List: bugtraq
Subject: security vulnerability in VMware
From: seppi () seppig ! de
Date: 2007-08-24 22:34:05
Message-ID: 20070824223405.12299.qmail () securityfocus ! com

vulnerable software: VMware Workstation 6.0 for Windows, possibly some other VMware products as well
type of vulnerability: DoS, potential privilege escalation

I found a vulnerability in VMware Workstation 6.0 which allows an unprivileged user in the host OS to crash the system and potentially run arbitrary code with kernel privileges.

The issue is in the vmstor-60 driver, which is supposed to mount VMware images within the host OS. When sending the IOCTL code FsSetVoleInformation with subcode FsSetFileInformation with a large buffer and underreporting its size to at most 1024 bytes, it will underrun and potentially execute arbitrary code.

Interestingly, the vmstor driver (which is the old version supposed to mount VMware images prior to version 6.0) is not vulnerable.

I originally reported this vulnerability on 21-May-07 and got a response from the VMware security team, but so far the investigation hasn't gone any further and no update has been released.

how to reproduce:
- get DC2.exe from the latest Windows Driver Kit
- log in as an unprivileged user
- run "dc2 /hct \Device\vstor-ws60"

workaround:
Disable the vstor-ws60 driver in the device manager. This will disable the VMware Virtual Image Mounter.