Vulnerabilities > CVE-2008-3698 - Permissions, Privileges, and Access Controls vulnerability in VMWare products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Unspecified vulnerability in the OpenProcess function in VMware Workstation 5.5.x before 5.5.8 build 108000, VMware Workstation 6.0.x before 6.0.5 build 109488, VMware Player 1.x before 1.0.8 build 108000, VMware Player 2.x before 2.0.5 build 109488, VMware ACE 1.x before 1.0.7 build 108880, VMware ACE 2.x before 2.0.5 build 109488, and VMware Server before 1.0.7 build 108231 on Windows allows local host OS users to gain privileges on the host OS via unknown vectors.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
  • Blue Boxing
    This type of attack against older telephone switches and trunks has been around for decades. A tone is sent by an adversary to impersonate a supervisor signal which has the effect of rerouting or usurping command of the line. While the US infrastructure proper may not contain widespread vulnerabilities to this type of attack, many companies are connected globally through call centers and business process outsourcing. These international systems may be operated in countries which have not upgraded Telco infrastructure and so are vulnerable to Blue boxing. Blue boxing is a result of failure on the part of the system to enforce strong authorization for administrative functions. While the infrastructure is different than standard current applications like web applications, there are historical lessons to be learned to upgrade the access control for administrative functions.
  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.
  • Target Programs with Elevated Privileges
    This attack targets programs running with elevated privileges. The attacker would try to leverage a bug in the running program and get arbitrary code to execute with elevated privileges. For instance an attacker would look for programs that write to the system directories or registry keys (such as HKLM, which stores a number of critical Windows environment variables). These programs are typically running with elevated privileges and have usually not been designed with security in mind. Such programs are excellent exploit targets because they yield lots of power when they break. The malicious user try to execute its code at the same level as a privileged system call.

Nessus

  • NASL familyWindows
    NASL idVMWARE_MULTIPLE_VMSA_2008_0014.NASL
    descriptionA VMware product installed on the remote host is affected by multiple vulnerabilities : - ActiveX controls provided by VMware for IE could be exploited to cause a denial of service condition or execute arbitrary code on the remote system. (CVE-2007-5438, CVE-2008-3691-CVE-2008-3696, CVE-2008-3892) - Internet Server Application Programming Interface (ISAPI) extensions provided by VMware are affected by a remote denial of service vulnerability. (CVE-2008-3697) - Certain VMware products running as host systems are affected by a local privilege escalation vulnerability. Successful exploitation of this issue would allow users to execute arbitrary code on the system. (CVE-2008-3698) - A flaw in VMware
    last seen2020-06-01
    modified2020-06-02
    plugin id34156
    published2008-09-10
    reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/34156
    titleVMware Products Multiple Vulnerabilities (VMSA-2008-0014)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(34156);
      script_version("1.23");
      script_cvs_date("Date: 2018/11/15 20:50:29");
    
      script_cve_id(
        "CVE-2007-5438",
        "CVE-2008-3691",
        "CVE-2008-3692",
        "CVE-2008-3693",
        "CVE-2008-3694",
        "CVE-2008-3695",
        "CVE-2008-3696",
        "CVE-2008-3697",
        "CVE-2008-3698",
        "CVE-2008-3892",
        "CVE-2008-4279"
      );
      script_bugtraq_id(26025, 30934, 30935, 30936, 31569);
      script_xref(name:"VMSA", value:"2008-0014");
      script_xref(name:"Secunia", value:"31310");
      script_xref(name:"Secunia", value:"31707");
      script_xref(name:"Secunia", value:"31708");
      script_xref(name:"Secunia", value:"31709");
    
      script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2008-0014)");
      script_summary(english:"Checks versions of multiple VMware products");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host has an application that is affected by
    multiple issues.");
      script_set_attribute(attribute:"description", value:
    "A VMware product installed on the remote host is affected by multiple
    vulnerabilities :
    
      - ActiveX controls provided by VMware for IE could be
        exploited to cause a denial of service condition or
        execute arbitrary code on the remote system.
        (CVE-2007-5438, CVE-2008-3691-CVE-2008-3696,
        CVE-2008-3892)
    
