[13560] in bugtraq
Re: VMware 1.1.2 Symlink Vulnerability
daemon@ATHENA.MIT.EDU (Oinos)
Tue Jan 25 15:24:49 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <NDBBLNJFELLLLDNDHMPMOELICFAA.oinos@kb0rve.org>
Date: Tue, 25 Jan 2000 00:23:12 -0600
Reply-To: Oinos <oinos@golem.kb0rve.org>
From: Oinos <oinos@golem.kb0rve.org>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSO.4.10.10001240842210.19617-100000@shaolin.fcbl.net>
The use of the /tmp directory is default in VMware, but configurable with
the tmpDirectory = <directory> setting in the .cfg file for the guest
operating system, or with the TMPDIR=<directory> setting in your shell
environment. This is documented on VMware's website.
-Oinos
-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of harikiri
Sent: Monday, January 24, 2000 8:49 AM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: VMware 1.1.2 Symlink Vulnerability
w00w00 Security Advisory - http://www.w00w00.org/
Title: VMware 1.1.2 Symlink Vulnerability
Platforms: Linux Distributions with VMware 1.1.2 (build 364)
Discovered: 17th January, 2000
Local: Yes.
Remote: No.
Author: harikiri <harikiri@attrition.org>
Vendor Status: Notified.
Last Updated: N/A
1. Overview
VMware stores temporary log files within the /tmp directory. It does
not check whether all of these files exist prior to creation, resulting
in the potential for a symlink attack.
2. Background
VMware is a commercial application that enables the operation of "guest"
operating systems within the host system. This is performed via the use of
Virtual Machine technology.
Due to the low-level requirements of VMware, it is necessary to run the
program at a high privilege level, typically root.
3. Issue
VMware creates the file "/tmp/vmware-log" on startup. The existance and
owner of the file is not checked prior to writing startup information to
the file.
NOTE: VMware uses other files in the /tmp directory. The one cited above
is only a single example.
4. Impact
Local users may create a symlink from an arbitrary file to /tmp/vmware-log.
When VMware is executed, the file pointed to by the symlink will be
overwritten.
This may be used as a local denial of service attack. There may also be a
method to gain elevated privileges via the symlink attack, though none is
known at this time.
5. Recommendation
Wait for a fix from the vendor.
6. References
- VMware Inc: http://www.vmware.com/
- w00w00 Security Development: http://www.w00w00.org/
EOF
