VMware Tools Multiple Vulnerabilities

Release Date 2011-06-03
Application VMware Guest Tools
Severity High
Discovered by Dan Rosenberg <drosenberg {at} vsecurity.com>
Vendor Status Patch Released [2]
CVE Candidates CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference Original Advisory

Product Description

From [1]:

"VMware Tools is a suite of utilities that enhances the performance of the virtual machine's guest operating system and improves management of the virtual machine. Without VMware Tools installed in your guest operating system, guest performance lacks important functionality."

Vulnerability Overview

On February 17th, VSR identified multiple vulnerabilities in VMware Tools, a suite of utilities shipped by VMware with multiple product offerings, as well as by open-source distributions as the open-vm-tools package. The first of these issues results in a minor information disclosure vulnerability, while the second two issues may result in privilege escalation in a VMware guest with VMware Tools installed.

Product Background

VMware Tools includes mount.vmhgfs, a setuid-root utility that allows unprivileged users in a guest VM to mount HGFS shared folders. Also shipped with VMware Tools is vmware-user-suid-wrapper, a setuid-root utility which handles initial setup to prepare for running vmware-user, which grants users access to other utilities included with VMware Tools.

Vulnerability Details

CVE-2011-2146

The mount.vmhgfs utility makes a call to stat() to check for the existence and type (file, directory, etc.) of the user-supplied mountpoint, and provides an error message if the provided argument does not exist or is not a directory. Because mount.vmhgfs is setuid-root, a local attacker can leverage this behavior to identify if a given path exists in the guest operating system and whether it is a file or directory, potentially violating directory permissions.

CVE-2011-1787

The mount.vmhgfs utility checks that the user-provided mountpoint is owned by the user attempting to mount an HGFS share prior to performing the mount. However, a race condition exists between the time this checking is performed and when the mount is performed. Successful exploitation allows a local attacker to mount HGFS shares over arbitrary, potentially root-owned directories, subsequently allowing privilege escalation within the guest.

CVE-2011-2145

The vmware-user-suid-wrapper utility attempts to create a directory at /tmp/VMwareDnD. Next, it makes calls to chown() and chmod() to make this directory root-owned and world-writable. By placing a symbolic link at the location of this directory, vmware-user-suid-wrapper will cause the symbolic link target to become world-writable, allowing local attackers to escalate privileges within the guest. Only FreeBSD and Solaris versions of VMware Tools are affected.

Versions Affected

VMware's advisory [2] indicates the following product versions are affected:

       VMware      Product     Running     Replace with/
       Product     Version     on          Apply Patch
       =========   ========    =======     =================
       vCenter     any         Windows     not affected

       Workstation 7.1.x       Linux       7.1.4 or later*
       Workstation 7.1.x       Windows     7.1.4 or later*

       Player      3.1.x       Linux       3.1.4 or later*
       Player      3.1.x       Windows     3.1.4 or later*

       AMS         any         any         not affected

       Fusion      3.1.x       OSX         Fusion 3.1.3 or later*

       ESXi        4.1         ESXi        ESXi410-201104402-BG*
       ESXi        4.0         ESXi        ESXi400-201104402-BG*
       ESXi        3.5         ESXi        ESXe350-201105402-T-SG*

       ESX         4.1         ESX         ESX410-201104401-SG*
       ESX         4.0         ESX         ESX400-201104401-SG*
       ESX         3.5         ESX         ESX350-201105406-SG*
       ESX         3.0.3       ESX         not affected

The open-vm-tools package prior to version 2011.02.23-368700 is also affected.

Vendor Response

The following timeline details VMware's response to the reported issue:

2011-02-17 VMware receives initial vulnerability report
2011-02-17 VMware security team acknowledges receipt
2011-03-04 VMware provides status update
2011-03-04 VSR initiates discussion of disclosure date
2011-03-10 VMware responds, indicates internal coordination underway
2011-03-11 VSR acknowledges response
2011-03-15 VMware indicates internal coordination still ongoing
2011-03-15 VSR acknowledges response
2011-03-20 VMware proposes disclosure date of late Q3
2011-03-21 VSR agrees to disclosure date
2011-03-30 VMware provides status update
2011-04-28 VMware provides status update
2011-05-05 VMware provides status update
2011-05-06 VSR acknowledges receipt of status updates
2011-06-03 Coordinated disclosure

Recommendation

Apply VMware-supplied updates to affected products, or download distribution-supplied security updates if using the opem-vm-tools package.

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the numbers CVE-2011-1787, CVE-2011-2145, and CVE-2011-2146 to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks for VMware for their prompt response, frequent status updates, and fix.


References

1. Overview of VMware Tools
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=340
2. VMSA-2011-0009
http://www.vmware.com/security/advisories/VMSA-2011-0009.html

This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

See the VSR disclosure policy for more information on our responsible disclosure practices.


Copyright 2011 Virtual Security Research, LLC. All rights reserved.

2014-09-17
Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

2014-05-20
XML Schema, DTD, and Entity Attacks

2013-06-19
IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to POA

2012-10-23
Timothy D. Morgan presents No Crack Required: Cryptanalysis in Real-World Applications at OWASP AppSecUSA 2012.

more...

Contact us by phone,
fax or e-mail:

Phone: 617.933.8919
Fax: 617.933.8920
Email: inquiry@vsecurity.com