w00w00 Security Advisory - http://www.w00w00.org

Title: 		VMware 1.1.2 Symlink Vulnerability
Platforms: 	Linux Distributions with VMware 1.1.2 (build 364)
Discovered:	17th January, 2000
Local:		Yes.
Remote:		No.
Author:		harikiri (harikiri@attrition.org)
Vendor Status:	Notified.
Last Updated:	N/A

1. Overview

VMware stores temporary log files within the /tmp directory. It does
not check whether all of these files exist prior to creation, resulting
in the potential for a symlink attack.


2. Background

VMware is a commercial application that enables the operation of "guest"
operating systems within the host system. This is performed via the use of
Virtual Machine technology.

Due to the low-level requirements of VMware, it is necessary to run the
program at a high privilege level, typically root.


3. Issue

VMware creates the file "/tmp/vmware-log" on startup. The existance and
owner of the file is not checked prior to writing startup information to
the file.

NOTE: VMware uses other files in the /tmp directory. The one cited above
is only a single example.


4. Impact

Local users may create a symlink from an arbitrary file to /tmp/vmware-log.
When VMware is executed, the file pointed to by the symlink will be overwritten.

This may be used as a local denial of service attack. There may also be a
method to gain elevated privileges via the symlink attack, though none is
known at this time.


5. Recommendation

Wait for a fix from the vendor.  A temporary work is to set $TMPDIR to
something sane, or create the symlink yourself and have it point to
/dev/null, so that no one else can have it point to something bad.

6. References

- VMware Inc: http://www.vmware.com
- w00w00 Security Development: http://www.w00w00.org