      - Internet Server Application Programming Interface
        (ISAPI) extensions provided by VMware are affected
        by a remote denial of service vulnerability.
        (CVE-2008-3697)
    
      - Certain VMware products running as host systems are
        affected by a local privilege escalation vulnerability.
        Successful exploitation of this issue would allow
        users to execute arbitrary code on the system.
        (CVE-2008-3698)
    
      - A flaw in VMware's CPU hardware emulation could result
        in privilege escalation on guest systems running on
        64-bit operating systems. (CVE-2008-4279)");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/495869/100/0/threaded");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2008/Oct/51" );
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2008-0014.html" );
      script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2008-0016.html" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to :
    
      - VMware Workstation 6.0.5/5.5.8 or higher.
      - VMware Player 2.0.5/1.0.8 or higher.
      - VMware Server 1.0.7 or higher.
      - VMware ACE 2.0.5/1.0.7 or higher.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 119, 264);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/09/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:ace");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_player");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_server");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_workstation");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_workstation_detect.nasl","vmware_server_win_detect.nasl", "vmware_player_detect.nasl","vmware_ace_detect.nasl");
      script_require_ports("VMware/Server/Version", "VMware/ACE/Version", "VMware/Player/Version", "VMware/Workstation/Version", 139, 445);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("smb_func.inc");
    
    port = kb_smb_transport();
    
    # Check for VMware Workstation
    
    version = get_kb_item("VMware/Workstation/Version");
    if (version)
    {
     v = split(version, sep:".", keep:FALSE);
     for (i=0; i<max_index(v); i++)
        v[i] = int(v[i]);
    
     if (( v[0]  < 5 ) ||
         ( v[0] == 5 && v[1]  < 5 ) ||
         ( v[0] == 5 && v[1] == 5 && v[2] < 8 ) ||
         ( v[0] == 6 && v[1] == 0 && v[2] < 5 )
        )
         {
          if (report_verbosity > 0)
          {
            report = string(
              "\n",
              "Version ",version," of VMware Workstation is installed on the remote host.",
              "\n"
            );
            security_hole(port:port, extra:report);
           }
           else
       	 security_hole(port);
         }
    }
    
    # Check for VMware Server
    
    version = get_kb_item("VMware/Server/Version");
    if (version)
    {
     v = split(version, sep:".", keep:FALSE);
     for (i=0; i<max_index(v); i++)
        v[i] = int(v[i]);
    
     if ( ( v[0]  < 1 ) ||
          ( v[0] == 1  && v[1] == 0 && v[2] < 7 )
        )
       {
         if (report_verbosity > 0)
          {
            report = string(
              "\n",
              "Version ",version," of VMware Server is installed on the remote host.",
              "\n"
            );
            security_hole(port:port, extra:report);
           }
           else
        	security_hole(port);
        }
    }
    
    # Check for VMware Player
    
    version = get_kb_item("VMware/Player/Version");
    if (version)
    {
     v = split(version, sep:".", keep:FALSE);
     for (i=0; i<max_index(v); i++)
        v[i] = int(v[i]);
    
     if ( ( v[0]  < 1 ) ||
          ( v[0] == 1  && v[1] == 0 && v[2] < 8 ) ||
          ( v[0] == 2  && v[1] == 0 && v[2] < 5 )
        )
       {
         if (report_verbosity > 0)
          {
            report = string(
              "\n",
              "Version ",version," of VMware Player is installed on the remote host.",
              "\n"
            );
            security_hole(port:port, extra:report);
           }
           else
            security_hole(port);
        }
    }
    
    # Check for VMware ACE.
    
    version = get_kb_item("VMware/ACE/Version");
    if (version)
    {
     v = split(version, sep:".", keep:FALSE);
    
     for (i=0; i<max_index(v); i++)
        v[i] = int(v[i]);
    
     if (( v[0] == 1  && v[1] == 0 && v[2] < 7 ) ||
         ( v[0] == 2  && v[1] == 0 && v[2] < 5 )
        )
      {
        if (report_verbosity > 0)
        {
          report = string(
             "\n",
             "Version ",version," of VMware ACE is installed on the remote host.",
             "\n"
          );
          security_hole(port:port, extra:report);
        }
        else
           security_hole(port);
      }
    }
    
