Vulnerabilities > CVE-2011-1787 - Race Condition vulnerability in VMWare products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyWindows
    NASL idVMWARE_MULTIPLE_VMSA_2011_0009.NASL
    descriptionA VMware product (Player or Workstation) detected on the remote host has multiple vulnerabilities in the Host Guest File System : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen2020-06-01
    modified2020-06-02
    plugin id54996
    published2011-06-08
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/54996
    titleVMware Products Multiple Vulnerabilities (VMSA-2011-0009)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    
    if (description)
    {
      script_id(54996);
      script_version("1.10");
      script_cvs_date("Date: 2019/09/24 15:02:54");
    
      script_cve_id("CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
      script_bugtraq_id(48098);
      script_xref(name:"VMSA", value:"2011-0009");
    
      script_name(english:"VMware Products Multiple Vulnerabilities (VMSA-2011-0009)");
      script_summary(english:"Checks vulnerable versions of VMware products");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote host has a virtualization application affected by multiple
    vulnerabilities."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "A VMware product (Player or Workstation) detected on the remote host
    has multiple vulnerabilities in the Host Guest File System :
    
      - An attacker with access to a Guest operating system can
        determine if a path exists in the Host filesystem and
        whether it's a file or a directory regardless of
        permissions. (CVE-2011-2146)
    
      - A race condition in mount.vmhgfs may allow an attacker
        with access to a Guest to mount on arbitrary directories
        in the Guest filesystem and escalate their privileges if
        they can control the contents of the mounted directory.
        (CVE-2011-1787)
    
      - A procedural error allows an attacker with access to a
        Solaris or FreeBSD Guest operating system to gain write
        access to an arbitrary file in the Guest filesystem.
        (CVE-2011-2145)
    
    These vulnerabilities only affect non-Windows guest operating systems."
      );
      script_set_attribute(attribute:"see_also",value:"http://www.vmware.com/security/advisories/VMSA-2011-0009.html");
      script_set_attribute(attribute:"see_also",value:"http://lists.vmware.com/pipermail/security-announce/2011/000141.html");
      script_set_attribute(
        attribute:"solution",
        value:
    "Upgrade to :
    
      - VMware Workstation 7.1.4 or later.
      - VMware Player 3.1.4 or later.
    
    In addition to patching, VMware Tools must be updated on all non-
    Windows guest VMs in order to completely mitigate certain
    vulnerabilities.  Refer to the VMware advisory for more information."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"patch_publication_date",value:"2011/06/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/08");
    
      script_set_attribute(attribute:"plugin_type",value:"local");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:workstation");
      script_set_attribute(attribute:"cpe",value:"cpe:/a:vmware:player");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
    
      script_dependencies("vmware_workstation_detect.nasl", "vmware_player_detect.nasl");
      script_require_keys("SMB/Registry/Enumerated");
      script_require_ports("VMware/Workstation/Version", "VMware/Player/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smb_func.inc");
    
    
    port = kb_smb_transport();
    report = "";
    
    # Check for VMware Workstation
    version = get_kb_item("VMware/Workstation/Version");
    if (version)
    {
      fix = '7.1.4';
    
      if (version =~ '^7\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report += 
          '\n  Product           : VMware Workstation'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    # Check for VMware Player
    version = get_kb_item("VMware/Player/Version");
    if (version)
    {
      fix = '3.1.4';
    
      if (version =~ '^3\\.1' && ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
      {
        report +=
          '\n  Product           : VMware Player'+
          '\n  Installed version : '+version+
          '\n  Fixed version     : ' + fix + '\n';
      }
    }
    
    if (!report) exit(0, "The host is not affected.");
    
    if (report_verbosity > 0)
      security_hole(port:port, extra:report);
    else
      security_hole();
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_LIBVMTOOLS-DEVEL-110608.NASL
    descriptionThis update of open-vm-tools fixes the following vulnerabilities which allowed an attacker to gain root privileges within the guest system : - CVE-2011-1681 - CVE-2011-2146 - CVE-2011-1787 - CVE-2011-2145
    last seen2020-06-01
    modified2020-06-02
    plugin id75932
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75932
    titleopenSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update libvmtools-devel-4693.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(75932);
      script_version("1.4");
      script_cvs_date("Date: 2019/10/25 13:36:42");
    
      script_cve_id("CVE-2011-1681", "CVE-2011-1787", "CVE-2011-2145", "CVE-2011-2146");
    
      script_name(english:"openSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)");
      script_summary(english:"Check for the libvmtools-devel-4693 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update of open-vm-tools fixes the following vulnerabilities which
    allowed an attacker to gain root privileges within the guest system :
    
