VMware Tools Update OS Command Injection

2010-12-09 00:00:00
N. Grisolia
packetstormsecurity.com

VMware Tools update OS Command Injection  
========================================  
  
1. Advisory Information  
Advisory ID: BONSAI-2010-0110  
Date published: Thu Dec 9, 2010  
Vendors contacted: VMware  
Release mode: Coordinated release  
  
2. Vulnerability Information  
Class: Injection  
Remotely Exploitable: Yes  
Locally Exploitable: Yes  
CVE Name: CVE-2010-4297  
  
3. Software Description  
VMware Tools is a suite of utilities that enhances the performance of  
the virtual machine's guest operating system and improves management of  
the virtual machine. Without VMware Tools installed in the guest  
operating system, the guest lacks important functionality and performance.  
Installing VMware Tools eliminates or improves the following issues:  
  
* low video resolution  
* inadequate color depth  
* incorrect display of network speed  
* restricted movement of the mouse  
* inability to copy and paste and drag-and-drop files  
* missing sound  
  
VMware Tools includes these components:  
  
* VMware Tools service  
* VMware device drivers  
* VMware user process  
* VMware Tools control panel  
  
VMware Tools is provided in the following formats:  
  
* ISOs (contain .tar and .rpm files) – packaged with the product and  
are installed in a number of ways, depending upon the VMware product and  
the guest operating system installed in the virtual machine. VMware  
Tools provides a different ISO file for each type of supported guest  
operating system: Windows, Linux, NetWare, Solaris, and FreeBSD.  
* Operating System Specific Packages (OSPs) – downloaded and  
installed from the command line. VMware Tools is available as separate  
downloadable, lightweight packages that are specific to each supported  
Linux operating system and VMware product. OSPs are an alternative to  
the existing mechanism for installing VMware Tools and only support  
Linux systems running on ESX.  
  
4. Vulnerability Description  
Injection flaws, such as SQL, OS, and LDAP injection, occur when  
untrusted data is sent to an interpreter as part of a command or query.  
The attacker’s hostile data can trick the interpreter into executing  
unintended commands or accessing unauthorized data.  
  
5. Vulnerable packages  
Column 4 of the following table lists the action required to remediate  
the vulnerability in each release, if a solution is available:  
VMware Product   Product Version   Running On   Replace with / Apply Patch  
VirtualCenter    any               Windows      not affected  
Workstation      7.X               any          7.1.2 Build 301548 or later  
Workstation      6.5.X             any          6.5.5 Build 328052 or later  
Player           3.1.X             any          3.1.2 Build 301548 or later  
Player           2.5.X             any          2.5.5 Build 328052 or later  
AMS              any               any          not affected  
Server           2.0.2             any          affected, no patch planned  
Fusion           3.1.X             Mac OSX      3.1.2 Build 332101  
Fusion           2.X               Mac OSX      2.0.8 Build 328035  
ESXi             4.1               ESXi         ESXi410-201010402-BG  
ESXi             4.0               ESXi         ESXi400-201009402-BG  
ESXi             3.5               ESXi         ESXe350-201008402-T-BG **  
ESX              4.1               ESX          ESX410-201010405-BG  
ESX              4.0               ESX          ESX400-201009401-SG  
ESX              3.5               ESX          ESX350-201008409-BG **  
ESX              3.0.3             ESX          not affected  
  
* hosted products are VMware Workstation, Player, ACE, Fusion.  
** Non-Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:  
- Install the relevant ESX patch.  
- Manually upgrade VMware Tools in the virtual machine (virtual machine  
users will not be prompted to upgrade). Note that the VI Client may  
not show that VMware Tools is out of date in the Summary tab.  
The full VMware advisory can be found at:  
http://www.vmware.com/security/advisories/VMSA-2010-0018.html  
  
6. Non-vulnerable packages  
See above table.  
  
7. Credits  
This vulnerability was discovered by Nahuel Grisolia ( nahuel -at-  
bonsai-sec.com ).  
  
8. Technical Description  
8.1. OS Command Injection – PoC Example  
CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)  
VMware Server Infrastructure Web Access is prone to a remote command  
execution vulnerability because the software fails to adequately  
sanitize user-supplied input.  
When updating VMware Tools on a guest virtual machine, a command  
injection attack can be executed if specially crafted parameters are sent.  
Successful attacks can compromise the affected guest virtual machine  
with root privileges.  
The following proof of concept is given. It was exploited in a GNU/Linux  
guest with VMware Tools installed but not fully updated:  
POST /ui/sb HTTP/1.1  
[…]  
Cookie: JSESSIONID=F78CCA7DD3CF4E2E82587B236660C9ED; user_name=vmuser;  
l=http%3A%2F%2Flocalhost%3A80%2Fsdk  
[…]  
[{i:"378",exec:"/cmd/vm",args:["UpgradeTools_Task",{_i:"VirtualMachine|960"},";  
INJECTED COMMAND HERE ;"]}]  
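As an added example (not Bonsai's or VMware's code), a server-side allowlist check for the UpgradeTools_Task arguments shown in the PoC, plus a shell-style tokenizer that makes visible why a concatenated argument containing `;` becomes a second command. The args layout follows the PoC; the option syntax, the `vmtools-upgrade` command string and the error messages are assumptions.

```python
"""Allowlist validation for an UpgradeTools_Task call (CVE-2010-4297 class).

Added example, not Bonsai's or VMware's code. The args layout
["UpgradeTools_Task", {"_i": "VirtualMachine|960"}, "<free text>"]
follows the advisory's PoC; validation rules and the sample command
line below are assumptions."""
import re
import shlex

VM_REF = re.compile(r"^VirtualMachine\|\d+$")   # as in the PoC: "VirtualMachine|960"
SAFE_OPTION = re.compile(r"^[A-Za-z0-9_.=-]*$")  # assumed syntax of an installer option
SEPARATORS = {";", "&", "&&", "|", "||"}


def validate_upgrade_args(args):
    """Return (True, "") when args may be passed on, else (False, reason)."""
    if not args or args[0] != "UpgradeTools_Task":
        return False, "not an UpgradeTools_Task call"
    if len(args) < 2 or not isinstance(args[1], dict):
        return False, "missing VM reference"
    if not VM_REF.match(str(args[1].get("_i", ""))):
        return False, "malformed VM reference"
    for extra in args[2:]:
        # Allowlist, not a blocklist: anything outside the option syntax is refused.
        if not isinstance(extra, str) or not SAFE_OPTION.match(extra):
            return False, "disallowed characters in option %r" % (extra,)
    return True, ""


def shell_commands(cmdline):
    """Tokenize cmdline the way a POSIX shell would and return one argv
    list per command, so the caller can see how many commands would run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    poc_args = ["UpgradeTools_Task", {"_i": "VirtualMachine|960"},
                "; INJECTED COMMAND HERE ;"]
    print(validate_upgrade_args(poc_args))
    # Assumed shape of a command built by string concatenation: two commands result.
    print(shell_commands("vmtools-upgrade 960 " + poc_args[2]))
```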
  
  
9. Report Timeline  
* 2010-04-24 / Vulnerabilities were identified  
* 2010-04-29 – 2010-12-02 / Multiple contacts with vendor  
* 2010-12-09 / Vulnerability is disclosed – PoC attached  
  
10. About Bonsai  
Bonsai is a company providing professional computer and information  
security services. Founded in early 2009 in Buenos Aires, Argentina, and  
currently a growing company, we are fully committed to quality service  
and focused on our customers’ real needs.  
  
11. Disclaimer  
The contents of this advisory are copyright (c) 2010 Bonsai Information  
Security, and may be distributed freely provided that no fee is charged  
for this distribution and proper credit is given.  
  
12. Research  
http://www.bonsai-sec.com/en/research/vulnerability.php  
http://www.bonsai-sec.com/en/research/vulnerabilities/vmware-tools-os-command-injection-0110.php  
  