Vulnerabilities > CVE-2010-4297 - Improper Input Validation vulnerability in VMWare products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
The VMware Tools update functionality in VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548; VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548; VMware Server 2.0.2; VMware Fusion 2.x before 2.0.8 build 328035 and 3.1.x before 3.1.2 build 332101; VMware ESXi 3.5, 4.0, and 4.1; and VMware ESX 3.0.3, 3.5, 4.0, and 4.1 allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a "command injection" issue.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Exploit-Db
| description | VMware Tools update OS Command Injection. CVE-2010-4297. Remote exploits for multiple platform |
| id | EDB-ID:15717 |
| last seen | 2016-02-01 |
| modified | 2010-12-09 |
| published | 2010-12-09 |
| reporter | Nahuel Grisolia |
| source | https://www.exploit-db.com/download/15717/ |
| title | VMware Tools update OS Command Injection |
Nessus
NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0018_REMOTE.NASL description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by an unspecified flaw in the Tools update functionality due to improper validation of user-supplied input. A local attacker with host operating system access can exploit this flaw to gain root privileges on the guess operating system. last seen 2020-06-01 modified 2020-06-02 plugin id 89744 published 2016-03-08 reporter This script is Copyright (C) 2016-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89744 title VMware ESX / ESXi Tools Update Privilege Escalation (VMSA-2010-0018) (remote check) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(89744); script_version("1.7"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id("CVE-2010-4297"); script_bugtraq_id(45166); script_xref(name:"VMSA", value:"2010-0018"); script_name(english:"VMware ESX / ESXi Tools Update Privilege Escalation (VMSA-2010-0018) (remote check)"); script_summary(english:"Checks the ESX / ESXi version and build number."); script_set_attribute(attribute:"synopsis", value: "The remote VMware ESX / ESXi host is missing a security-related patch."); script_set_attribute(attribute:"description", value: "The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by an unspecified flaw in the Tools update functionality due to improper validation of user-supplied input. A local attacker with host operating system access can exploit this flaw to gain root privileges on the guess operating system."); script_set_attribute(attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000112.html"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch as referenced in the vendor advisory that pertains to ESX version 3.5 / 4.0 / 4.1 or ESXi version 3.5 / 4.0 / 4.1."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/02"); script_set_attribute(attribute:"patch_publication_date", value:"2010/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/08"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"VMware ESX Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2016-2019 Tenable Network Security, Inc."); script_dependencies("vmware_vsphere_detect.nbin"); script_require_keys("Host/VMware/version", "Host/VMware/release"); script_require_ports("Host/VMware/vsphere"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); ver = get_kb_item_or_exit("Host/VMware/version"); rel = get_kb_item_or_exit("Host/VMware/release"); port = get_kb_item_or_exit("Host/VMware/vsphere"); esx = ''; if ("ESX" >!< rel) audit(AUDIT_OS_NOT, "VMware ESX/ESXi"); extract = eregmatch(pattern:"^(ESXi?) (\d\.\d).*$", string:ver); if (isnull(extract)) audit(AUDIT_UNKNOWN_APP_VER, "VMware ESX/ESXi"); else { esx = extract[1]; ver = extract[2]; } # fixed build numbers are the same for ESX and ESXi fixes = make_array( "3.5", "283373", "4.0", "294855", "4.1", "320092" ); fix = FALSE; fix = fixes[ver]; # get the build before checking the fix for the most complete audit trail extract = eregmatch(pattern:'^VMware ESXi?.