‘VMware Tools for Windows Local Binary Planting Vulnerability’

Summary

A ‘binary planting’ vulnerability in VMware Tools for Windows allows a local non-administrative attacker, under certain circumstances, to execute a malicious executable on virtual Windows machines in the context of logged- on users.’

Credit:

‘The information has been provided by Mitja Kolsek.
The original article can be found at: http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt


Details

Vulnerable Systems:
 * VMware Tools for Windows build 91707
 * VMware Tools for Windows version 7.8.4 build 126130

There is a code execution vulnerability in VMware Tools for Windows that allows a local attacker (being able to log on locally to the virtual machine) to plant a malicious executable with a specific name on the local drive and wait for this executable to get launched when another user logs on to the virtual machine.

While this scenario is usually blocked on default VMware Tools’ installations on Windows XP, Windows Vista and Windows 7 due to the default file system ACLs, a non-administrative local attacker can launch the attack against virtual machines where VMware Tools were installed on non-default locations, e.g., on a non-system drive. Additionally, the attack is always possible on pre- Windows XP systems such as Windows 2000.

Patch Availability:
VMware has issued a security bulletin and published remediated versions of VMware Workstation, Player, ACE, Server and Fusion, and patches for ESX and ESXi that fix this issue.

http://www.vmware.com/security/advisories/VMSA-2010-0007.html

Warning: It is not enough to install the new version or the patch; it is also necessary to upgrade VMware Tools in each affected virtual machine. On VMware Workstation, Player, ACE, Server and Fusion, the user will be automatically prompted to upgrade, while there will be no such prompt on ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of the virtual machine.

Workaround:
The attacker must be able to log on to the machine, or exploit another vulnerability on the machine to place the malicious executable on a local drive. Note that Windows Terminal Server allows multiple users to log on locally from remote and effectively act as local users. Additionally, the default configuration of Windows domain machines allows any domain user to log on locally to any domain computer (except the domain controller), which can be especially attacker-friendly in conjunction with remotely- accessible desktops via VMware View.

VMware Tools installations on Windows XP, Windows Vista and Windows 7 are unaffected as long as they’re installed on the default location on system drive (usually C:Program FilesVMware) and the default file system ACLs haven’t been modified.

Disclosure Timeline:
April 12, 2010: Initial release’

Categories: Windows