Vulnerability

    VMware

Affected

    Linux Distributions with VMware 1.1.2 (build 364)

Description

    'harakiri' found the following. VMware stores temporary log files within the /tmp directory. It does not check whether these files already exist before creating them, resulting in the potential for a symlink attack.

    VMware is a commercial application that enables the operation of "guest" operating systems within the host system. This is performed via the use of Virtual Machine technology. Due to the low-level requirements of VMware, it is necessary to run the program at a high privilege level, typically root.

    VMware creates the file "/tmp/vmware-log" on startup. The existence and owner of the file are not checked prior to writing startup information to the file.

    NOTE: VMware uses other files in the /tmp directory. The one cited above is only a single example.

    Local users may create a symlink at /tmp/vmware-log that points to an arbitrary file. When VMware is executed, the file pointed to by the symlink will be overwritten. This may be used as a local denial of service attack. There may also be a method to gain elevated privileges via the symlink attack, though none is known at this time.

Solution

    Wait for a fix from the vendor. Set $TMPDIR to something sane like $HOME/tmpfiles. The use of the /tmp directory is default in VMware, but configurable with the tmpDirectory = <directory> setting in the .cfg file for the guest operating system, or with the TMPDIR=<directory> setting in your shell environment. This is documented on VMware's website.
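The missing existence and owner check described above, next to a hardened open, as an added example (not VMware's code and not part of the original advisory). The function names, the scratch directory /tmp/logdemo-XXXXXX and the "victim" file are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: no existence or owner check, so a
 * pre-planted symlink is followed and its target is truncated. */
int open_log_unchecked(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened: O_EXCL fails if anything (even a dangling symlink) already
 * exists at path; fstat() then confirms a regular file owned by us. */
int open_log_exclusive(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: a symlink sits at
 * the log path and points at "victim". Returns 1 if victim survives. */
int victim_survives(int (*open_log)(const char *))
{
    char dir[] = "/tmp/logdemo-XXXXXX", victim[64], logp[64], buf[8] = {0};
    FILE *f; int fd;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logp, sizeof logp, "%s/vmware-log", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("keep", f); fclose(f);
    if (symlink(victim, logp) != 0) return -1;
    if ((fd = open_log(logp)) >= 0) close(fd);
    if ((f = fopen(victim, "r"))) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    unlink(logp); unlink(victim); rmdir(dir);
    return strcmp(buf, "keep") == 0;
}

int main(void) { return victim_survives(open_log_exclusive) == 1 ? 0 : 1; }
```

A private, non-world-writable directory such as the $HOME/tmpfiles suggested in the Solution removes the opportunity to plant the link in the first place; the exclusive open is what protects a program that must still write into a shared directory.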