Critical vulnerability in VMware’s desktop virtualization software
Core Security Technologies issued an advisory disclosing a vulnerability that could severely impact organizations relying on VMware’s desktop virtualization software. This discovery demonstrates that thousands of companies with virtualized systems could unknowingly be exposing critical information assets that they otherwise sought to protect. Core Security today also released an exploit for this vulnerability, enabling customers to validate that it exists, prove that it can be exploited, and safely assess the consequences of an actual network intrusion.
Engineers from CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting this vulnerability in VMware’s desktop software products. The vulnerability could allow an attacker to create or modify executable files on the host operating system.
Vulnerability Details
CoreLabs discovered that a malicious user or software running on a Guest system within VMware’s desktop software (VMware Player, Workstation and ACE) can break out of the isolated environment and gain full access to the Host computer system. The vulnerability was found while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007 (CVE-2007-1744, VMware Workstation Shared Folders Directory Traversal Vulnerability).
CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host’s file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware’s Shared Folders mechanism, which in turn passes it to the Host system’s file system.
Exploitation of path traversal vulnerabilities such as one found by CoreLabs, also commonly found in web server software and web applications, generally involve the specification of pathnames that include the “..” substring to escape out of folder access restriction. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources.
Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the vulnerability disclosed previously (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings.
The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing. Organizations seeking an immediate workaround to mitigate risk should disable shared folders in all installations of the vulnerable software. If the Shared Folders feature cannot be fully disabled, configuring it to allow read-only access to the Host folder may still provide limited mitigation. However, because other exploitation scenarios may still exist, CoreLabs recommends that end users update to non-vulnerable versions of VMware Workstation, Player and ACE.
VMware has acknowledged this security problem and stated that it will address the issue within the release schedule of the affected products.