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2008-0014.NASL
    descriptionI Security Issues a. Setting ActiveX kill bit Starting from this release, VMware has set the kill bit on its ActiveX controls. Setting the kill bit ensures that ActiveX controls cannot run in Internet Explorer (IE), and avoids security issues involving ActiveX controls in IE. See the Microsoft KB article 240797 and the related references on this topic. Security vulnerabilities have been reported for ActiveX controls provided by VMware when run in IE. Under specific circumstances, exploitation of these ActiveX controls might result in denial-of- service or can allow running of arbitrary code when the user browses a malicious Web site or opens a malicious file in IE browser. An attempt to run unsafe ActiveX controls in IE might result in pop-up windows warning the user. Note: IE can be configured to run unsafe ActiveX controls without prompting. VMware recommends that you retain the default settings in IE, which prompts when unsafe actions are requested. Earlier, VMware had issued knowledge base articles, KB 5965318 and KB 9078920 on security issues with ActiveX controls. To avoid malicious scripts that exploit ActiveX controls, do not enable unsafe ActiveX objects in your browser settings. As a best practice, do not browse untrusted Web sites as an administrator and do not click OK or Yes if prompted by IE to allow certain actions. VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai, and Michal Bucko for reporting these issues to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the names CVE-2008-3691, CVE-2008-3692, CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and CVE-2008-3696 to the security issues with VMware ActiveX controls. b. VMware ISAPI Extension Denial of Service The Internet Server Application Programming Interface (ISAPI) is an API that extends the functionality of Internet Information Server (IIS). VMware uses ISAPI extensions in its Server product. One of the ISAPI extensions provided by VMware is vulnerable to a remote denial of service. By sending a malformed request, IIS might shut down. IIS 6.0 restarts automatically. However, IIS 5.0 does not restart automatically when its Startup Type is set to Manual. VMware would like to thank the Juniper Networks J-Security Security Research Team for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3697 to this issue. c. OpenProcess Local Privilege Escalation on Host System This release fixes a privilege escalation vulnerability in host systems. Exploitation of this vulnerability allows users to run arbitrary code on the host system with elevated privileges. VMware would like to thank Sun Bing from McAfee, Inc. for reporting this issue to us. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2008-3698 to this issue. d. Update to Freetype FreeType 2.3.6 resolves an integer overflow vulnerability and other vulnerabilities that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted file. This release updates FreeType to 2.3.7. The Common Vulnerabilities and Exposures Project (cve.mitre.com) has assigned the names CVE-2008-1806, CVE-2008-1807, and CVE-2008-1808 to the issues resolved in Freetype 2.3.6. e. Update to Cairo Cairo 1.4.12 resolves an integer overflow vulnerability that can allow malicious users to run arbitrary code or might cause a denial-of-service after reading a maliciously crafted PNG file. This release updates Cairo to 1.4.14. The Common Vulnerabilities and Exposures (cve.mitre.com) has assigned the name CVE-2007-5503 to this issue. f. VMware Consolidated Backup (VCB) command-line utilities may expose sensitive information VMware Consolidated Backup command-line utilities accept the user password through the -p command-line option. Users logged into the ESX service console or into the system that runs VCB could gain access to the username and password used by VCB command-line utilities when such commands are running. The ESX patch and the new version of VCB resolve this issue by providing an alternative way of passing the password used by VCB command-line utilities. VCB in ESX ---------- The following options are recommended for passing the password : 1. The password is specified in /etc/backuptools.conf (PASSWORD=xxxxx), and -p is not used in the command line. /etc/backuptools.conf file permissions are read/write only for root. 2. No password is specified in /etc/backuptools.conf and the -p option is not used in the command line. The user will be prompted to enter a password. ESX is not affected unless you use VCB. Stand-alone VCB --------------- The following options are recommended for passing the password : 1. The password is specified in config.js (PASSWORD=xxxxx), and -p is not used in the command line. The file permissions on config.js are read/write only for the administrator. The config.js file is located in folder
    last seen2020-06-01
    modified2020-06-02
    plugin id40382
    published2009-07-27
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/40382
    titleVMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from VMware Security Advisory 2008-0014. 
    # The text itself is copyright (C) VMware Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(40382);
      script_version("1.41");
      script_cvs_date("Date: 2019/11/12");
    
