vmware.htm

vmware.htm: Posted Jan 27, 2000; Authored by Harikiri | Site w00w00.org; w00w00 Security Advisory - Linux VMware 1.1.2 Symlink Vulnerability. VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack.; tags | exploit; systems | linux; SHA-256 | da520fa5a7804353f424ed408de54dc3b46708d2f49b82447d0645507cc3049e; Download | Favorite | View

vmware.htm

<HTML>
<HEAD><TITLE>VMware 1.1.2 Symlink Vulnerability</TITLE></HEAD>
<BODY>
<PRE>
w00w00 Security Advisory - <A HREF="http://www.w00w00.org">http://www.w00w00.org</A>

Title:     VMware 1.1.2 Symlink Vulnerability
Platforms:   Linux Distributions with VMware 1.1.2 (build 364)
Discovered:  17th January, 2000
Local:    Yes.
Remote:    No.
Author:    harikiri (<A HREF="mailto:harikiri@attrition.org">harikiri@attrition.org</A>)
Vendor Status:  Notified.
Last Updated:  N/A

1. Overview

VMware stores temporary log files within the /tmp directory. It does
not check whether all of these files exist prior to creation, resulting
in the potential for a symlink attack.


2. Background

VMware is a commercial application that enables the operation of "guest"
operating systems within the host system. This is performed via the use of
Virtual Machine technology.

Due to the low-level requirements of VMware, it is necessary to run the
program at a high privilege level, typically root.


3. Issue

VMware creates the file "/tmp/vmware-log" on startup. The existance and
owner of the file is not checked prior to writing startup information to
the file.

NOTE: VMware uses other files in the /tmp directory. The one cited above
is only a single example.


4. Impact

Local users may create a symlink from an arbitrary file to /tmp/vmware-log.
When VMware is executed, the file pointed to by the symlink will be overwritten.

This may be used as a local denial of service attack. There may also be a
method to gain elevated privileges via the symlink attack, though none is
known at this time.


5. Recommendation

Wait for a fix from the vendor.  A temporary work is to set $TMPDIR to
something sane, or create the symlink yourself and have it point to
/dev/null, so that no one else can have it point to something bad.

6. References

- VMware Inc: <A HREF="http://www.vmware.com">http://www.vmware.com</A>
- w00w00 Security Development: <A HREF="http://www.vmware.com">http://www.w00w00.org</A>
</PRE>
<HR><BR>

<CENTER>
<A HREF="http://www.w00w00.org/w00giving.html">Back to w00giving '99</A><BR>
<A HREF="http://www.w00w00.org">Back to w00w00 webpage</A>
</CENTER>

</BODY>
</HTML>

Top Authors In Last 30 Days

Red Hat 240 files
indoushka 87 files
Ubuntu 85 files
Debian 22 files
LiquidWorm 21 files
Gentoo 8 files
Google Security Research 8 files
malvuln 5 files
Seth Jenkins 4 files
Emiliano Febbi 4 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,147)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,669)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,125)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,946)
UNIX (9,470)
UnixWare (188)
Windows (6,784)
Other

vmware.htm

vmware.htm

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

vmware.htm

Share This

vmware.htm

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems