w00w00 Security Advisory - Linux VMware 1.1.2 Symlink Vulnerability. VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack.
da520fa5a7804353f424ed408de54dc3b46708d2f49b82447d0645507cc3049e
<HTML>
<HEAD><TITLE>VMware 1.1.2 Symlink Vulnerability</TITLE></HEAD>
<BODY>
<PRE>
w00w00 Security Advisory - <A HREF="http://www.w00w00.org">http://www.w00w00.org</A>
Title: VMware 1.1.2 Symlink Vulnerability
Platforms: Linux Distributions with VMware 1.1.2 (build 364)
Discovered: 17th January, 2000
Local: Yes.
Remote: No.
Author: harikiri (<A HREF="mailto:harikiri@attrition.org">harikiri@attrition.org</A>)
Vendor Status: Notified.
Last Updated: N/A
1. Overview
VMware stores temporary log files within the /tmp directory. It does
not check whether all of these files exist prior to creation, resulting
in the potential for a symlink attack.
2. Background
VMware is a commercial application that enables the operation of "guest"
operating systems within the host system. This is performed via the use of
Virtual Machine technology.
Due to the low-level requirements of VMware, it is necessary to run the
program at a high privilege level, typically root.
3. Issue
VMware creates the file "/tmp/vmware-log" on startup. The existance and
owner of the file is not checked prior to writing startup information to
the file.
NOTE: VMware uses other files in the /tmp directory. The one cited above
is only a single example.
4. Impact
Local users may create a symlink from an arbitrary file to /tmp/vmware-log.
When VMware is executed, the file pointed to by the symlink will be overwritten.
This may be used as a local denial of service attack. There may also be a
method to gain elevated privileges via the symlink attack, though none is
known at this time.
5. Recommendation
Wait for a fix from the vendor. A temporary work is to set $TMPDIR to
something sane, or create the symlink yourself and have it point to
/dev/null, so that no one else can have it point to something bad.
6. References
- VMware Inc: <A HREF="http://www.vmware.com">http://www.vmware.com</A>
- w00w00 Security Development: <A HREF="http://www.vmware.com">http://www.w00w00.org</A>
</PRE>
<HR><BR>
<CENTER>
<A HREF="http://www.w00w00.org/w00giving.html">Back to w00giving '99</A><BR>
<A HREF="http://www.w00w00.org">Back to w00w00 webpage</A>
</CENTER>
</BODY>
</HTML>