      script_cve_id("CVE-2007-5269", "CVE-2007-5438", "CVE-2007-5503", "CVE-2008-1447", "CVE-2008-1806", "CVE-2008-1807", "CVE-2008-1808", "CVE-2008-2101", "CVE-2008-3691", "CVE-2008-3692", "CVE-2008-3693", "CVE-2008-3694", "CVE-2008-3695", "CVE-2008-3696", "CVE-2008-3697", "CVE-2008-3698", "CVE-2008-4194");
      script_bugtraq_id(25956, 26650, 29637, 29639, 29640, 29641, 30131);
      script_xref(name:"VMSA", value:"2008-0014");
      script_xref(name:"IAVA", value:"2008-A-0045");
    
      script_name(english:"VMSA-2008-0014 : Updates to VMware Workstation, VMware Player, VMware ACE, VMware Server, VMware ESX, VMware VCB address information disclosure, privilege escalation and other security issues.");
      script_summary(english:"Checks esxupdate output for the patches");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote VMware ESXi / ESX host is missing one or more
    security-related patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "I Security Issues
    
     a. Setting ActiveX kill bit
    
         Starting from this release, VMware has set the kill bit on its
         ActiveX controls. Setting the kill bit ensures that ActiveX
         controls cannot run in Internet Explorer (IE), and avoids
         security issues involving ActiveX controls in IE. See the
         Microsoft KB article 240797 and the related references on this
         topic.
    
         Security vulnerabilities have been reported for ActiveX controls
         provided by VMware when run in IE. Under specific circumstances,
         exploitation of these ActiveX controls might result in denial-of-
         service or can allow running of arbitrary code when the user
         browses a malicious Web site or opens a malicious file in IE
         browser. An attempt to run unsafe ActiveX controls in IE might
         result in pop-up windows warning the user.
      
         Note: IE can be configured to run unsafe ActiveX controls without
               prompting.  VMware recommends that you retain the default
               settings in IE, which prompts when unsafe actions are
               requested.
    
         Earlier, VMware had issued knowledge base articles, KB 5965318 and
         KB 9078920 on security issues with ActiveX controls. To avoid
         malicious scripts that exploit ActiveX controls, do not enable
         unsafe ActiveX objects in your browser settings. As a best
         practice, do not browse untrusted Web sites as an administrator
         and do not click OK or Yes if prompted by IE to allow certain
         actions.
    
         VMware would like to thank Julien Bachmann, Shennan Wang, Shinnai,
         and Michal Bucko for reporting these issues to us.
    
         The Common Vulnerabilities and Exposures Project (cve.mitre.org)
         has assigned the names CVE-2008-3691, CVE-2008-3692,
         CVE-2008-3693, CVE-2008-3694, CVE-2008-3695, CVE-2007-5438, and
         CVE-2008-3696 to the security issues with VMware ActiveX controls.
    
     b. VMware ISAPI Extension Denial of Service
    
         The Internet Server Application Programming Interface (ISAPI) is
         an API that extends the functionality of Internet Information
         Server (IIS). VMware uses ISAPI extensions in its Server product.
    
         One of the ISAPI extensions provided by VMware is vulnerable to a
         remote denial of service. By sending a malformed request, IIS
         might shut down. IIS 6.0 restarts automatically. However, IIS 5.0
         does not restart automatically when its Startup Type is set to
         Manual.
    
         VMware would like to thank the Juniper Networks J-Security
         Security Research Team for reporting this issue to us.
    
