VMware Tools – Update OS Command Injection

  • Author: Nahuel Grisolia
    Date: 2010-12-09
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15717/
  • VMware Tools update OS Command Injection
    ========================================
    
    1. Advisory Information
    Advisory ID: BONSAI-2010-0110
    Date published: Thu Dec 9, 2010
    Vendors contacted: VMware
    Release mode: Coordinated release
    
    2. Vulnerability Information
    Class: Injection
    Remotely Exploitable: Yes
    Locally Exploitable: Yes
    CVE Name: CVE-2010-4297
    
    3. Software Description
    VMware Tools is a suite of utilities that enhances the performance of
    the virtual machine's guest operating system and improves management of
    the virtual machine. Without VMware Tools installed in your guest
    operating system, guest performance lacks important functionality.
    Installing VMware Tools eliminates or improves the following issues:
    
    * low video resolution
    * inadequate color depth
    * incorrect display of network speed
    * restricted movement of the mouse
    * inability to copy and paste and drag-and-drop files
    * missing sound
    
    VMware Tools includes these components:
    
    * VMware Tools service
    * VMware device drivers
    * VMware user process
    * VMware Tools control panel
    
    VMware Tools is provided in the following formats:
    
    * ISOs (contain .tar and .rpm files) – packaged with the product and
    are installed in a number of ways, depending upon the VMware product and
    the guest operating system installed in the virtual machine. VMware
    Tools provides a different ISO file for each type of supported guest
    operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.
    * Operating System Specific Packages (OSPs) – downloaded and
    installed from the command line. VMware Tools is available as separate
    downloadable, light-weight packages that are specific to each supported
    Linux operating system and VMware product. OSPs are an alternative to
    the existing mechanism for installing VMware Tools and only support
    Linux systems running on ESX.
    
    4. Vulnerability Description
    Injection flaws, such as SQL, OS, and LDAP injection, occur when
    untrusted data is sent to an interpreter as part of a command or query.
    The attacker’s hostile data can trick the interpreter into executing
    unintended commands or accessing unauthorized data.
    
    5. Vulnerable packages
    Column 4 of the following table lists the action required to remediate
    the vulnerability in each release, if a solution is available:
    VMware Product   Product Version   Running On   Replace with / Apply Patch
    VirtualCenter    any               Windows      not affected
    Workstation      7.X               any          7.1.2 Build 301548 or later
    Workstation      6.5.X             any          6.5.5 Build 328052 or later
    Player           3.1.X             any          3.1.2 Build 301548 or later
    Player           2.5.X             any          2.5.5 Build 328052 or later
    AMS              any               any          not affected
    Server           2.0.2             any          affected, no patch planned
    Fusion           3.1.X             Mac OSX      3.1.2 Build 332101
    Fusion           2.X               Mac OSX      2.0.8 Build 328035
    ESXi             4.1               ESXi         ESXi410-201010402-BG
    ESXi             4.0               ESXi         ESXi400-201009402-BG
    ESXi             3.5               ESXi         ESXe350-201008402-T-BG **
    ESX              4.1               ESX          ESX410-201010405-BG
    ESX              4.0               ESX          ESX400-201009401-SG
    ESX              3.5               ESX          ESX350-201008409-BG **
    ESX              3.0.3             ESX          not affected
    
    * hosted products are VMware Workstation, Player, ACE, Fusion.
    ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
     - Install the relevant ESX patch.
     - Manually upgrade tools in the virtual machine (virtual machine
    users will not be prompted to upgrade tools). Note that the VI Client may
    not show that VMware Tools is out of date in the summary tab.
    The full VMware advisory can be found at:
    http://www.vmware.com/security/advisories/VMSA-2010-0018.html
    
    6. Non-vulnerable packages
    See above table.
    
    7. Credits
    This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-
    bonsai-sec.com ).
    
    8. Technical Description
    8.1. OS Command Injection – PoC Example
    CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
    VMware Server Infrastructure Web Access is prone to a remote command
    execution vulnerability because the software fails to adequately
    sanitize user-supplied input.
    When VMware Tools is updated on a guest virtual machine through this
    interface, a command injection attack can be executed by sending
    specially crafted parameters.
    Successful attacks can compromise the affected guest virtual machine
    with root privileges.
    The following proof of concept is given. It was exploited in a GNU/Linux
    guest with VMware Tools installed but not fully updated:
    POST /ui/sb HTTP/1.1
    […]
    Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;
    l=http%3A%2F%2Flocalhost%3A80%2Fsdk
    […]
    [{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";
    INJECTED COMMAND HERE ;"]}]
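A defensive counterpart to the request above, added here as an example and not code from VMware, Bonsai or the advisory: it parses the relaxed JSON-like `/ui/sb` body, allowlists every `UpgradeTools_Task` argument, and builds an argv list (no shell) so that `;` and newlines in the trailing argument can never terminate a command. The `UPGRADER` path, the option allowlist, the third argument being free-text installer options, and both sample bodies are assumptions constructed for the example.

```python
import re

# Sample bodies constructed from the PoC request in section 8.1 (not captured traffic);
# the newline inside the last argument of the PoC is preserved.
POC_BODY = ('[{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",'
            '{_i:"VirtualMachine|960"},";\nINJECTED COMMAND HERE ;"]}]')
BENIGN_BODY = ('[{i:"379",exec:"/cmd/vm",args:["UpgradeTools_Task",'
               '{_i:"VirtualMachine|960"},"--example-option"]}]')

VM_REF = re.compile(r"VirtualMachine\|\d+")       # the only shape a VM reference may take
OPTION_CHARS = re.compile(r"[A-Za-z0-9 ._=/-]*")  # assumed allowlist for free-text options
UPGRADER = "/opt/example/vmware-tools-upgrader"   # placeholder path, not a real VMware binary

def parse_sb_body(body):
    """Extract exec and args from the relaxed (unquoted-key) JSON the Web Access UI posts."""
    m = re.search(r'exec:"([^"]*)",args:\[(.*)\]\}\]\s*$', body, re.S)
    if not m:
        raise ValueError("unrecognised /ui/sb body")
    # {_i:"..."} object references collapse to their _i value; plain strings stay as-is.
    args = [obj or s for obj, s in re.findall(r'\{_i:"([^"]*)"\}|"([^"]*)"', m.group(2))]
    return m.group(1), args

def build_upgrade_argv(args):
    """Validate UpgradeTools_Task arguments and return an argv list for subprocess.run()
    without shell=True: each element reaches the tool as data, never as shell syntax."""
    if len(args) < 2 or args[0] != "UpgradeTools_Task":
        raise ValueError("unexpected argument list: %r" % (args,))
    vm_ref = args[1]
    options = args[2] if len(args) > 2 else ""
    if not VM_REF.fullmatch(vm_ref):
        raise ValueError("VM reference rejected: %r" % (vm_ref,))
    if not OPTION_CHARS.fullmatch(options):      # ';', newlines, quotes and $() all fail here
        raise ValueError("disallowed characters in options: %r" % (options,))
    return [UPGRADER, "--vm", vm_ref.split("|", 1)[1]] + options.split()

def is_injection_attempt(body):
    """Proxy/log check: True when a /cmd/vm upgrade request would fail validation."""
    exec_path, args = parse_sb_body(body)
    if exec_path != "/cmd/vm":
        return False
    try:
        build_upgrade_argv(args)
    except ValueError:
        return True
    return False
```

Run over a web-access log, `is_injection_attempt` flags the PoC body while accepting the benign one; the argv it builds is what the handler should hand to `subprocess.run` in place of a concatenated shell string.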
    
    
    9. Report Timeline
    • 2010-04-24 / Vulnerabilities were identified
    • 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor
    • 2010-12-09 / Vulnerability is Disclosed – PoC attached
    
    10. About Bonsai
    Bonsai is a company involved in providing professional computer
    information security services. Currently a sound growth company, since
    its foundation in early 2009 in Buenos Aires, Argentina, we are fully
    committed to quality service and focused on our customers’ real needs.
    
    11. Disclaimer
    The contents of this advisory are copyright (c) 2010 Bonsai Information
    Security, and may be distributed freely provided that no fee is charged
    for this distribution and proper credit is given.
    
    12. Research
    http://www.bonsai-sec.com/en/research/vulnerability.php
    http://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php