[VIM] Incorrect Titling of VMSA-2007-0004 and Questions of Impact
Matthew Murphy
mattmurphy at kc.rr.com
Mon May 7 23:31:21 UTC 2007
VMware released VMSA-2007-0004 today:
http://seclists.org/fulldisclosure/2007/May/0098.html
The title, summary and synopsis all read "Multiple Denial-of-Service
issues fixed". However, the fifth issue, which snuck into it, is in
point 3e:
Shared Folders is a feature that enables users of guest operating
systems to access a specified set of folders in the host's file
system. A vulnerability was identified by Greg MacManus of iDefense
Labs that could allow an attacker to write arbitrary content from a
guest system to arbitrary locations on the host system. In order to
exploit this vulnerability, the VMware system must have at least
one folder shared. Although the Shared Folder feature is enabled
by default, no folders are shared by default, which means this
vulnerability is not exploitable by default.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2007-1744 to this issue.
VMware Workstation 5.5.4 (Build# 44386)
VMware Player 1.0.4 (Build# 44386)
VMware Server 1.0.3 (Build# 44356)
VMware ACE 1.0.3 (Build# 44385)
CVE-2007-1744 corresponds to this iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=521
The issue is not a DoS in any way. Rather, it allows an attacker
with the ability to run code on a VM to write files to arbitrary
folders on the host system, provided the host is sharing at least one
folder with VM guests.
At least on Windows, this is exploitable for arbitrary code
execution. The ability of malicious code on a guest account to write
files on the host is game over for the individual account using
VMware. It's not clear from reading iDefense's advisory, or from
reading 2007-0004, however, if VMware's Shared Folders are
implemented within the application or as part of one of VMware's
service processes. In the latter case, arbitrary files can be
written with LocalSystem privileges, making it game over for the
entire host.