         The Common Vulnerabilities and Exposures Project (cve.mitre.org)
         has assigned the name CVE-2008-3697 to this issue.
    
     c. OpenProcess Local Privilege Escalation on Host System
    
         This release fixes a privilege escalation vulnerability in host
         systems.  Exploitation of this vulnerability allows users to run
         arbitrary code on the host system with elevated privileges.
    
         VMware would like to thank Sun Bing from McAfee, Inc. for
         reporting this issue to us.
    
         The Common Vulnerabilities and Exposures Project (cve.mitre.org)
         has assigned the name CVE-2008-3698 to this issue.
    
     d. Update to Freetype
    
         FreeType 2.3.6 resolves an integer overflow vulnerability and other
         vulnerabilities that can allow malicious users to run arbitrary code
         or might cause a denial-of-service after reading a maliciously
         crafted file. This release updates FreeType to 2.3.7.
    
         The Common Vulnerabilities and Exposures Project (cve.mitre.com)
         has assigned the names CVE-2008-1806, CVE-2008-1807, and
         CVE-2008-1808 to the issues resolved in Freetype 2.3.6.
    
     e. Update to Cairo
    
         Cairo 1.4.12 resolves an integer overflow vulnerability that can
         allow malicious users to run arbitrary code or might cause a
         denial-of-service after reading a maliciously crafted PNG file.
         This release updates Cairo to 1.4.14.
    
         The Common Vulnerabilities and Exposures (cve.mitre.com) has
         assigned the name CVE-2007-5503 to this issue.
    
      f. VMware Consolidated Backup (VCB) command-line utilities may expose
         sensitive information
    
         VMware Consolidated Backup command-line utilities accept the user
         password through the -p command-line option. Users logged into the
         ESX service console or into the system that runs VCB could gain
         access to the username and password used by VCB command-line
    utilities
         when such commands are running.
    
         The ESX patch and the new version of VCB resolve this issue by
         providing an alternative way of passing the password used by VCB
         command-line utilities.
    
         VCB in ESX
         ----------
         The following options are recommended for passing the password :
    
         1. The password is specified in /etc/backuptools.conf
         (PASSWORD=xxxxx), and -p is not used in the command line.
         /etc/backuptools.conf file permissions are read/write only
         for root.
    
         2. No password is specified in /etc/backuptools.conf and the
         -p option is not used in the command line. The user will be
          prompted to enter a password.
    
         ESX is not affected unless you use VCB.
    
         Stand-alone VCB
         ---------------
         The following options are recommended for passing the password :
    
         1. The password is specified in config.js (PASSWORD=xxxxx), and -p
         is not used in the command line. The file permissions on config.js
         are read/write only for the administrator. The config.js file is
         located in folder 'config' of the VCB installation folder. For
    example,
         C:\Program Files\Vmware\Vmware Consolidated Backup Framework\config.
    
         2. The password is specified in the registry, and is not specified in
         config.js, and -p is not used in the command line. Access to the
         registry key holding the password is allowed only to the
    administrator.
         The location of the registry key is :
         On Windows x86: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\
                         VMware Consolidated Backup\Password
         On Windows x64: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\
                         VMware, Inc.\VMware Consolidated Backup\Password
    
         3. The password is not specified in the registry, and is not
    specified in
         config.js, and -p is not used in the command line. The user will be
         prompted to enter a password.
    
         The Common Vulnerabilities and Exposures project (cve.mitre.org)
         has assigned the name CVE-2008-2101 to this issue.
    
      g. Third-Party Library libpng Updated to 1.2.29
    
         Several flaws were discovered in the way third-party library
         libpng handled various PNG image chunks. An attacker could
         create a carefully crafted PNG image file in such a way that
         it causes an application linked with libpng to crash when the
         file is manipulated.
    
         The Common Vulnerabilities and Exposures project (cve.mitre.org)
         has assigned the name CVE-2007-5269 to this issue.
    
         NOTE: There are multiple patches required to remediate the issue.
    
