SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   VMware Vendors:   VMware
VMware Tools Temporary File Permission Flaws Lets Local Users Deny Service and Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030758
SecurityTracker URL:  http://securitytracker.com/id/1030758
CVE Reference:   CVE-2014-4199, CVE-2014-4200   (Links to External Site)
Date:  Aug 26 2014
Impact:   Denial of service via local system, Disclosure of system information, Modification of system information
Exploit Included:  Yes  
Version(s): vm-support version 0.88
Description:   Two vulnerabilities were reported in VMware Tools. A local user can cause denial of service conditions. A local user can obtain potentially sensitive information.

A local user can exploit a flaw in the creation of temporary files in '/tmp' to cause system files on the target system to be overwritten by the target user running vm-support [CVE-2014-4199].

The vm-support archive in the '/tmp' has world-readable permissions [CVE-2014-4200]. A local user can obtain potentially sensitive information.

Dolev Farhi reported these vulnerabilities.

Impact:   A local user can cause denial of service conditions on the target system.

A local user can obtain potentially sensitive information.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.vmware.com/ (Links to External Site)
Cause:   Access control error

Message History:   None.


 Source Message Contents

Subject:  [FD] VMware vm-support multiple vulnerabilities

Author: dolevf
Date: 18.6.2014
Version: vm-support latest version 0.88
Tested on: Red Hat Enterprise Linux 6
Relevant CVEs: 2014-4199, 2014-4200


1. About the application
------------------------
VMware support is a tool designed to collect diagnostic information such 
as logs, configuration files and directories, from a virtualized guest 
system.
vm-support is part of the vmware-tools pack.


2. Vulnerabilities Descriptions:
-----------------------------
CVE-2014-4199: An attacker is able to over-write system files  due to 
insecure creation of files in /tmp by running vm-support tool, 
potentially denying service to other users of the system.
CVE-2014-4200:  An attacker is able to extract sensitive files from the 
vm-support archive due to it having 0644 permissions and stored in /tmp 
folder.



3. Release date
--------------------
26.8.2014


4. proof of concept
-----------------------

CVE-2014-4199:
=============
  runcmd "ifconfig -a" "/tmp/ifconfig.$$.txt"
  runcmd "mount" "/tmp/mount.$$.txt"
  runcmd "dmesg" "/tmp/dmesg.$$.txt"
  runcmd "ulimit -a" "/tmp/ulimit-a.$$.txt"



CVE-2014-4200:
=============
[root@server1 tmp]# ls -ld vm-2014-08-26.25023.tar.gz
-rw-r--r-- 1 root root 631081 Aug 26 17:19 vm-2014-08-26.25023.tar.gz





_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC