VMWare Player 7.1.3 DLL Hijacking

2018.08.03
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Hi @ll, on February 13, 2016, I sent a vulnerability report regarding the then current executable installer of VMware-player 7.1.3 to its vendor. On September 14, 2016, VMware published <http://blogs.vmware.com/security/2016/09/vmsa-2016-0014.html> and <http://www.vmware.com/security/advisories/VMSA-2016-0014.html> I was NOT AMUSED that it took 7 month to fix this beginner's error. In January 2018, VMware published VMware-player-12.5.9-7535481.exe, available via <https://www.vmware.com/go/downloadplayer> from <https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>, which shows this vulnerability again (plus THREE others), again allowing arbitrary code execution WITH escalation of privilege! Apparently VMware's developers haven't heard of regression tests yet, and their QA (if they have one) seems sound asleep! On a fully patched Windows 7 SP1, VMware-player-12.5.9-7535481.exe loads CredSSP.dll, WSHTCPIP.dll, WSHIP6.dll and RASAdHlp.dll from its "application directory", typically the user's "Downloads" directory "%USERPROFILE%\Downloads", instead from Windows' "system directory" "%SystemRoot%\System32". For this well-known and well-documented vulnerability see <https://cwe.mitre.org/data/definitions/426.html> and <https://cwe.mitre.org/data/definitions/427.html> plus <https://capec.mitre.org/data/definitions/471.html>. The application manifest embedded in VMware-player-12.5.9-7535481.exe specifies "requireAdministrator", so any (rogue) DLL placed by the unprivileged user in the "Downloads" directory is executed with administrative rights, resulting in arbitrary code execution WITH escalation of privilege. CVSS v3 Base Score: 8.2 (High) CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS v2 Base Score: 7.8 AV:L/AC:M/Au:N/C:C/I:C/A:C Demonstration/proof of concept: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1. follow the instructions from <https://skanthak.homepage.t-online.de/minesweeper.html> and build a minefield of 32-bit forwarder DLLs in your "Downloads" directory; 2. download <https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>, and save it in your "Downloads" directory; 3. execute VMware-player-12.5.9-7535481.exe: notice the message boxes displayed from the DLLs built in step 1! stay tuned (and FAR away from ALL executable installers!) Stefan Kanthak Timeline: ~~~~~~~~~ 2018-06-03 vulnerability report(s) sent to vendor 2018-06-13 vendor acknowledged receipt: "We will look into this and provide feedback in due course." 2018-06-14 vendor replies: "It is my understanding that Workstation Player 12.x has since reached end of general support (in February of 2018) as per our Lifecycle Product Matrix <https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf>." 2018-08-01 report published


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top