    II ESX Service Console rpm updates
    
      a. update to bind
    
         This update upgrades the service console rpms for bind-utils and
         bind-lib to version 9.2.4-22.el3.
    
         Version 9.2.4.-22.el3 addresses the recently discovered
         vulnerability in the BIND software used for Domain Name
         resolution (DNS). VMware doesn't install all the BIND packages
         on ESX Server and is not vulnerable by default to the reported
         vulnerability. Of the BIND packages, VMware only ships bind-util
         and bind-lib in the service console and these components by
         themselves cannot be used to setup a DNS server. Bind-lib and
         bind-util are used in client DNS applications like nsupdate,
         nslookup, etc.
    
         VMware explicitly discourages installing applications like BIND
         on the service console. In case the customer has installed BIND,
         and the DNS server is configured to support recursive queries,
         their ESX Server system is affected and they should replace BIND
         with a patched version.
    
         Note: ESX Server will use the DNS server on the network it is
         on, so it is important to patch that DNS server.
    
         The Common Vulnerabilities and Exposures project (cve.mitre.org)
         has assigned the name CVE-2008-1447 to this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://lists.vmware.com/pipermail/security-announce/2008/000040.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 189, 200, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:2.5.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.0.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:3.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:3.5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/08/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"VMware ESX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
      script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("vmware_esx_packages.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
    if (
      !get_kb_item("Host/VMware/esxcli_software_vibs") &&
      !get_kb_item("Host/VMware/esxupdate")
    ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    init_esx_check(date:"2008-08-29");
    flag = 0;
    
    
    if (esx_check(ver:"ESX 2.5.4", patch:"20")) flag++;
    
    if (esx_check(ver:"ESX 2.5.5", patch:"10")) flag++;
    
    if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1004823")) flag++;
    if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1005108")) flag++;
    if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1005111")) flag++;
    if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1005112")) flag++;
    if (esx_check(ver:"ESX 3.0.1", patch:"ESX-1005117")) flag++;
    
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1005109")) flag++;
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1005113")) flag++;
    if (esx_check(ver:"ESX 3.0.2", patch:"ESX-1005114")) flag++;
    
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200808403-SG",
        patch_updates : make_list("ESX303-201002201-UG", "ESX303-Update01")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200808404-SG",
        patch_updates : make_list("ESX303-201002201-UG", "ESX303-Update01")
      )
    ) flag++;
    if (
      esx_check(
        ver           : "ESX 3.0.3",
        patch         : "ESX303-200808406-SG",
        patch_updates : make_list("ESX303-201002205-UG", "ESX303-Update01")
      )
    ) flag++;
    
    if (
      esx_check(
        ver           : "ESX 3.5.0",
        patch         : "ESX350-200808409-SG",
        patch_updates : make_list("ESX350-201002404-SG", "ESX350-Update04", "ESX350-Update05", "ESX350-Update05a")
      )
    ) flag++;
    
    if (esx_check(ver:"ESXi 3.5.0", patch:"ESXe350-200808501-I-SG")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID:30936 CVE ID:CVE-2008-3698 CNCVE ID:CNCVE-20083698 VMWare是一款虚拟PC软件,允许在一台机器上同时运行两个或多个Windows、DOS、LINUX系统。 VMware OpenProces存在特权提升问题,本地攻击者可以利用漏洞在宿主系统上执行任意代码。 目前没有详细漏洞细节提供。 VMWare Workstation 5.5.8 build 108000 VMWare Workstation 5.5.8 VMWare Server 1.0.7 build 108231 VMWare Server 1.0.7 VMWare Player 1.0.8 build 108000 VMWare Player 1.0.8 VMWare ACE 1.0.7 build 108880 VMWare ACE 1.0.7 目前供应商已经提供升级程序,可联系供应商获得补丁信息: <a href=http://lists.vmware.com/pipermail/security-announce/2008/000033.html target=_blank>http://lists.vmware.com/pipermail/security-announce/2008/000033.html</a>
idSSV:3948
last seen2017-11-19
modified2008-09-01
published2008-09-01
reporterRoot
titleVMware OpenProcess本地特权提升漏洞