CVE-2016-5330 - Untrusted Search Path vulnerability in VMware products
| Metric | Value |
|---|---|
| Attack vector | LOCAL |
| Attack complexity | MEDIUM |
| Privileges required | NONE |
| Confidentiality impact | PARTIAL |
| Integrity impact | PARTIAL |
| Availability impact | PARTIAL |

Summary
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging/Manipulating Configuration File Search Paths: This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program, such as a path variable or classpath. J2EE applications and other component-based applications that are built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented by the attacker. A standard UNIX path is an ordered list of directories that are searched in turn. If the attacker modifies the path variable to point to a location that includes malicious resources, then the user can unwittingly execute commands on the attacker's behalf. This is a form of usurping control of the program, and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime, detection and blocking of this attack is nearly impossible, because the configuration allows execution.
Exploit-Db
| Field | Value |
|---|---|
| description | VMware Host Guest Client Redirector - DLL Side Loading (Metasploit). CVE-2016-5330. Local exploit for Windows platform |
| id | EDB-ID:41711 |
| last seen | 2017-03-23 |
| modified | 2017-03-23 |
| published | 2017-03-23 |
| reporter | Exploit-DB |
| source | https://www.exploit-db.com/download/41711/ |
| title | VMware Host Guest Client Redirector - DLL Side Loading (Metasploit) |
Metasploit
| Field | Value |
|---|---|
| description | A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, a component of VMware Tools. This issue can be exploited by luring a victim into opening a document from the attacker's share. An attacker can exploit this issue to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. If the WebDAV Mini-Redirector is enabled, it is possible to exploit this issue over the internet. |
| id | MSF:EXPLOIT/WINDOWS/MISC/VMHGFS_WEBDAV_DLL_SIDELOAD |
| last seen | 2020-06-01 |
| modified | 2017-07-24 |
| published | 2016-08-05 |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb |
| title | DLL Side Loading Vulnerability in VMware Host Guest Client Redirector |
Nessus
| Field | Value |
|---|---|
| NASL family | Misc. |
| NASL id | VMWARE_VMSA-2016-0010_REMOTE.NASL |
| description | The remote VMware ESXi host is version 5.0, 5.1, 5.5, or 6.0 and is missing a security patch. It is, therefore, affected by multiple vulnerabilities: (1) An arbitrary code execution vulnerability exists in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. (CVE-2016-5330) (2) An HTTP header injection vulnerability exists due to improper sanitization of user-supplied input. A remote attacker can exploit this to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. (CVE-2016-5331) |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92949 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92949 |
| title | ESXi 5.0 / 5.1 / 5.5 / 6.0 Multiple Vulnerabilities (VMSA-2016-0010) (remote check) |

| Field | Value |
|---|---|
| NASL family | MacOS X Local Security Checks |
| NASL id | MACOSX_FUSION_VMSA_2016_0010.NASL |
| description | The version of VMware Fusion installed on the remote Mac OS X host is 8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92943 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92943 |
| title | VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) |

| Field | Value |
|---|---|
| NASL family | General |
| NASL id | VMWARE_WORKSTATION_LINUX_VMSA_2016_0010.NASL |
| description | The version of VMware Workstation installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92946 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92946 |
| title | VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux) |

| Field | Value |
|---|---|
| NASL family | Windows |
| NASL id | VMWARE_WORKSTATION_WIN_VMSA_2016_0010.NASL |
| description | The version of VMware Workstation installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92947 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92947 |
| title | VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) |

| Field | Value |
|---|---|
| NASL family | General |
| NASL id | VMWARE_PLAYER_LINUX_VMSA_2016_0010.NASL |
| description | The version of VMware Player installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92944 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92944 |
| title | VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux) |

| Field | Value |
|---|---|
| NASL family | Windows |
| NASL id | VMWARE_PLAYER_WIN_VMSA_2016_0010.NASL |
| description | The version of VMware Player installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user to open a file on a network share, to inject and execute arbitrary code in the context of the current user. |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 92945 |
| published | 2016-08-12 |
| reporter | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
| source | https://www.tenable.com/plugins/nessus/92945 |
| title | VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) |
Packetstorm
| Field | Value |
|---|---|
| data source | https://packetstormsecurity.com/files/download/138289/vmhgfs_webdav_dll_sideload.rb.txt |
| id | PACKETSTORM:138289 |
| last seen | 2016-12-05 |
| published | 2016-08-11 |
| reporter | Yorick Koster |
| source | https://packetstormsecurity.com/files/138289/DLL-Side-Loading-In-VMware-Host-Guest-Client-Redirector.html |
| title | DLL Side Loading In VMware Host Guest Client Redirector |
References
- http://www.vmware.com/security/advisories/VMSA-2016-0010.html
- http://www.securitytracker.com/id/1036544
- http://www.securitytracker.com/id/1036545
- http://www.securityfocus.com/bid/92323
- https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html
- http://www.rapid7.com/db/modules/exploit/windows/misc/vmhgfs_webdav_dll_sideload
- http://www.securitytracker.com/id/1036619
- http://www.securityfocus.com/archive/1/539131/100/0/threaded