CVE-2008-0923 - Path Traversal vulnerability in VMWare products

CVSS 6.9 - MEDIUM
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, vmware, CWE-22, nessus

Summary

Directory traversal vulnerability in the Shared Folders feature for VMWare ACE 1.0.2 and 2.0.2, Player 1.0.4 and 2.0.2, and Workstation 5.5.4 and 6.0.2 allows guest OS users to read and write arbitrary files on the host OS via a multibyte string that produces a wide character string containing .. (dot dot) sequences, which bypasses the protection mechanism, as demonstrated using a "%c0%2e%c0%2e" string.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path that uses dot and slash characters in order to reach arbitrary files or resources. The attacker modifies a known path on the target to reach material that is not available through intended channels. These attacks normally involve adding path separators (/ or \) and/or dots (.), or encodings of them, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, uses various file path specification or navigation mechanisms, such as ".." in path strings and absolute paths, to extend their range of access to inappropriate areas of the file system. The attacker attempts either to explore the file system for reconnaissance or to access directories and files that are intended to be restricted from them. Exploring the file system can be achieved by constructing paths presented to directory listing programs, such as "ls" and "dir", or through specially crafted programs that attempt to explore the file system. An attacker engaging in this type of activity is searching for information that can be used later in a more exploitative attack. Access to restricted directories or files can be achieved by modifying path references used by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple ways of encoding a URL and abuse how the URL is interpreted. A URL may contain special characters that need special syntax handling in order to be interpreted. Special characters are represented using a percent character followed by two hex digits giving the octet code of the original character (%HEX-CODE). For instance, the US-ASCII space character is represented as %20. This is often referred to as escaped encoding or percent-encoding. Since the server decodes the URL from the request, it may restrict access to some URL paths by validating and filtering the URL requests it receives. An attacker will try to craft a URL with a sequence of special characters which, once interpreted by the server, is equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other forms of encoding such as UTF-8 encoding, Unicode encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.

Nessus

NASL family: Windows
NASL id: VMWARE_MULTIPLE_VMSA_2008_0005.NASL
description: VMware products installed on the remote host are affected by multiple vulnerabilities : - The
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 31729
published: 2008-04-02
reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/31729
title: VMware Products Multiple Vulnerabilities (VMSA-2008-0005)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(31729);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:29");

  script_cve_id(
    "CVE-2006-2937",
    "CVE-2006-2940",
    "CVE-2006-4339",
    "CVE-2006-4343",
    "CVE-2007-5269",
    "CVE-2007-5618",
    "CVE-2008-0923",
    "CVE-2008-1340",
    "CVE-2008-1361",
    "CVE-2008-1362",
    "CVE-2008-1363",
    "CVE-2008-1364",
    "CVE-2008-1392"
  );
  script_bugtraq_id(28276,28289);
  script_xref(name:"VMSA", value:"2008-0005");

  script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2008-0005)");
  script_summary(english:"Checks vulnerable versions of multiple VMware products");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host has an application that is affected by
multiple issues.");
  script_set_attribute(attribute:"description", value:
"VMware products installed on the remote host are affected by multiple
vulnerabilities :

  - The 'authd' process is affected by a privilege
    escalation vulnerability that could allow an attacker to
    execute arbitrary code with system level privileges or
    cause a denial of service condition.

  - A feature in VMware workstation version 6.0.2 could
    allow anonymous console access to guest host via VIX
    API, which could result in unauthorized access. This
    feature has been disabled in version 6.0.3.

  - Windows based VMware hosts are affected by a privilege
    escalation vulnerability. By manipulating 'config.ini'
    an attacker may be able to gain elevated privileges by
    hijacking the VMware VMX process.

  - Multiple VMware products are affected by a directory
    traversal vulnerability. If a Windows based VMware host
    is configured to allow shared access from a guest host
    to a folder on the Host system (HGFS), it may be
    possible to gain access to the Host file system from guest OS and
    create/modify arbitrary executable files. VMware Server
    is not affected by this vulnerability.

  - Multiple VMware products hosted on a Windows 2000 host
    are affected by a privilege escalation vulnerability.

  - Multiple VMware products are vulnerable to a potential
    denial of service attack.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2008-0005.html");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/server/doc/releasenotes_server.html" );
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/ws6/doc/releasenotes_ws6.html#603" );
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/ws55/doc/releasenotes_ws55.html" );
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/player/doc/releasenotes_player.html" );
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/player2/doc/releasenotes_player2.html" );
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/support/ace2/doc/releasenotes_ace2.html" );
  script_set_attribute(attribute:"solution", value:
"Upgrade to :

  - VMware Workstation 6.0.3/5.5.6 or higher.
  - VMware Server 1.0.5 or higher.
  - VMware Player 2.0.3/1.0.6 or higher.
  - VMware ACE 2.0.3/1.0.5 or higher.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_cwe_id(16, 20, 22, 264, 310, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/02");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:ace");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:player");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_server");
  script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_workstation");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  script_dependencies("vmware_workstation_detect.nasl","vmware_server_win_detect.nasl", "vmware_player_detect.nasl","vmware_ace_detect.nasl");
  script_require_ports("VMware/Server/Version", "VMware/ACE/Version", "VMware/Player/Version", "VMware/Workstation/Version", 139, 445);

  exit(0);
}

include("global_settings.inc");
include("smb_func.inc");

port = kb_smb_transport();

# Check for VMware Workstation

version = get_kb_item("VMware/Workstation/Version");
if (version)
{
  v = split(version, sep:".", keep:FALSE);

  # Vulnerable: anything below 5.5.6, or 6.0.x below 6.0.3
  if (( int(v[0]) < 5 ) ||
      ( int(v[0]) == 5 && int(v[1]) < 5 ) ||
      ( int(v[0]) == 5 && int(v[1]) == 5 && int(v[2]) < 6 ) ||
      ( int(v[0]) == 6 && int(v[1]) == 0 && int(v[2]) < 3 ))
  {
    if (report_verbosity)
    {
      report = string(
        "\n",
        "Version ", version, " of VMware Workstation is installed on the remote host.",
        "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
}

# Check for VMware Server

version = get_kb_item("VMware/Server/Version");
if (version)
{
  v = split(version, sep:".", keep:FALSE);

  # Vulnerable: anything below 1.0.5
  if (( int(v[0]) < 1 ) ||
      ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 5 ))
  {
    if (report_verbosity)
    {
      report = string(
        "\n",
        "Version ", version, " of VMware Server is installed on the remote host.",
        "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
}

# Check for VMware Player

version = get_kb_item("VMware/Player/Version");
if (version)
{
  v = split(version, sep:".", keep:FALSE);

  # Vulnerable: anything below 1.0.6, or 2.0.x below 2.0.3
  if (( int(v[0]) < 1 ) ||
      ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 6 ) ||
      ( int(v[0]) == 2 && int(v[1]) == 0 && int(v[2]) < 3 ))
  {
    if (report_verbosity)
    {
      report = string(
        "\n",
        "Version ", version, " of VMware Player is installed on the remote host.",
        "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
}

# Check for VMware ACE.
version = get_kb_item("VMware/ACE/Version");
if (version)
{
  v = split(version, sep:".", keep:FALSE);

  # Vulnerable: anything below 1.0.5, or 2.0.x below 2.0.3
  if (( int(v[0]) < 1 ) ||
      ( int(v[0]) == 1 && int(v[1]) == 0 && int(v[2]) < 5 ) ||
      ( int(v[0]) == 2 && int(v[1]) == 0 && int(v[2]) < 3 ))
  {
    if (report_verbosity)
    {
      report = string(
        "\n",
        "Version ", version, " of VMware ACE is installed on the remote host.",
        "\n"
      );
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
  }
}

Packetstorm

data source: https://packetstormsecurity.com/files/download/64009/CORE-2007-0930.txt
id: PACKETSTORM:64009
last seen: 2016-12-05
published: 2008-02-25
reporter: Core Security Technologies
source: https://packetstormsecurity.com/files/64009/Core-Security-Technologies-Advisory-2007.0930.html
title: Core Security Technologies Advisory 2007.0930

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 27944
CVE(CAN) ID: CVE-2008-0923

VMware is virtual PC software that allows two or more Windows, DOS or Linux systems to run simultaneously on a single machine.

The implementation of VMware's Shared Folders mechanism contains a directory traversal vulnerability; a program running on the guest system can exploit it to access files on the host system.

VMware's Shared Folders let users transfer data between the guest and host systems. This mechanism allows users of the guest system to read and write arbitrary parts of the host file system, including system folders and other sensitive files.

The vulnerability is caused by the way the VMware API that provides Shared Folders functionality to the guest system handles the PathName parameter. After confirming that the PathName parameter does not contain the byte string 0x2e 0x2e (the ASCII substring ".."), it converts the parameter from a multibyte string to a wide character string and passes the resulting wide character string to the file system API on the host. The conversion is performed with the Windows API function MultiByteToWideChar. Because the check for ".." is performed before the input string is converted, a PathName supplied by a malicious program or user on the guest system can pass validation and yet, after MultiByteToWideChar is called, still map to a string containing the Unicode UTF-16 form of "..".

Affected:
VMware Workstation 6.0.2
VMware Workstation 5.5.4
VMware ACE 2.0.2
VMware ACE 1.0.2
VMware Player 2.0.2
VMware Player 1.0.4

Workaround: If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Disable Shared Folders in the global settings: from the VMware product menu choose Edit > Preferences; on the Workspace tab, under Virtual Machines, clear the Enable checkbox.
* To disable Shared Folders for an individual virtual machine: from the VMware product menu choose VM > Settings; on the Options tab, select Shared Folders and then select Disable.

Vendor patch: VMware
The vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version: http://www.vmware.com
id: SSV:2951
last seen: 2017-11-19
modified: 2008-02-27
published: 2008-02-27
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-2951
title: VMware Products Shared Folders MultiByteToWideChar() Variable Directory Traversal Vulnerability
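The check-then-convert ordering that the summary and the Seebug description above attribute to the Shared Folders PathName handling, as an added Python example that is not part of any source quoted on this page: a byte-level test for ".." runs before the multibyte-to-wide conversion, so input with no adjacent 0x2e bytes passes the test and still converts to "..". The lenient decoder is a toy model (assumption: it drops a 0xC0 lead byte that lacks a continuation byte; the page does not describe the real converter's behaviour), the share root and file names are constructed, and the hardened version shows the defensive ordering: convert strictly first, canonicalise, then confine the result to the share root.

```python
import posixpath
from typing import Optional

SHARE_ROOT = "/share"  # constructed host-side share root (POSIX form for portability)


def lenient_decode(data: bytes) -> str:
    """Toy model of a permissive multibyte-to-wide converter (assumption,
    not the real Windows routine): a 0xC0 lead byte that is not followed
    by a continuation byte is silently dropped; other bytes map 1:1."""
    out, i = [], 0
    while i < len(data):
        if data[i] == 0xC0 and i + 1 < len(data) and data[i + 1] & 0xC0 != 0x80:
            i += 1  # stray lead byte discarded; the following byte survives
            continue
        out.append(chr(data[i]))
        i += 1
    return "".join(out)


def vulnerable_target(path_bytes: bytes) -> Optional[str]:
    """Validate-then-convert, the ordering the advisory describes: the
    '..' test sees raw bytes, but the converted string is what gets opened."""
    if b".." in path_bytes:
        return None
    return SHARE_ROOT + "/" + lenient_decode(path_bytes).lstrip("/")


def confine(text: str) -> Optional[str]:
    """Canonicalise and require the result to stay under SHARE_ROOT."""
    full = posixpath.normpath(posixpath.join(SHARE_ROOT, text.lstrip("/")))
    if full != SHARE_ROOT and not full.startswith(SHARE_ROOT + "/"):
        return None
    return full


def hardened_target(path_bytes: bytes) -> Optional[str]:
    """Convert-then-validate: strict decoding rejects ill-formed input,
    and the containment check runs on the canonical converted path."""
    try:
        text = path_bytes.decode("utf-8")  # strict by default
    except UnicodeDecodeError:
        return None
    return confine(text)


if __name__ == "__main__":
    probe = b"\xc0\x2e\xc0\x2e/secret.txt"  # constructed; no adjacent 0x2e bytes
    print("vulnerable opens:", vulnerable_target(probe))
    print("hardened opens:  ", hardened_target(probe))
```

Even with a lenient converter in place, running `confine` on the converted string would still reject the escaped path, which is why the containment check belongs after conversion rather than before it.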