
List:       bugtraq
Subject:    security vulnerability in VMware
From:       seppi () seppig ! de
Date:       2007-08-24 22:34:05
Message-ID: 20070824223405.12299.qmail () securityfocus ! com

vulnerable software: VMware Workstation 6.0 for Windows, possibly some other VMware products as well
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.

The issue is in the vmstor-60 driver, which is used to mount VMware images within the host OS. When the IOCTL code FsSetVoleInformation is sent with the subcode FsSetFileInformation, a large buffer, and a reported buffer size of at most 1024 bytes (smaller than the buffer actually supplied), the driver underruns the buffer and can potentially be made to execute arbitrary code.

Interestingly, the older vmstor driver (used to mount VMware images prior to version 6.0) is not vulnerable.

I originally reported this vulnerability on 21-May-07 and got a response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.

how to reproduce:

- get DC2.exe from the latest Windows Driver Kit
- log in as an unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

workaround:

Disable the vstor-ws60 driver in the Device Manager. This disables the VMware Virtual Image Mounter.
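As an added example (not part of the original advisory), the following PowerShell script lets an administrator check whether the driver named in the workaround is installed and running on a host, and optionally apply the workaround from the command line instead of the Device Manager. The service name `vstor-ws60` is an assumption taken from the device name quoted above; the advisory does not state the service name, so verify it against `sc.exe query type= driver` on your own host before relying on it.

```powershell
# Added example, not VMware's or the advisory author's code.
# Reports the state of the VMware Virtual Image Mounter driver and, with -Disable,
# stops it and sets its start type to Disabled (requires an elevated prompt).
[CmdletBinding()]
param(
    # Assumed service name; derived from \Device\vstor-ws60 in the advisory.
    [string]$DriverName = 'vstor-ws60',
    [switch]$Disable
)

function Get-DriverStatus {
    param([string]$Name)
    # Win32_SystemDriver covers kernel drivers, which Get-Service does not list.
    Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
}

$drv = Get-DriverStatus -Name $DriverName
if (-not $drv) {
    Write-Output "Driver '$DriverName' is not installed on this host; nothing to do."
    return
}

Write-Output ("{0}: State={1} StartMode={2} Path={3}" -f `
    $drv.Name, $drv.State, $drv.StartMode, $drv.PathName)

if ($Disable) {
    # sc.exe is used for both steps: stop the running driver, then prevent it
    # from loading again. "start= disabled" needs the space after '='.
    & sc.exe stop $DriverName | Out-Null
    & sc.exe config $DriverName start= disabled | Out-Null

    $after = Get-DriverStatus -Name $DriverName
    Write-Output ("After change: State={0} StartMode={1}" -f $after.State, $after.StartMode)
    if ($after.State -ne 'Stopped') {
        Write-Warning "Driver is still loaded; a reboot is needed for the Disabled start type to take effect."
    }
}
```

Run it without switches first to audit hosts (the output shows whether the driver is loaded and from which path), and with `-Disable` only on hosts where the image mounter is not needed, since this removes the mounting feature exactly as the Device Manager workaround does. `sc.exe stop` can fail if the driver has open handles; the script reports that case so the change is not assumed to be complete until after a reboot.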

