
VMware GSX Server Remote Buffer Overflow

by Nikola Strahija on July 25th, 2002

VMware GSX Server is a very popular virtualization product. Its remote console path has a buffer overflow vulnerability in the VMware Authorization Service: although the designers took measures to prevent buffer overflows when the software was designed, the vulnerability still allows users to gain privileges and execute arbitrary commands.


Analysis:

(Thanks to isno for giving me many documents about overflows)
VMware GSX Server communicates with VMware Remote Console via port 902, which
is opened by the VMware Authorization Service. The handshake that takes place
before data transfer looks like this:

220 VMware Authentication Daemon Version 1.00
USER anyuser
331 Password required for user.
PASS ******
230 User user logged in.
GLOBAL server
200 Connect Global

The length of the USER, PASS and GLOBAL commands is limited by the program.
When the string is too long, the server refuses the connection and returns an
error such as "599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()":
220 VMware Authentication Daemon Version 1.00
USER AAAA....(Ax500)
599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()

But the GLOBAL command can cause an overflow even when the string does not
exceed the limit, and that overflow crashes (abends) the VMware Authorization
Service. We can use a short shellcode to overwrite the return address and
execute our own code.

Suppose we can use the Guest account now.
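For defenders, the exchange above gives two signatures worth watching in captured port 902 traffic: unusually long USER/PASS/GLOBAL arguments and the "599 vmware-authd PANIC" reply. The following scanner is an added example, not code from the advisory or from VMware; the session transcript is constructed and the 128-byte alerting threshold is an assumption, since the advisory gives no exact limit.

```python
import re
from dataclasses import dataclass

# Constructed sample transcript of a VMware authd (TCP 902) session, in the
# same shape as the handshake quoted in the advisory.
SAMPLE_SESSION = """\
220 VMware Authentication Daemon Version 1.00
USER anyuser
331 Password required for user.
PASS ******
230 User user logged in.
GLOBAL {long}
599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()
""".format(long="A" * 500)

# Assumed alerting threshold: the advisory only says ~500 bytes triggers the
# PANIC, so 128 is a conservative choice for flagging, not a value from it.
MAX_ARG_LEN = 128
MONITORED = {"USER", "PASS", "GLOBAL"}


@dataclass
class Finding:
    line_no: int
    kind: str      # "long_argument" or "server_panic"
    detail: str


def scan_authd_session(text: str, max_arg_len: int = MAX_ARG_LEN) -> list:
    """Return findings for over-long client commands and server PANIC replies."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        line = line.rstrip("\r")
        # Server replies start with a three-digit code; 599 is the PANIC path.
        m = re.match(r"^(\d{3})\b", line)
        if m:
            if m.group(1) == "599":
                findings.append(Finding(n, "server_panic", line))
            continue
        # Anything else is a client command of the form "VERB [argument]".
        parts = line.split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""
        if verb in MONITORED and len(arg) > max_arg_len:
            findings.append(Finding(n, "long_argument", f"{verb} arg len={len(arg)}"))
    return findings


if __name__ == "__main__":
    for f in scan_authd_session(SAMPLE_SESSION):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

On the sample session this reports the 500-byte GLOBAL argument on line 6 and the PANIC reply on line 7; a clean handshake produces no findings.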

