Category:   Application (Generic)  >   VMware GSX Server
Vendors:   VMware
[Vendor Disputes Claim] VMware GSX Server Buffer Overflow in VMware Authorization Service Input Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008051
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Nov 18 2003
Original Entry Date:  Oct 31 2003
Impact:   Execution of arbitrary code via network, Root access via network

Version(s): 2.0.1 build-2129
Description:   A vulnerability was reported in the vmware-authd authentication service of VMware GSX Server. A remote user can execute arbitrary code on the target system with administrator privileges.

It is reported that a remote user can supply a specially crafted value to the authentication service to trigger a buffer overflow and execute arbitrary code. According to the report, the individual arguments (e.g., USER, PASS, GLOBAL) are properly validated but the initial input line is not.

[Editor's note: The vendor has indicated that there is no vulnerability and that the original author has retracted his posting. We are awaiting confirmation from the original author.]
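
The class of error the report describes (per-argument checks on USER, PASS and GLOBAL, but no length limit on the initial line read) is avoided by bounding the read itself before any parsing. The following is an added example, not vmware-authd code and not from the original report; the function names, the 128-byte limit and the "COMMAND argument" line syntax are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define LINE_CAP 128  /* assumed per-line limit; not taken from the advisory */

enum { LINE_OK = 0, LINE_INCOMPLETE = 1, LINE_TOO_LONG = -1 };

/* Copy one LF- or CRLF-terminated line from in[0..in_len) into out.
 * The length limit is enforced while scanning, before any byte is copied
 * and before the line is split into a command and its argument.
 * A trailing CR counts toward the limit. */
int read_line_bounded(const char *in, size_t in_len,
                      char *out, size_t out_cap, size_t *consumed)
{
    *consumed = 0;
    if (out_cap == 0)
        return LINE_TOO_LONG;
    for (size_t i = 0; i < in_len; i++) {
        if (in[i] == '\n') {
            size_t n = i;               /* n < out_cap: checked below */
            if (n > 0 && in[n - 1] == '\r')
                n--;
            memcpy(out, in, n);
            out[n] = '\0';
            *consumed = i + 1;
            return LINE_OK;
        }
        if (i + 1 >= out_cap)           /* no room left for byte + NUL */
            return LINE_TOO_LONG;
    }
    return LINE_INCOMPLETE;
}

/* Hypothetical dispatcher: returns -1 to drop the connection,
 * 0 to wait for more data, 1 for a known command, 2 for an unknown one. */
int handle_input(const char *in, size_t in_len)
{
    char line[LINE_CAP];
    size_t used;
    int st = read_line_bounded(in, in_len, line, sizeof line, &used);
    if (st == LINE_TOO_LONG)
        return -1;
    if (st == LINE_INCOMPLETE)
        return 0;
    if (!strncmp(line, "USER ", 5) || !strncmp(line, "PASS ", 5) ||
        !strncmp(line, "GLOBAL ", 7))
        return 1;                       /* per-argument checks would follow */
    return 2;
}
```

An overlong first line is rejected with -1 whether or not it ever contains a terminator, so the fixed-size buffer is never written past its end.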

Impact:   A remote user can execute arbitrary code with administrator privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (Any)
Underlying OS Comments:  Tested only on Windows

Message History:   None.

 Source Message Contents

Subject:  VMWare GSX Server Authentication Server Buffer Overflow

Author: Darryl Swofford

Date: 2003/10/31

VMware GSX Server 2.0.1 build-2129 for Windows (other versions not tested). Tested on Windows NT/2000/2003/XP systems.

After reviewing BugTraq #5294 (VMWare GSX Server Authentication Server Buffer Overflow Vulnerability) I was able to modify the sample code to exploit the updated vmware-authd service.

I will not release the source code as I feel this is not prudent until the vendor acknowledges the issue. Until then you can view the overflow by using telnet with the following syntax and simply alter the code as I did.

>telnet 902
> 220 VMware Authentication Daemon Version 1.00
 PANIC: Buffer overflow in VMAuthdSocketRead()
Connection to host lost.

It seems that the vmware-authd service limits the input strings of the program when passed correct arguments (USER, PASS, GLOBAL); however the initial readline can be overflowed as it does not control the amount of data passed to it.
Stop and disable the VMware authorization service. 

