[VIM] Incorrect Titling of VMSA-2007-0004 and Questions of Impact

Matthew Murphy mattmurphy at kc.rr.com
Mon May 7 23:31:21 UTC 2007 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

VMWare released VMSA-2007-0004 today:
http://seclists.org/fulldisclosure/2007/May/0098.html

The title, summary and synopsis all read "Multiple Denial-of-Service  
issues fixed".  However, the fifth issue, which snuck into it, is in  
point 3e:

      Shared Folders is a feature that enables users of guest operating
      systems to access a specified set of folders in the host's file
      system. A vulnerability was identified by Greg MacManus of  
iDefense
      Labs that could allow an attacker to write arbitrary content  
from a
      guest system to arbitrary locations on the host system. In  
order to
      exploit this vulnerability, the VMware system must have at least
      one folder shared. Although the Shared Folder feature is enabled
      by default, no folders are shared by default, which means this
      vulnerability is not exploitable by default.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2007-1744 to this issue.

      VMware Workstation 5.5.4 (Build# 44386)
      VMware Player 1.0.4 (Build# 44386)
      VMware Server 1.0.3 (Build# 44356)
      VMware ACE 1.0.3 (Build# 44385)

CVE-2007-1744 corresponds to this iDefense advisory:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=521

The issue is not a DoS in any way.  Rather, it allows an attacker  
with the ability to run code on a VM to write files to arbitrary  
folders on the host system, provided the host is sharing at least one  
folder with VM guests.

At least on Windows, this is exploitable for arbitrary code  
execution.  The ability of malicious code on a guest account to write  
files on the host is game over for the individual account using  
VMWare.  It's not clear from reading iDefense's advisory, or from  
reading 2007-0004, however, if VMWare's Shared Folders are  
implemented within the application or as part of one of VMWare's  
service processes.  In the latter case, arbitrary files can be  
written with LocalSystem privileges, making it game over for the  
entire host.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iQIVAwUBRj+2yXXzqEAiV8M/AQJ4LhAAqIkwtdP0VN7AnIdkqWlsy3zn+RFjs4bd
abLXqic8fKxdUTEodPH6Zku57D1KlvItIXDX2a9O57m5zthi1uxe5iTw/1w+epjy
lWF0afyMEQfF9823bxhhE51AOWbRF2TV31VSoKcmjCJSCMT9s65Kf68Z0FL9lS1a
2TlAVwBTsRv0lH7Qnjogk/9lFwqLxorI+AT0C2f/TyE4e4y90FakfQgUCjY58GvS
sPumO4U8IBjYDZZJQkuDL2vhIGgH6Oqrr3rxSgs65xrhGoRzT8q0cxwd8hFRjFK7
Rr3s7aHDcUei7a0Td7EU4sCsMpARd34sW16HCMPG195KkbqxASykXrsI+lmB+3eI
FGGA/ZoexmPZN0JmbS88MBX8zdaxJNSNQnAziWMG/z1Nmd5BqSmOz4cshCkbUUO7
Ter3b+iOq6P1FcjkwW4OHjVYkLJX3g0sJj/NDLZjO5VJb7kd/OIoESkBQm/6wK0w
XXGB8jmHtu+fIZcj2cCpmJgeGhfNeyqybGysCY3TRUWoL3B3dNJwX5/Ok799IT3C
pjX6FjHIcAYyU5nv/WZW6bbwY0mvyfJza6glEspDvnNN0ZUSJSJIflQK3ZdU9l+S
2wWWs44mWLZBrM0bmqQAlIFZlY3zdWFQvz7vVQ7tq0R22NcJ1wsFdtzLMkKPJS0e
ElrMm2IR/wM=
=aOWX
-----END PGP SIGNATURE-----

More information about the VIM mailing list