Vulnerabilities > CVE-2009-2267 - Local Privilege Escalation vulnerability in VMware Products Page Fault Exception
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register.
Vulnerable Configurations
Exploit-Db
| description | VMWare Virtual 8086 Linux Local Ring0 Exploit. CVE-2009-2267. Local exploits for multiple platform |
| id | EDB-ID:10207 |
| last seen | 2016-02-01 |
| modified | 2009-10-27 |
| published | 2009-10-27 |
| reporter | Tavis Ormandy and Julien Tinnes |
| source | https://www.exploit-db.com/download/10207/ |
| title | VMWare Virtual 8086 - Linux - Local Ring0 Exploit |
Nessus
NASL family Windows NASL id VMWARE_MULTIPLE_VMSA_2009_0015.NASL description A VMware product (Workstation, Player, ACE, or Server) detected on the remote host has a privilege escalation vulnerability. Page fault exceptions are not handled properly, which could allow a local attacker to elevate privileges within the guest VM. This vulnerability reportedly does not affect the host system. last seen 2020-06-01 modified 2020-06-02 plugin id 42308 published 2009-10-29 reporter This script is Copyright (C) 2009-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42308 title VMware Products Privilege Escalation Vulnerability (VMSA-2009-0015) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201209-25.NASL description The remote host is affected by the vulnerability described in GLSA-201209-25 (VMware Player, Server, Workstation: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. Impact : Local users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. A remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console. Furthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 62383 published 2012-10-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/62383 title GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2009-0015.NASL description a. Mishandled exception on page faults An improper setting of the exception code on page faults may allow for local privilege escalation on the guest operating system. This vulnerability does not affect the host system. VMware would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2267 to this issue. b. Directory Traversal vulnerability A directory traversal vulnerability allows for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides. VMware would like to thank Justin Morehouse and Jason Kratzer for independently reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3733 to this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 42289 published 2009-10-28 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/42289 title VMSA-2009-0015 : VMware hosted products and ESX patches resolve two security issues
Oval
| accepted | 2014-01-20T04:01:39.433-05:00 | ||||||||||||
| class | vulnerability | ||||||||||||
| contributors |
| ||||||||||||
| definition_extensions |
| ||||||||||||
| description | VMware Workstation 6.5.x before 6.5.3 build 185404, VMware Player 2.5.x before 2.5.3 build 185404, VMware ACE 2.5.x before 2.5.3 build 185404, VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138, VMware Fusion 2.x before 2.0.6 build 196839, VMware ESXi 3.5 and 4.0, and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0, when Virtual-8086 mode is used, do not properly set the exception code upon a page fault (aka #PF) exception, which allows guest OS users to gain privileges on the guest OS by specifying a crafted value for the cs register. | ||||||||||||
| family | unix | ||||||||||||
| id | oval:org.mitre.oval:def:8473 | ||||||||||||
| status | accepted | ||||||||||||
| submitted | 2010-03-22T13:01:12.000-04:00 | ||||||||||||
| title | VMware improper setting of the exception code on page faults vulnerability | ||||||||||||
| version | 7 |
Seebug
bulletinFamily exploit description No description provided by source. id SSV:12550 last seen 2017-11-19 modified 2009-10-30 published 2009-10-30 reporter Root source https://www.seebug.org/vuldb/ssvid-12550 title Invalid #PF Exception Code in VMware can result in Guest Privilege Escalation bulletinFamily exploit description BUGTRAQ ID: 36841 CVE(CAN) ID: CVE-2009-2267 VMWare是一款虚拟PC软件,允许在一台机器上同时运行两个或多个Windows、DOS、LINUX系统。 在受保护的模式中,cpl通常等于cs寄存器最不重要的两位,但也有一个例外:在Virtual-8086模式中,无论cs寄存器为何值cpl总是为 3(最少权限)。当处理器出现#PF异常时,会向包含有标记的栈上Push一个异常代码,操作系统使用这个标记确定正确地操作阶段。其中的一个标记为 U/S(user/supervisor),当处理器处于用户态时出现错误会设置这个标记。 在Virtual-8086模式中,当VMWare模拟far调用或far jmp指令时,错误的使用了管理访问push栈上的返回cs和ip,导致向guest内核传输了错误的异常代码。由于Virtual-8086模式允许用户域代码执行任意的cs寄存器,包括两个最不重要位,因此攻击者可以利用这个管理访问迷惑内核,获得权限提升。 VMWare Workstation 6.5.x VMWare ACE 2.5.x VMWare Player 2.5.x VMWare Server 2.x VMWare Server 1.x VMWare Fusion 2.x VMWare ESX 4.0 VMWare ESX 3.5 VMWare ESX 3.0.3 VMWare ESX 2.5.5 VMWare ESXi 4.0 VMWare ESXi 3.5 厂商补丁: VMWare ------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.vmware.com id SSV:12541 last seen 2017-11-19 modified 2009-10-30 published 2009-10-30 reporter Root source https://www.seebug.org/vuldb/ssvid-12541 title VMware PF异常本地权限提升漏洞 bulletinFamily exploit description No description provided by source. id SSV:14961 last seen 2017-11-19 modified 2009-11-23 published 2009-11-23 reporter Root source https://www.seebug.org/vuldb/ssvid-14961 title VMWare Virtual 8086 Linux Local Ring0 Exploit
References
- http://lists.vmware.com/pipermail/security-announce/2009/000069.html
- http://secunia.com/advisories/37172
- http://security.gentoo.org/glsa/glsa-201209-25.xml
- http://securitytracker.com/id?1023082
- http://securitytracker.com/id?1023083
- http://www.securityfocus.com/archive/1/507523/100/0/threaded
- http://www.securityfocus.com/archive/1/507539/100/0/threaded
- http://www.securityfocus.com/bid/36841
- http://www.vmware.com/security/advisories/VMSA-2009-0015.html
- http://www.vupen.com/english/advisories/2009/3062
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8473