Skip to content
cyberexploits
remotemultipletext

VMware Tools - Update OS Command Injection

VMware Tools - Update OS Command Injection

Published on 2010-12-09

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/multiple/remote/15717.txt7eac4c3a
raw
VMware Tools update OS Command Injection

========================================



1. Advisory Information

Advisory ID: BONSAI-2010-0110

Date published: Thu Dec 9, 2010

Vendors contacted: VMware

Release mode: Coordinated release



2. Vulnerability Information

Class: Injection

Remotely Exploitable: Yes

Locally Exploitable: Yes

CVE Name: CVE-2010-4297



3. Software Description

VMware Tools is a suite of utilities that enhances the performance of

the virtual machine's guest operating system and improves management of

the virtual machine. Without VMware Tools installed in your guest

operating system, guest performance lacks important functionality.

Installing VMware Tools eliminates or improves the following issues:



    * low video resolution

    * inadequate color depth

    * incorrect display of network speed

    * restricted movement of the mouse

    * inability to copy and paste and drag-and-drop files

    * missing sound



VMware Tools includes these components:



    * VMware Tools service

    * VMware device drivers

    * VMware user process

    * VMware Tools control panel



VMware Tools is provided in the following formats:



    * ISOs (contain .tar and .rpm files) – packaged with the product and

are installed in a number of ways, depending upon the VMware product and

the guest operating system installed in the virtual machine. VMware

Tools provides a different ISO file for each type of supported guest

operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.

    * Operating System Specific Packages (OSPs) – downloaded and

installed from the command line. VMware Tools is available as separate

downloadable, light-weight packages that are specific to each supported

Linux operating system and VMware product. OSPs are an alternative to

the existing mechanism for installing VMware Tools and only support

Linux systems running on ESX.



4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when

untrusted data is sent to an interpreter as part of a command or query.

The attacker’s hostile data can trick the interpreter into executing

unintended commands or accessing unauthorized data.



5. Vulnerable packages

Column 4 of the following table lists the action required to remediate

the vulnerability in each release, if a solution is available:

VMWare Product	Product Version	Running On	Replace with / Apply Patch

VirtualCenter	any	Windows	not affected

Workstation	7.X	any	7.1.2 Build 301548 or later

Workstation	6.5.X	any	6.5.5 Build 328052 or later

Player	3.1.X	any	3.1.2 Build 301548 or later

Player	2.5.X	any	2.5.5 Build 328052 or later

AMS	any	any	not affected

Server	2.0.2	any	affected, no patch planned

Fusion	3.1.X	Mac OSX	3.1.2 Build 332101

Fusion	2.X	Mac OSX	2.0.8 Build 328035

ESXi	4.1	ESXi	ESXi410-201010402-BG

ESXi	4.0	ESXi	ESXi400-201009402-BG

ESXi	3.5	ESXi	ESXe350-201008402-T-BG **

ESX	4.1	ESX	ESX410-201010405-BG

ESX	4.0	ESX	ESX400-201009401-SG

ESX	3.5	ESX	ESX350-201008409-BG **

ESX	3.0.3	ESX	not affected



  * hosted products are VMware Workstation, Player, ACE, Fusion.

  ** Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:

     - Install the relevant ESX patch.

     - Manually upgrade tools in the virtual machine (virtual machine

users will not be prompted to upgrade tools).  Note the VI Client may

not show that the VMware tools is out of date in th summary tab.

Full VMWare advisory could be found at:

http://www.vmware.com/security/advisories/VMSA-2010-0018.html



6. Non-vulnerable packages

See above table.



7. Credits

This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-

bonsai-sec.com ).



8. Technical Description

8.1. OS Command Injection – PoC Example

CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

VMware Server Infrastructure Web Access is prone to remote command

execution vulnerability because the software fails to adequately

sanitize user-supplied input.

When Updating the VMTools on a certain Guest Virtual Machine, a command

injection attack can be executed if specially crafted parameters are sent.

Successful attacks can compromise the affected Guest Virtual Machine

with root privileges.

The following proof of concept is given. It was exploited in a GNU/Linux

Guest with VMware Tools installed but not fully updated:

POST /ui/sb HTTP/1.1

[…]

Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;

l=http%3A%2F%2Flocalhost%3A80%2Fsdk

[…]

[{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";

INJECTED COMMAND HERE ;"]}]





9. Report Timeline

• 2010-04-24 / Vulnerabilities were identified

• 2010-04-29 – 2010-12-02 / Multiple Contacts with Vendor

• 2010-12-09 / Vulnerability is Disclosed – PoC attached



10. About Bonsai

Bonsai is a company involved in providing professional computer

information security services. Currently a sound growth company, since

its foundation in early 2009 in Buenos Aires, Argentina, we are fully

committed to quality service and focused on our customers’ real needs.



11. Disclaimer

The contents of this advisory are copyright (c) 2010 Bonsai Information

Security, and may be distributed freely provided that no fee is charged

for this distribution and proper credit is given.



12. Research

http://www.bonsai-sec.com/en/research/vulnerability.php

http://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php

View on GitHub