SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic)  >   VMware
Vendors:   VMware
VMware Buffer Overflow in vmstor-60 Driver Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1018609
SecurityTracker URL:  http://securitytracker.com/id/1018609
CVE Reference:   CVE-2007-4591
Updated:  Mar 26 2008
Original Entry Date:  Aug 27 2007
Impact:   Execution of arbitrary code via local system, User access via local system

Version(s): 6.0 Workstation for Windows; possibly other versions
Description:   A vulnerability was reported in VMware. A local user can obtain elevated privileges on the target system.

A local user on the host operating system can trigger a buffer overflow in the vmstor-60 driver to execute arbitrary code with kernel level privileges on the target system.

The FsSetVoleInformation IOCTL's FsSetFileInformation function is affected.

The vendor was notified on May 21, 2007.

The following demonstration exploit steps are provided:

- get DC2.exe from the latest Windows Driver Kit
- login as unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

seppi at seppig.de reported this vulnerability.

Impact:   A local user can obtain elevated privileges on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vmware.com/
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  security vulnerability in VMware

vulnerable software: VMware Workstation 6.0 for Windows, possibly some other VMware products as well
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.

The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size to at most 1024 bytes, it will underrun and potentially execute arbitrary code.

Interestingly the vmstor driver (which is the old version supposed to mount VMware images prior to version 6.0) is not vulnerable.

I originally reported this vulnerability on 21-May-07 and got a response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.

how to reproduce:

- get DC2.exe from the latest Windows Driver Kit
- login as unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

workaround:

Disable the vstor-ws60 driver in the device manager. This will disable the VMware Virtual Image Mounter.
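The length-trust defect the report describes (an IOCTL handler accepting a caller-declared size that disagrees with the bytes actually delivered and with its own fixed buffer), shown as an added example beside the hardened form. This is not the vmstor-60 code and does not follow its request layout: the `ioctl_req_t` struct, `MAX_PAYLOAD`, both handlers and `check_request` are hypothetical, written in plain C so it runs in user mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical request layout (constructed for this example, not the vmstor-60
 * format): a header carrying a caller-declared payload length, then the bytes. */
#define MAX_PAYLOAD 1024

typedef struct {
    uint32_t payload_len;   /* declared by the untrusted caller */
    uint8_t  payload[];     /* payload bytes follow the header */
} ioctl_req_t;

/* Vulnerable pattern: trusts payload_len and ignores in_len, the byte count the
 * I/O manager actually delivered, so a mismatch reads past the request and
 * writes past the fixed 1024-byte scratch buffer. */
int handle_vulnerable(const void *in, size_t in_len, uint8_t out[MAX_PAYLOAD]) {
    const ioctl_req_t *req = in;
    (void)in_len;                                   /* the missing check */
    memcpy(out, req->payload, req->payload_len);
    return 0;
}

/* Hardened pattern: the header must fit in what was delivered, the declared
 * length must fit in the remainder, and it must fit the destination buffer. */
int handle_hardened(const void *in, size_t in_len, uint8_t out[MAX_PAYLOAD]) {
    const ioctl_req_t *req = in;
    if (in_len < sizeof(ioctl_req_t))                      return -1; /* truncated header */
    if (req->payload_len > in_len - sizeof(ioctl_req_t))   return -1; /* over-declared */
    if (req->payload_len > MAX_PAYLOAD)                    return -1; /* exceeds scratch */
    memcpy(out, req->payload, req->payload_len);
    return 0;
}

/* Builds a constructed request declaring declared_len bytes inside a buffer of
 * delivered_len bytes and returns the hardened handler's verdict (0 = accepted). */
int check_request(uint32_t declared_len, size_t delivered_len) {
    static uint8_t buf[4096];
    uint8_t out[MAX_PAYLOAD];
    if (delivered_len > sizeof buf) return -2;
    memset(buf, 0x41, sizeof buf);
    memcpy(buf, &declared_len, sizeof declared_len);
    return handle_hardened(buf, delivered_len, out);
}
```

Only the hardened handler is exercised by `check_request`; the vulnerable one is kept solely to show the missing comparison.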


Copyright 2019, SecurityGlobal.net LLC