
VMware symlink problems

by phiber on April 19th, 2001

There is a symlink vulnerability in the vmware-mount.pl script which comes with the latest VMware. For a description and exploit download, click here.




Details:



While mounting virtual disk drives using the vmware-mount.pl script, a temporary file named vmware-mount.pl.PID, where PID is the current pid of the command, will be created in an insecure manner. This allows an attacker to overwrite any local file if root mounts a VMware virtual partition (mounting is usually done as root).



Example:



[email protected]:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
[email protected]:/tmp > ./mpl.sh

VMware local /etc/passwd DoS
By Ihq.

linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl

After running vmware-mount.pl:

[email protected]:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)

Obviously the passwd file has been overwritten:

[email protected]:/tmp > cat /etc/passwd

Nr Start Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
1 63 2096577 BIOS C Win95 FAT32 (LBA)





Impact:



Local file corruption.

-------------------

Credit goes to Paul Starzetz. He posted this vulnerability on a bt mailing list.
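
The insecure temporary-file pattern described above, shown next to two hardened forms, as an added example that is not from the original post or from VMware's script. It is a Python model of the behaviour (the real script is Perl); the function names, sandbox paths, PID and file contents are constructed for illustration.

```python
import os
import tempfile
NAME = "vmware-mount.pl.{pid}"  # temp-file naming scheme described in the advisory

def insecure_write(tmpdir, pid, data):
    """Vulnerable pattern: predictable name, and open() follows a planted symlink."""
    path = os.path.join(tmpdir, NAME.format(pid=pid))
    with open(path, "w") as fh:
        fh.write(data)

def exclusive_write(tmpdir, pid, data):
    """Same name, but O_CREAT|O_EXCL fails if anything, even a symlink, exists."""
    path = os.path.join(tmpdir, NAME.format(pid=pid))
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)

def mkstemp_write(tmpdir, data):
    """Preferred fix: unpredictable name, created exclusively with mode 0600."""
    fd, path = tempfile.mkstemp(prefix="vmware-mount.pl.", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path

def demo():
    """Exercise all three writers in a throwaway sandbox; return what happened."""
    original = "root:x:0:0:root:/root:/bin/sh\n"   # constructed sample content
    output = "Nr Start Size Type Id\n"              # constructed tool output
    pid = 4242                                      # constructed, guessable PID
    result = {}
    with tempfile.TemporaryDirectory() as sandbox:
        protected = os.path.join(sandbox, "protected.txt")  # stand-in for a root-owned file
        shared = os.path.join(sandbox, "shared-tmp")        # stand-in for /tmp
        os.mkdir(shared)
        with open(protected, "w") as fh:
            fh.write(original)
        os.symlink(protected, os.path.join(shared, NAME.format(pid=pid)))
        try:
            exclusive_write(shared, pid, output)
            result["exclusive"] = "written"
        except FileExistsError:
            result["exclusive"] = "refused"
        result["mkstemp_is_symlink"] = os.path.islink(mkstemp_write(shared, output))
        with open(protected) as fh:
            result["intact_after_fixes"] = fh.read() == original
        insecure_write(shared, pid, output)
        with open(protected) as fh:
            result["clobbered_by_insecure"] = fh.read() == output
    return result
```

Calling `demo()` returns a dictionary recording that the exclusive open was refused, the `mkstemp` file is a regular file, and only the plain `open()` replaced the protected file's contents. On current Linux kernels the `fs.protected_symlinks` sysctl also restricts following another user's symlink in sticky world-writable directories such as /tmp, but exclusive creation remains the fix in the script itself.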

