Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25262
HistoryDec 10, 2010 - 12:00 a.m.

Bonsai Information Security - VMware Tools update OS Command Injection

2010-12-1000:00:00
vulners.com
16

VMware Tools update OS Command Injection

  1. Advisory Information
    Advisory ID: BONSAI-2010-0110
    Date published: Thu Dec 9, 2010
    Vendors contacted: VMware
    Release mode: Coordinated release

  2. Vulnerability Information
    Class: Injection
    Remotely Exploitable: Yes
    Locally Exploitable: Yes
    CVE Name: CVE-2010-4297

  3. Software Description
    VMware Tools is a suite of utilities that enhances the performance of
    the virtual machine's guest operating system and improves management of
    the virtual machine. Without VMware Tools installed in your guest
    operating system, guest performance lacks important functionality.
    Installing VMware Tools eliminates or improves the following issues:

    • low video resolution
    • inadequate color depth
    • incorrect display of network speed
    • restricted movement of the mouse
    • inability to copy and paste and drag-and-drop files
    • missing sound

VMware Tools includes these components:

* VMware Tools service
* VMware device drivers
* VMware user process
* VMware Tools control panel

VMware Tools is provided in the following formats:

* ISOs (contain .tar and .rpm files) – packaged with the product and

are installed in a number of ways, depending upon the VMware product and
the guest operating system installed in the virtual machine. VMware
Tools provides a different ISO file for each type of supported guest
operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.
* Operating System Specific Packages (OSPs) – downloaded and
installed from the command line. VMware Tools is available as separate
downloadable, light-weight packages that are specific to each supported
Linux operating system and VMware product. OSPs are an alternative to
the existing mechanism for installing VMware Tools and only support
Linux systems running on ESX.

  1. Vulnerability Description
    Injection flaws, such as SQL, OS, and LDAP injection, occur when
    untrusted data is sent to an interpreter as part of a command or query.
    The attacker’s hostile data can trick the interpreter into executing
    unintended commands or accessing unauthorized data.

  2. Vulnerable packages
    Column 4 of the following table lists the action required to remediate
    the vulnerability in each release, if a solution is available:
    VMWare Product Product Version Running On Replace with / Apply Patch
    VirtualCenter any Windows not affected
    Workstation 7.X any 7.1.2 Build 301548 or later
    Workstation 6.5.X any 6.5.5 Build 328052 or later
    Player 3.1.X any 3.1.2 Build 301548 or later
    Player 2.5.X any 2.5.5 Build 328052 or later
    AMS any any not affected
    Server 2.0.2 any affected, no patch planned
    Fusion 3.1.X Mac OSX 3.1.2 Build 332101
    Fusion 2.X Mac OSX 2.0.8 Build 328035
    ESXi 4.1 ESXi ESXi410-201010402-BG
    ESXi 4.0 ESXi ESXi400-201009402-BG
    ESXi 3.5 ESXi ESXe350-201008402-T-BG **
    ESX 4.1 ESX ESX410-201010405-BG
    ESX 4.0 ESX ESX400-201009401-SG
    ESX 3.5 ESX ESX350-201008409-BG **
    ESX 3.0.3 ESX not affected

  • hosted products are VMware Workstation, Player, ACE, Fusion.
    ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
    • Install the relevant ESX patch.
    • Manually upgrade tools in the virtual machine (virtual machine
      users will not be prompted to upgrade tools). Note the VI Client may
      not show that the VMware tools is out of date in th summary tab.
      Full VMWare advisory could be found at:
      http://www.vmware.com/security/advisories/VMSA-2010-0018.html
  1. Non-vulnerable packages
    See above table.

  2. Credits
    This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
    bonsai-sec.com ).

  3. Technical Description
    8.1. OS Command Injection – PoC Example
    CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
    VMware Server Infrastructure Web Access is prone to remote command
    execution vulnerability because the software fails to adequately
    sanitize user-supplied input.
    When Updating the VMTools on a certain Guest Virtual Machine, a command
    injection attack can be executed if specially crafted parameters are sent.
    Successful attacks can compromise the affected Guest Virtual Machine
    with root privileges.
    The following proof of concept is given. It was exploited in a GNU/Linux
    Guest with VMware Tools installed but not fully updated:
    POST /ui/sb HTTP/1.1
    […]
    Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;
    l=http%3A%2F%2Flocalhost%3A80%2Fsdk
    […]
    [{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";
    INJECTED COMMAND HERE ;"]}]

  4. Report Timeline
    • 2010-04-24 / Vulnerabilities were identified
    • 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor
    • 2010-12-09 / Vulnerability is Disclosed – PoC attached

  5. About Bonsai
    Bonsai is a company involved in providing professional computer
    information security services. Currently a sound growth company, since
    its foundation in early 2009 in Buenos Aires, Argentina, we are fully
    committed to quality service and focused on our customers’ real needs.

  6. Disclaimer
    The contents of this advisory are copyright (c) 2010 Bonsai Information
    Security, and may be distributed freely provided that no fee is charged
    for this distribution and proper credit is given.

  7. Research
    http://www.bonsai-sec.com/en/research/vulnerability.php
    http://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php

Related for SECURITYVULNS:DOC:25262