* build-([0-9]+)$', string:rel); if (isnull(extract)) audit(AUDIT_UNKNOWN_BUILD, "VMware " + esx, ver); build = int(extract[1]); # if there is no fix in the array, fix is FALSE if (!fix) audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build); if (build < fix) { report = '\n Version : ' + esx + " " + ver + '\n Installed build : ' + build + '\n Fixed build : ' + fix + '\n'; security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_VER_NOT_VULN, "VMware " + esx, ver, build);NASL family Windows NASL id VMWARE_MULTIPLE_VMSA_2010_0018.NASL description A VMware product (Player, Workstation, Server, or Movie Decoder) detected on the remote host has one or more of the following vulnerabilities : - A vulnerability in VMware Tools update could allow arbitrary code execution on non-Windows based guest operating systems with root privileges. (CVE-2010-4297) - A vulnerability in VMware VMnc Codec could allow arbitrary code execution subject to the privileges of the user running the application using the vulnerable codec. (CVE-2010-4294) In addition to patching, VMware Tools must be manually updated on all guest VMs in order to completely mitigate certain vulnerabilities. Refer to the VMware advisory for more information. last seen 2020-06-01 modified 2020-06-02 plugin id 51057 published 2010-12-07 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51057 title VMware Products Multiple Vulnerabilities (VMSA-2010-0018) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(51057); script_version("1.12"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id("CVE-2010-4294","CVE-2010-4297"); script_bugtraq_id(45166, 45169); script_xref(name:"VMSA", value:"2010-0018"); script_xref(name:"Secunia", value:"42480"); script_xref(name:"Secunia", value:"42481"); script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2010-0018)"); script_summary(english:"Checks vulnerable versions of VMware products"); script_set_attribute( attribute:"synopsis", value: "The remote host has a virtualization application affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "A VMware product (Player, Workstation, Server, or Movie Decoder) detected on the remote host has one or more of the following vulnerabilities : - A vulnerability in VMware Tools update could allow arbitrary code execution on non-Windows based guest operating systems with root privileges. (CVE-2010-4297) - A vulnerability in VMware VMnc Codec could allow arbitrary code execution subject to the privileges of the user running the application using the vulnerable codec. (CVE-2010-4294) In addition to patching, VMware Tools must be manually updated on all guest VMs in order to completely mitigate certain vulnerabilities. Refer to the VMware advisory for more information." ); script_set_attribute(attribute:"see_also",value:"https://www.vmware.com/security/advisories/VMSA-2010-0018.html"); script_set_attribute(attribute:"see_also",value:"http://dvlabs.tippingpoint.com/advisory/TPTI-10-16"); script_set_attribute(attribute:"see_also",value:"http://lists.vmware.com/pipermail/security-announce/2010/000112.html"); script_set_attribute( attribute:"solution", value: "Upgrade to : - VMware Workstation 6.5.5 / 7.1.2 or later. - VMware Player 2.5.5 / 3.1.2 or later. - VMware Movie Decoder (standalone) 6.5.5/7.1.2 or later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date",value:"2010/12/02"); script_set_attribute(attribute:"patch_publication_date",value:"2010/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_player"); script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_server"); script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:vmware_workstation"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "vmware_workstation_detect.nasl", "vmware_player_detect.nasl", "vmware_server_win_detect.nasl"); script_require_keys("SMB/Registry/Enumerated"); script_require_ports(139, 445); exit(0); } include("misc_func.