=====[BEGIN-ACROS-REPORT]===== PUBLIC ========================================================================= ACROS Security Problem Report #2010-04-12-2 ------------------------------------------------------------------------- ASPR #2010-04-12-2: Local Binary Planting in VMware Tools for Windows ========================================================================= Document ID: ASPR #2010-04-12-2-PUB Vendor: VMware, Inc. (http://www.vmware.com) Target: VMware Tools for Windows Impact: Local execution of arbitrary code on a virtual Windows machine Severity: High Status: Official patch available, workarounds available Discovered by: Mitja Kolsek of ACROS Security Current version http://www.acrossecurity.com/aspr/ASPR-2010-04-12-2-PUB.txt Summary ======= A "binary planting" vulnerability in VMware Tools for Windows allows a local non-administrative attacker, under certain circumstances, to execute a malicious executable on virtual Windows machines in the context of logged- on users. Product Coverage ================ - VMware Tools for Windows build 91707 - VMware Tools for Windows version 7.8.4 build 126130 Note: We only tested the above versions; other versions may also be affected. Analysis ======== There is a code execution vulnerability in VMware Tools for Windows that allows a local attacker (being able to log on locally to the virtual machine) to plant a malicious executable with a specific name on the local drive and wait for this executable to get launched when another user logs on to the virtual machine. While this scenario is usually blocked on default VMware Tools' installations on Windows XP, Windows Vista and Windows 7 due to the default file system ACLs, a non-administrative local attacker can launch the attack against virtual machines where VMware Tools were installed on non-default locations, e.g., on a non-system drive. Additionally, the attack is always possible on pre- Windows XP systems such as Windows 2000. Additional details are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation. Mitigating Factors ================== - The attacker must be able to log on to the machine, or exploit another vulnerability on the machine to place the malicious executable on a local drive. Note that Windows Terminal Server allows multiple users to log on locally from remote and effectively act as local users. Additionally, the default configuration of Windows domain machines allows any domain user to log on locally to any domain computer (except the domain controller), which can be especially attacker-friendly in conjunction with remotely- accessible desktops via VMware View. - VMware Tools installations on Windows XP, Windows Vista and Windows 7 are unaffected as long as (1) they're installed on the default location on system drive (usually C:\Program Files\VMware) and (2) the default file system ACLs haven't been modified. Solution ======== VMware has issued a security bulletin [1] and published remediated versions of VMware Workstation, Player, ACE, Server and Fusion, and patches for ESX and ESXi that fix this issue. Warning: It is not enough to install the new version or the patch; it is also necessary to upgrade VMware Tools in each affected virtual machine. On VMware Workstation, Player, ACE, Server and Fusion, the user will be automatically prompted to upgrade, while there will be no such prompt on ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of the virtual machine. Workaround ========== Workarounds are available to interested corporate and government customers under NDA, as public disclosure would reveal too many details on the vulnerability and unduly accelerate malicious exploitation. Related Services ================ ACROS is offering professional consulting on this issue to interested corporate and government customers. Typical questions we can help you answer are: 1) To what extent is your organization affected by this issue? 2) Have you adequately applied the remedies to remove the vulnerability? 3) Are there other workarounds that you could implement to fix this issue more efficiently and/or inexpensively? 4) Are your systems or applications vulnerable to other similar issues? Interested parties are encouraged to ask for more information at security@acrossecurity.com. References ========== [1] VMware Security Advisory VMSA-2010-0007 http://www.vmware.com/security/advisories/VMSA-2010-0007.html Acknowledgments =============== We would like to acknowledge VMware for professional handling of the identified vulnerability. Contact ======= ACROS d.o.o. Makedonska ulica 113 SI - 2000 Maribor e-mail: security@acrossecurity.com web: http://www.acrossecurity.com phone: +386 2 3000 280 fax: +386 2 3000 282 ACROS Security PGP Key http://www.acrossecurity.com/pgpkey.asc [Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD] ACROS Security Advisories http://www.acrossecurity.com/advisories.htm ACROS Security Papers http://www.acrossecurity.com/papers.htm ASPR Notification and Publishing Policy http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm Disclaimer ========== The content of this report is purely informational and meant only for the purpose of education and protection. ACROS d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk. Revision History ================ April 12, 2010: Initial release Copyright ========= (c) 2010 ACROS d.o.o. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-ACROS-REPORT]" and "[END-ACROS-REPORT]" marks remains unchanged. =====[END-ACROS-REPORT]=====