2012/05/05, updated 2012/12/15
vmware vmware-mount vulnerability


tags: linux vmware vmware-mount vulnerability CVE-2010-4296


An attack on the shared library loading mechanism of the setuid root vmware-mount utility enables a local attacker to gain root privileges. Affects VMware Workstation 6.5, 7 and VMware Fusion 2.0, 3.0.


vmware-mount is a setuid root utility shipped with a number of VMware products. It reads a user configuration file, ~/.vmware. In that file one can configure a libdir parameter naming the directory from which shared objects are loaded (dlopen()ed). In particular, vmware-mount tries to load the OpenSSL libraries, searching the libdir directory first, and then calls functions defined in these libraries (e.g. SSL_library_init()). Privileges have not been completely dropped at this point (the saved UID is zero), so it is trivial to generate spoof shared objects from the list of exported function symbols in the legitimate libraries. Running vmware-mount with any two (even invalid) arguments is then enough to gain root.
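The incomplete drop described above (saved UID still zero) can be ruled out by a permanent, verified privilege drop before any user-configured path such as libdir is used. The following is an added example, not code from VMware or from the original post; the function names `ids_fully_dropped` and `drop_privileges_permanently` are hypothetical, and Linux with glibc is assumed.

```c
#include <grp.h>
#include <sys/types.h>
#include <unistd.h>

/* glibc declares these only under _GNU_SOURCE; declared here so the
 * example builds with default compiler flags on Linux (assumption). */
int getresuid(uid_t *ruid, uid_t *euid, uid_t *suid);
int setresuid(uid_t ruid, uid_t euid, uid_t suid);
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Returns 1 only when real, effective AND saved UID all equal the target.
 * A saved UID of 0 (the state described above) means seteuid(0) still
 * succeeds, so any code loaded afterwards can become root again. */
int ids_fully_dropped(uid_t r, uid_t e, uid_t s, uid_t target)
{
    return r == target && e == target && s == target;
}

/* Permanently switch to uid/gid before touching user-controlled paths.
 * Returns 0 on success, -1 if any step fails (the caller must then exit). */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    uid_t r, e, s;

    if (getresuid(&r, &e, &s) != 0)
        return -1;
    /* If only the effective UID was lowered, regain root briefly:
     * changing the group list requires privilege. */
    if (e != 0 && s == 0 && seteuid(0) != 0)
        return -1;
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Groups first, then UIDs: after setresuid() the GIDs cannot change. */
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    /* Verify the resulting IDs instead of trusting return codes alone. */
    if (getresuid(&r, &e, &s) != 0 || !ids_fully_dropped(r, e, s, uid))
        return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1; /* root was still reachable */
    return 0;
}

int main(void)
{
    /* Demo: drop to the invoking user; exit status 0 means fully dropped. */
    return drop_privileges_permanently(getuid(), getgid()) == 0 ? 0 : 1;
}
```

A setuid program that must load plugins or libraries should call such a routine first, or refuse to honour user-supplied library directories at all while any of its UIDs is zero.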