Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

security vulnerability in VMware

from [seppi] Network Security [Permanent Link]
Subject: security vulnerability in VMware
Date: 24 Aug 2007 22:34:05 -0000 
vulnerable software: VMware Workstation 6.0 for Windows, possible some other 
VMware products as well
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged 
user in the host OS to crash the system and potentially run arbitrary code with 
kernel privileges.

The issue is in the vmstor-60 driver, which is supposed to mount VMware images 
within the host OS. When sending the IOCTL code FsSetVoleInformation with 
subcode FsSetFileInformation with a large buffer and underreporting its size to 
at max 1024 bytes, it will underrun and potentially execute arbitrary code.

Interestingly the vmstor driver (which is the old version supposed to mount 
VMware images prior to version 6.0) is not vulnerable.

I have originally reported this vulnerability on 21-May-07 and got response 
from the VMware security team, but so far the investigation hasn't gone any 
further and no update has been released.

how to reproduce:

- get DC2.exe from the latest Windows Driver Kit
- login as unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

workaround:

Disable the vstor-ws60 driver in the device manager. This will disable the 
VMware Virtual Image Mounter.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • security vulnerability in VMware, seppi <=
Previous by Date:  [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory, security
Next by Date:  Re: VMWare poor guest isolation design, Tim Newsham
Previous by Thread:  [Full-disclosure] n.runs-SA-2007.027 - Sophos Antivirus UPX parsing Arbitrary CodeExecution Advisory, security
Next by Thread:  Security vulnerability in BufferZone 2.5, seppi
Indexes:  [Date] [Thread] [Top] [All Lists]