what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

ACROS Security Problem Report 2010-04-12.1

ACROS Security Problem Report 2010-04-12.1
Posted Apr 14, 2010
Authored by Mitja Kolsek, ACROS Security, Jure Skofic | Site acrossecurity.com

ACROS Security Problem Report #2010-04-12-1 - A "binary planting" vulnerability in VMware Tools for Windows allows local or remote (possibly Internet-based) attackers to deploy and execute malicious code on virtual Windows machines in the context of logged-on users.

tags | advisory, remote, local
systems | windows
SHA-256 | 1a33ad33d61288c5a2f1bc8851a66d3420578051913dd9eb34bba9d650c3d21b

ACROS Security Problem Report 2010-04-12.1

Change Mirror Download
=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2010-04-12-1
-------------------------------------------------------------------------
ASPR #2010-04-12-1: Remote Binary Planting in VMware Tools for Windows
=========================================================================

Document ID: ASPR #2010-04-12-1-PUB
Vendor: VMware, Inc. (https://www.vmware.com)
Target: VMware Tools for Windows
Impact: Remote execution of arbitrary code on a virtual Windows
machine
Severity: Very high
Status: Official patch available, workarounds available
Discovered by: Jure Skofic and Mitja Kolsek of ACROS Security

Current version
https://www.acrossecurity.com/aspr/ASPR-2010-04-12-1-PUB.txt


Summary
=======

A "binary planting" vulnerability in VMware Tools for Windows allows local
or remote (possibly Internet-based) attackers to deploy and execute
malicious code on virtual Windows machines in the context of logged-on
users.


Product Coverage
================

- VMware Tools for Windows build 91707
- VMware Tools for Windows version 7.8.4 build 126130

Note: We only tested the above versions; other versions may also be
affected.


Analysis
========

As a result of an incorrect dynamic link library loading in VMware Tools
for Windows, an attacker can cause her malicious DLL to be loaded and
executed from local drives, a remote Windows share, and even a share
located on Internet.

All a remote attacker has to do is plant a malicious DLL with a specific
name on a network share and get the user to open any file from this
network location with any Windows application - which should require
minimal social engineering. Since Windows systems by default have the Web
Client service running - which makes remote network shares accessible via
WebDAV -, the malicious DLL can also be deployed from an Internet-based
network share as long as the intermediate firewalls allow outbound HTTP
traffic to the Internet.

A systematic attack could deploy malicious code to a large number of
virtual Windows workstations in a short period of time, possibly as an
Internet worm.

Additional details are available to interested corporate and government
customers under NDA, as public disclosure would reveal too many details on
the vulnerability and unduly accelerate malicious exploitation.


Mitigating Factors
==================

- A firewall blocking outbound WebDAV traffic (in addition to blocking all
Windows Networking protocols) could stop an Internet-based attack.


Solution
========

VMware has issued a security bulletin [1] and published remediated
versions of VMware Workstation, Player, ACE, Server and Fusion, and
patches for ESX and ESXi that fix this issue.

Warning: It is not enough to install the new version or the patch; it is
also necessary to upgrade VMware Tools in each affected virtual machine.
On VMware Workstation, Player, ACE, Server and Fusion, the user will be
automatically prompted to upgrade, while there will be no such prompt on
ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of
the virtual machine.


Workaround
==========

- Stopping the Web Client service could stop Internet-based attacks
as long as the network firewall stops outbound Microsoft Networking
protocols. This would not, however, stop remote LAN-based attacks where
the attacker is able to place a malicious DLL on a network share inside
the target (e.g., corporate) network.

Other workarounds are available to interested corporate and government
customers under NDA, as public disclosure would reveal too many details on
the vulnerability and unduly accelerate malicious exploitation.


Related Services
================

ACROS is offering professional consulting on this issue to interested
corporate and government customers. Typical questions we can help you
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside
your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there other workarounds that you could implement to fix this issue
more efficiently and/or inexpensively?

5) Are your systems or applications vulnerable to other similar issues?


Interested parties are encouraged to ask for more information at
security@acrossecurity.com.


References
==========

[1] VMware Security Advisory VMSA-2010-0007
https://www.vmware.com/security/advisories/VMSA-2010-0007.html


Acknowledgments
===============

We would like to acknowledge VMware for professional handling of the
identified vulnerability.


Contact
=======

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: security@acrossecurity.com
web: https://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
https://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
https://www.acrossecurity.com/advisories.htm

ACROS Security Papers
https://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
https://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm


Disclaimer
==========

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.


Revision History
================

April 12, 2010: Initial release


Copyright
=========

(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close