Vulnerabilities > CVE-2012-1509 - Buffer Errors vulnerability in VMWare View 4.0.0/4.5/4.6.0

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
vmware
CWE-119
nessus
NVD
Published: 2012-03-16
Updated: 2017-09-19

Summary

Buffer overflow in the XPDM display driver in VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Vmware
4

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2012-0005.NASL
    descriptiona. VMware Tools Display Driver Privilege Escalation The VMware XPDM and WDDM display drivers contain buffer overflow vulnerabilities and the XPDM display driver does not properly check for NULL pointers. Exploitation of these issues may lead to local privilege escalation on Windows-based Guest Operating Systems. VMware would like to thank Tarjei Mandt for reporting theses issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-1509 (XPDM buffer overrun), CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null pointer dereference) to these issues. Note: CVE-2012-1509 doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id58362
    published2012-03-16
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58362
    titleVMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues
    code
    #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from VMware Security Advisory 2012-0005. 
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(58362);
  script_version("1.52");
  script_cvs_date("Date: 2019/09/24 15:02:54");

  script_cve_id("CVE-2010-0405", "CVE-2011-3190", "CVE-2011-3375", "CVE-2011-3389", "CVE-2011-3546", "CVE-2011-3547", "CVE-2011-3554", "CVE-2012-0022", "CVE-2012-1508", "CVE-2012-1510", "CVE-2012-1512");
  script_bugtraq_id(43331, 49353, 49778, 50211, 50215, 50216, 50218, 50220, 50223, 50224, 50226, 50229, 50231, 50234, 50236, 50237, 50239, 50242, 50243, 50246, 50248, 50250, 51447, 52525);
  script_xref(name:"VMSA", value:"2012-0005");
  script_xref(name:"IAVB", value:"2010-B-0083");

  script_name(english:"VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote VMware ESXi / ESX host is missing one or more
security-related patches."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"a. VMware Tools Display Driver Privilege Escalation

 The VMware XPDM and WDDM display drivers contain buffer overflow
 vulnerabilities and the XPDM display driver does not properly
 check for NULL pointers. Exploitation of these issues may lead
 to local privilege escalation on Windows-based Guest Operating
 Systems.

 VMware would like to thank Tarjei Mandt for reporting theses
 issues to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the names CVE-2012-1509 (XPDM buffer overrun),
 CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null
 pointer dereference) to these issues.

 Note: CVE-2012-1509 doesn't affect ESXi and ESX.

b. vSphere Client internal browser input validation vulnerability

 The vSphere Client has an internal browser that renders html
 pages from log file entries. This browser doesn't properly
 sanitize input and may run script that is introduced into the
 log files. In order for the script to run, the user would need
 to open an individual, malicious log file entry. The script
 would run with the permissions of the user that runs the vSphere
 Client.

 VMware would like to thank Edward Torkington for reporting this
 issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2012-1512 to this issue.

 In order to remediate the issue, the vSphere Client of the
 vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release
 needs to be installed. The vSphere Clients that come with
 vSphere 4.0 and vCenter Server 2.5 are not affected.

c. vCenter Orchestrator Password Disclosure

 The vCenter Orchestrator (vCO) Web Configuration tool reflects
 back the vCenter Server password as part of the webpage. This
 might allow the logged-in vCO administrator to retrieve the
 vCenter Server password.

 VMware would like to thank Alexey Sintsov from Digital Security
 Research Group for reporting this issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2012-1513 to this issue.

d. vShield Manager Cross-Site Request Forgery vulnerability

 The vShield Manager (vSM) interface has a Cross-Site Request
 Forgery vulnerability. If an attacker can convince an
 authenticated user to visit a malicious link, the attacker may
 force the victim to forward an authenticated request to the
 server.

 VMware would like to thank Frans Pehrson of Xxor AB
 (www.xxor.se<http://www.xxor.se>) and Claudio Criscione for independently reporting
 this issue to us

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2012-1514 to this issue.

e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

 Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses
 multiple security issues that existed in earlier releases of
 Oracle (Sun) JRE.

 Oracle has documented the CVE identifiers that are addressed in
 JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical
 Patch Update Advisory of October 2011. The References section
 provides a link to this advisory.

f. vCenter Server Apache Tomcat update 6.0.35

 Apache Tomcat has been updated to version 6.0.35 to address
 multiple security issues.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the names CVE-2011-3190, CVE-2011-3375,
 CVE-2011-4858, and CVE-2012-0022 to these issues.


g. ESXi update to third-party component bzip2

 The bzip2 library is updated to version 1.0.6, which resolves a
 security issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)
 has assigned the name CVE-2010-0405 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2012/000198.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:4.1");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2012/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/16");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}


include("audit.inc");
include("vmware_esx_packages.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);


init_esx_check(date:"2012-03-15");
flag = 0;


if (
  esx_check(
    ver           : "ESX 4.0",
    patch         : "ESX400-201110401-SG",
    patch_updates : make_list("ESX400-201111201-SG", "ESX400-201203401-SG", "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG", "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG", "ESX400-201404401-SG", "ESX400-Update04")
  )
) flag++;

if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201110201-SG",
    patch_updates : make_list("ESX410-201201401-SG", "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG", "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update02", "ESX410-Update03")
  )
) flag++;
if (
  esx_check(
    ver           : "ESX 4.1",
    patch         : "ESX410-201208101-SG",
    patch_updates : make_list("ESX410-201211401-SG", "ESX410-201301401-SG", "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG", "ESX410-201404401-SG", "ESX410-Update03")
  )
) flag++;

if (
  esx_check(
    ver           : "ESXi 4.1",
    patch         : "ESXi410-201110202-UG",
    patch_updates : make_list("ESXi410-Update02", "ESXi410-Update03")
  )
) flag++;

if (esx_check(ver:"ESXi 5.0", vib:"VMware:esx-base:5.0.0-0.10.608089")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
  • NASL familyWindows
    NASL idVMWARE_VIEW_MULTIPLE_VMSA_2012_0004.NASL
    descriptionThe VMware View, formerly VMware Virtual Desktop Infrastructure components (Agent or Server), on the remote host is 4.x prior to 4.6.1. It is, therefore, potentially affected by the following vulnerabilities : - A buffer overflow vulnerability exists in the XPDM and WDDM display drivers and a NULL pointer dereference in WDDM display driver that could allow local attackers to elevate privileges and potentially execute arbitrary code. (CVE-2012-1508, CVE-2012-1509, CVE-2012-1510) - A cross-site scripting vulnerability exists where input passed via view manager portal is not properly validated. A remote attacker could exploit this vulnerability by creating a specially crafted URL, which could result in execution of arbitrary script code. (CVE-2012-1511)
    last seen2020-06-01
    modified2020-06-02
    plugin id63684
    published2013-01-24
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63684
    titleVMware View Multiple Vulnerabilities (VMSA-2012-0004)

Oval

accepted2013-07-29T04:01:17.227-04:00
classvulnerability
contributors
nameMaria Kedovskaya
organizationALTX-SOFT
definition_extensions
  • commentVMware Workstation is installed
    ovaloval:org.mitre.oval:def:16277
  • commentVMware Player is installed
    ovaloval:org.mitre.oval:def:17194
  • commentVMware View is installed
    ovaloval:org.mitre.oval:def:16309
descriptionBuffer overflow in the XPDM display driver in VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.
familywindows
idoval:org.mitre.oval:def:17151
statusaccepted
submitted2013-06-20T10:26:26.748+04:00
titleVMware Tools Display Driver Privilege Escalation
version18

References