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); port = kb_smb_transport(); report = ''; vuln = NULL; # Check if Movie Decoder is installed list = get_kb_list("SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName"); decoder_installed = FALSE; foreach name (list) { if (name == 'VMware Movie Decoder') { decoder_installed = TRUE; break; } } # Check for VMware Workstation version = get_kb_item("VMware/Workstation/Version"); if (version) { v = split(version, sep:".", keep:FALSE); if ( ( int(v[0]) < 6 ) || ( int(v[0]) == 6 && int(v[1]) < 5) || ( int(v[0]) == 6 && int(v[1]) == 5 && int(v[2]) < 5) ) { vuln = TRUE; report = '\n Product : VMware Workstation'+ '\n Installed version : '+version+ '\n Fixed version : 6.5.5\n'; } else if ( (int(v[0]) == 7 && int(v[1]) < 1 ) || (int(v[0]) == 7 && int(v[1]) == 1 && int(v[2]) < 2) ) { vuln = TRUE; report = '\n Product : VMware Workstation'+ '\n Installed version : '+version+ '\n Fixed version : 7.1.2\n'; } else if (isnull(vuln)) vuln = FALSE; } else if (decoder_installed) { # If Workstation is not installed, check if the standalone Movie Decoder is # present and vulnerable if (!is_accessible_share()) exit(1, "is_accessible_share() failed."); if ( (hotfix_is_vulnerable(file:"vmnc.dll", version:"6.5.5", dir:"\system32")) || (hotfix_is_vulnerable(file:"vmnc.dll", version:"7.1.2", min_version:"7.0.0", dir:"\system32")) ) { vuln = TRUE; hf_report = split(hotfix_get_report(), sep:'\n', keep:FALSE); report = '\n Product : VMware Movie Decoder'+ '\n ' + hf_report[1]+ '\n ' + hf_report[2]+'\n'; } hotfix_check_fversion_end(); } version = get_kb_item("VMware/Server/Version"); if (version) { v = split(version, sep:".", keep:FALSE); # Flag all server versions <= 2 if (int(v[0]) <= 2) { vuln = TRUE; report = '\n Product : VMware Server'+ '\n Installed version : '+ version + '\n Fixed version : no patches planned.\n'; } else if (isnull(vuln)) vuln = FALSE; } # Check for VMware Player version = get_kb_item("VMware/Player/Version"); if (version) { v = split(version, sep:".", keep:FALSE); if ( ( int(v[0]) < 2 ) || ( int(v[0]) == 2 && int(v[1]) < 5 ) || ( int(v[0]) == 2 && int(v[1]) == 5 && int(v[2]) < 5) ) { vuln = TRUE; report += '\n Product : VMware Player'+ '\n Installed version : '+version+ '\n Fixed version : 2.5.5\n'; } else if ((int(v[0]) == 3 && int(v[1]) < 1) || (int(v[0]) == 3 && int(v[1]) == 1 && int(v[2]) < 2) ) { vuln = TRUE; report += '\n Product : VMware Player'+ '\n Installed version : '+version+ '\n Fixed version : 3.1.2\n'; } else if (isnull(vuln)) vuln = FALSE; } if (isnull(vuln)) exit(0, "No VMware products were detected on this host."); if (!vuln) exit(0, "The host is not affected."); if (report_verbosity > 0) security_hole(port:port, extra:report); else security_hole();NASL family MacOS X Local Security Checks NASL id MACOSX_FUSION_2_0_8.NASL description The version of VMware Fusion installed on the Mac OS X host is earlier than 2.0.8. The VMware Tools update functionality in such versions allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a last seen 2020-06-01 modified 2020-06-02 plugin id 51078 published 2010-12-08 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51078 title VMware Fusion < 2.0.8 (VMSA-2010-0018) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(51078); script_version("1.7"); script_cvs_date("Date: 2019/09/24 15:02:54"); script_cve_id("CVE-2010-4297"); script_bugtraq_id(45166); script_name(english:"VMware Fusion < 2.0.8 (VMSA-2010-0018)"); script_summary(english:"Checks version of Fusion"); script_set_attribute( attribute:"synopsis", value: "The remote host has an application that is affected by a security issue." ); script_set_attribute( attribute:"description", value: "The version of VMware Fusion installed on the Mac OS X host is earlier than 2.0.8. The VMware Tools update functionality in such versions allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a 'command injection' issue." ); script_set_attribute( attribute:"see_also", value:"http://lists.vmware.com/pipermail/security-announce/2010/000112.html" ); script_set_attribute( attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2010-0018.html" ); script_set_attribute( attribute:"see_also", value:"http://www.vmware.com/support/fusion2/doc/releasenotes_fusion_208.html" ); script_set_attribute(attribute:"solution", value:"Upgrade to VMware Fusion 2.0.8 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/02"); script_set_attribute(attribute:"patch_publication_date", value:"2010/12/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"MacOS X Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc."); script_dependencies("macosx_fusion_detect.nasl"); script_require_keys("MacOSX/Fusion/Version"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); version = get_kb_item_or_exit("MacOSX/Fusion/Version"); fixed_version = "2.0.8"; major = split(version, sep:'.', keep:FALSE); major = major[0]; if (major == "2") { if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_hole(port:0, extra:report); } else security_hole(0); exit(0); } else exit(0, "The host is not affected since VMware Fusion "+version+" is installed."); } else exit(0, "The host is not affected since VMware Fusion "+version+" is installed and this plugin looks only at versions "+major+".x.");NASL family MacOS X Local Security Checks NASL id MACOSX_FUSION_3_1_2.NASL description The version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.2. Such versions are affected by three security issues : - A race condition in the mounting process in vmware-mount in allows host OS users to gain privileges via vectors involving temporary files. (CVE-2010-4295) - The VMware Tools update functionality allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a last seen 2020-06-01 modified 2020-06-02 plugin id 51079 published 2010-12-08 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51079 title VMware Fusion < 3.1.2 (VMSA-2010-0018) NASL family VMware ESX Local Security Checks NASL id VMWARE_VMSA-2010-0018.NASL description a. VMware Workstation, Player and Fusion vmware-mount race condition The way temporary files are handled by the mounting process could result in a race condition. This issue could allow a local user on the host to elevate their privileges. VMware Workstation and Player running on Microsoft Windows are not affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4295 to this issue. VMware would like to thank Dan Rosenberg for reporting this issue. b. VMware Workstation, Player and Fusion vmware-mount privilege escalation vmware-mount which is a suid binary has a flaw in the way libraries are loaded. This issue could allow local users on the host to execute arbitrary shared object files with root privileges. VMware Workstation and Player running on Microsoft Windows are not affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4296 to this issue. VMware would like to thank Martin Carpenter for reporting this issue. c. OS Command Injection in VMware Tools update A vulnerability in the input validation of VMware Tools update allows for injection of commands. The issue could allow a user on the host to execute commands on the guest operating system with root privileges. The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4297 to this issue. VMware would like to thank Nahuel Grisolia of Bonsai Information Security, http://www.bonsai-sec.com, for reporting this issue. d. VMware VMnc Codec frame decompression remote code execution The VMware movie decoder contains the VMnc media codec that is required to play back movies recorded with VMware Workstation, VMware Player and VMware ACE, in any compatible media player. The movie decoder is installed as part of VMware Workstation, VMware Player and VMware ACE, or can be downloaded as a stand alone package. A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec. For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-4294 to this issue. VMware would like to thank Aaron Portnoy and Logan Brown of TippingPoint DVLabs for reporting this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 50985 published 2010-12-06 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50985 title VMSA-2010-0018 : VMware hosted products and ESX patches resolve multiple security issues
Packetstorm
| data source | https://packetstormsecurity.com/files/download/96508/BONSAI-2010-0110.txt |
| id | PACKETSTORM:96508 |
| last seen | 2016-12-05 |
| published | 2010-12-09 |
| reporter | N. Grisolia |
| source | https://packetstormsecurity.com/files/96508/VMware-Tools-Update-OS-Command-Injection.html |
| title | VMware Tools Update OS Command Injection |
References
- http://lists.vmware.com/pipermail/security-announce/2010/000112.html
- http://osvdb.org/69590
- http://secunia.com/advisories/42480
- http://secunia.com/advisories/42482
- http://www.securityfocus.com/archive/1/514995/100/0/threaded
- http://www.securityfocus.com/bid/45166
- http://www.securitytracker.com/id?1024819
- http://www.securitytracker.com/id?1024820
- http://www.vmware.com/security/advisories/VMSA-2010-0018.html
- http://www.vupen.com/english/advisories/2010/3116