      - CVE-2011-1681
    
      - CVE-2011-2146
    
      - CVE-2011-1787
    
      - CVE-2011-2145"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=673267"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=690491"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2011-06/msg00018.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected libvmtools-devel packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libvmtools0-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:open-vm-tools-gui-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-default-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-desktop-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:vmware-guest-kmp-pae-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools-devel-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"libvmtools0-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-debugsource-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"open-vm-tools-gui-debuginfo-2011.05.27-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-default-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-desktop-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    if ( rpm_check(release:"SUSE11.4", reference:"vmware-guest-kmp-pae-debuginfo-2011.05.27_k2.6.37.6_0.5-0.3.3") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "open-vm-tools");
    }
    
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2011-0009_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Linux Kernel in the do_anonymous_page() function due to improper separation of the stack and the heap. An attacker can exploit this to execute arbitrary code. (CVE-2010-2240) - A packet filter bypass exists in the Linux Kernel e1000 driver due to processing trailing payload data as a complete frame. A remote attacker can exploit this to bypass packet filters via a large packet with a crafted payload. (CVE-2009-4536) - A use-after-free error exists in the Linux Kernel when IPV6_RECVPKTINFO is set on a listening socket. A remote attacker can exploit this, via a SYN packet while the socket is in a listening (TCP_LISTEN) state, to cause a kernel panic, resulting in a denial of service condition. (CVE-2010-1188) - An array index error exists in the Linux Kernel in the gdth_read_event() function. A local attacker can exploit this, via a negative event index in an IOCTL request, to cause a denial of service condition. (CVE-2009-3080) - A race condition exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to gain privileges by mounting a filesystem on top of an arbitrary directory. (CVE-2011-1787) - A flaw exists in the VMware Host Guest File System (HGFS) that allows a Solaris or FreeBSD guest operating system user to modify arbitrary guest operating system files. (CVE-2011-2145) - A flaw exists in the VMware Host Guest File System (HGFS) that allows guest operating system users to disclose host operating system files and directories. (CVE-2011-2146) - A flaw exists in the bundled Tom Sawyer GET Extension Factory that allows a remote attacker to cause a denial of service condition or the execution of arbitrary code via a crafted HTML document. (CVE-2011-2217)
    last seen2020-06-01
    modified2020-06-02
    plugin id89678
    published2016-03-04
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/89678
    titleVMware ESX / ESXi Multiple Vulnerabilities (VMSA-2011-0009) (remote check)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_LIBVMTOOLS-DEVEL-110607.NASL
    descriptionThis update of open-vm-tools fixes the following vulnerabilities which allowed an attacker to gain root privileges within the guest system : - CVE-2011-1681 - CVE-2011-2146 - CVE-2011-1787 - CVE-2011-2145
    last seen2020-06-01
    modified2020-06-02
    plugin id75626
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75626
    titleopenSUSE Security Update : libvmtools-devel (openSUSE-SU-2011:0617-1)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2011-0009.NASL
    descriptiona. VMware vmkernel third-party e1000(e) Driver Packet Filter Bypass There is an issue in the e1000(e) Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue. b. ESX third-party update for Service Console kernel This update for the console OS kernel package resolves four security issues. 1) IPv4 Remote Denial of Service An remote attacker can achieve a denial of service via an issue in the kernel IPv4 code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-1188 to this issue. 2) SCSI Driver Denial of Service / Possible Privilege Escalation A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-3080 to this issue. 3) Kernel Memory Management Arbitrary Code Execution A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2010-2240 to this issue. 4) e1000 Driver Packet Filter Bypass There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-4536 to this issue. c. Multiple vulnerabilities in mount.vmhgfs This patch provides a fix for the following three security issues in the VMware Host Guest File System (HGFS). None of these issues affect Windows based Guest Operating Systems. 1) Mount.vmhgfs Information Disclosure Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2146 to this issue. 2) Mount.vmhgfs Race Condition Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-1787 to this issue. 3) Mount.vmhgfs Privilege Escalation Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2145 to this issue. VMware would like to thank Dan Rosenberg for reporting these issues. d. VI Client ActiveX vulnerabilities VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user
    last seen2020-06-01
    modified2020-06-02
    plugin id54968
    published2011-06-06
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/54968
    titleVMSA-2011-0009 : VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_3_1_3.NASL
    descriptionThe version of VMware Fusion installed on the Mac OS X host is earlier than 3.1.3. As such, it is reportedly affected by the following three security vulnerabilities : - An attacker with access to a Guest operating system can determine if a path exists in the Host filesystem and whether it
    last seen2020-06-01
    modified2020-06-02
    plugin id54974
    published2011-06-06
    reporterThis script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/54974
    titleVMware Fusion < 3.1.3 (VMSA-2011-0009 / VMSA-2011-0011)