644 permissions and is stored in the /tmp folder.

3. Release date
---------------
26.8.2014

4. Proof of concept
-------------------
CVE-2014-4199:
=============
    runcmd "ifconfig -a" "/tmp/ifconfig.$$.txt"
    runcmd "mount" "/tmp/mount.$$.txt"
    runcmd "dmesg" "/tmp/dmesg.$$.txt"
    runcmd "ulimit -a" "/tmp/ulimit-a.$$.txt"

CVE-2014-4200:
=============
    [root@server1 tmp]# ls -ld vm-2014-08-26.25023.tar.gz
    -rw-r--r-- 1 root root 631081 Aug 26 17:19 vm-2014-08-26.25023.tar.gz
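
Added example (not part of the original advisory and not VMware's fix): a hardened form of the collection pattern shown in the proof of concept, where output goes into a private mktemp directory instead of /tmp/<name>.$$.txt and the archive is created with 0600 permissions. The names collect_diag, runcmd_safe and mode_of are hypothetical, and the collected commands are stand-ins.

```shell
#!/bin/sh
# Added example, not vm-support code. collect_diag, runcmd_safe and mode_of
# are hypothetical names; the collected commands are stand-ins.

# Run a command line ($1) and store its output in $2, a path that must
# sit inside the private working directory created below.
runcmd_safe() {
    sh -c "$1" > "$2" 2>&1 || true   # keep collecting if one command fails
}

# Collect diagnostics under base directory $1 (default: $TMPDIR or /tmp)
# and print the path of the finished archive on stdout.
collect_diag() {
    base=${1:-${TMPDIR:-/tmp}}
    old_umask=$(umask)
    umask 077    # everything created from here on is 0600 / 0700

    # mktemp -d picks an unpredictable name and creates the directory
    # atomically, failing if the name exists, so a symlink planted at a
    # guessed name (the /tmp/<name>.$$.txt problem) is never followed.
    work=$(mktemp -d "$base/vm-diag.XXXXXXXXXX") || { umask "$old_umask"; return 1; }
    mkdir "$work/data"

    runcmd_safe "uname -a"  "$work/data/uname.txt"
    runcmd_safe "mount"     "$work/data/mount.txt"
    runcmd_safe "ulimit -a" "$work/data/ulimit-a.txt"

    # The archive stays inside the 0700 directory and is itself 0600, so
    # other local users can neither list nor read it.
    tar -C "$work" -czf "$work/vm-diag.tar.gz" data
    status=$?
    umask "$old_umask"
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$work/vm-diag.tar.gz"
}

# Permission string of a path, e.g. "-rw-------" (first 10 chars of ls -ld).
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Calling mode_of on the returned archive path gives -rw------- rather than the -rw-r--r-- shown in the CVE-2014-4200 listing.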