2010/12/02
tags: linux vmware vmware-mount vulnerability CVE-2010-4296
A flaw in the shared-library loading mechanism of the setuid-root
vmware-mount utility lets a local attacker gain root privileges.
Affects VMware Workstation 6.5 and 7 and VMware Fusion 2.0 and 3.0.
vmware-mount is a setuid-root utility shipped with a number of VMware
products. It reads a per-user configuration file, ~/.vmware, in which
a libdir parameter sets the directory from which shared objects are
loaded (dlopen()ed). In particular, vmware-mount tries to load the
OpenSSL libraries (libssl.so, libcrypto.so), searching the libdir
directory first, and then calls functions exported by them (e.g.
SSL_library_init()). At that point privileges have not been completely
dropped (the saved UID is still zero), so code in a library loaded
from the user's libdir runs in a process that can simply restore its
effective UID to 0. It is therefore trivial to build spoof shared
objects that export the same function symbols as the legitimate
libraries, and running vmware-mount with any two (even invalid)
arguments is enough to trigger the load and gain root.
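The two conditions that make this bug exploitable are a privilege drop that leaves the saved UID at 0 and a library search path taken from a user-writable directory. The following C sketch is an added example written for this page, not vmware-mount's code or anything from VMware; it shows the weak drop (seteuid() only) beside the full drop (setresuid() on all three UIDs, verified with getresuid()), a directory check a privileged loader should apply to a libdir before dlopen()ing from it, and a combined decision function. The function names and the rule "root-owned and not group/world-writable" are this example's own choices; the program assumes Linux/glibc (setresuid/getresuid need _GNU_SOURCE).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when the process can still become root: with any of the three UIDs
 * at 0, setuid(0)/seteuid(0) succeeds. This is the state the advisory
 * describes (saved UID 0) when vmware-mount dlopen()s from libdir, so any
 * constructor or exported function in a spoofed library runs in a process
 * that can trivially re-elevate. (Helper name is this example's own.) */
int can_regain_root(uid_t ruid, uid_t euid, uid_t suid)
{
    return ruid == 0 || euid == 0 || suid == 0;
}

/* The weak drop: seteuid() only changes the effective UID. Real and saved
 * UIDs keep their values, so a saved UID of 0 survives the call. */
int drop_privileges_partial(uid_t user)
{
    return seteuid(user);
}

/* The proper drop: set real, effective and saved UID, then read them back
 * and refuse to continue if any of them is still 0. Returns 0 on success. */
int drop_privileges_full(uid_t user)
{
    uid_t r, e, s;
    if (setresuid(user, user, user) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return can_regain_root(r, e, s) ? -1 : 0;
}

/* Directory policy for a privileged loader (assumed rule, not VMware's):
 * the directory must exist, be owned by root and not be writable by group
 * or others. A user's home directory or /tmp fails this; a value coming
 * from ~/.vmware's libdir would therefore be rejected. */
int safe_to_load_from(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Decide whether dlopen() of <dir>/libssl.so may proceed given the current
 * UID triple: loading from an untrusted directory is only acceptable once
 * root can no longer be regained. Returns 1 = allowed, 0 = refuse. */
int may_dlopen_from(const char *dir, uid_t ruid, uid_t euid, uid_t suid)
{
    if (can_regain_root(ruid, euid, suid) && !safe_to_load_from(dir))
        return 0;
    return 1;
}

int main(void)
{
    uid_t r, e, s;
    /* Constructed input: a libdir pointing into the invoking user's home. */
    const char *user_libdir = "/tmp";

    getresuid(&r, &e, &s);
    printf("before drop: ruid=%u euid=%u suid=%u regain_root=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, can_regain_root(r, e, s));
    printf("dlopen from %s allowed now? %d\n", user_libdir,
           may_dlopen_from(user_libdir, r, e, s));

    /* When run setuid-root, seteuid() alone leaves suid at 0. */
    drop_privileges_partial(getuid());
    getresuid(&r, &e, &s);
    printf("after seteuid: ruid=%u euid=%u suid=%u regain_root=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, can_regain_root(r, e, s));

    if (drop_privileges_full(getuid()) != 0)
        printf("full drop failed or root still reachable\n");
    getresuid(&r, &e, &s);
    printf("after setresuid: ruid=%u euid=%u suid=%u regain_root=%d\n",
           (unsigned)r, (unsigned)e, (unsigned)s, can_regain_root(r, e, s));
    printf("dlopen from %s allowed now? %d\n", user_libdir,
           may_dlopen_from(user_libdir, r, e, s));
    return 0;
}
```

Run as an ordinary user the program is a no-op on the UIDs; installed setuid root (chown root; chmod u+s) the "after seteuid" line keeps suid=0 and may_dlopen_from() still refuses, while the "after setresuid" line shows all three UIDs equal to the invoking user. The order matters: the directory check is a defence in depth, but the decisive fix is dropping all three UIDs before any code path that loads user-influenced libraries.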