Vulnerabilities > CVE-2016-5330 - Untrusted Search Path vulnerability in VMWare products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
vmware
CWE-426
nessus
exploit available
metasploit

Summary

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Exploit-Db

descriptionVMware Host Guest Client Redirector - DLL Side Loading (Metasploit). CVE-2016-5330. Local exploit for Windows platform
idEDB-ID:41711
last seen2017-03-23
modified2017-03-23
published2017-03-23
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/41711/
titleVMware Host Guest Client Redirector - DLL Side Loading (Metasploit)

Metasploit

descriptionA DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, a component of VMware Tools. This issue can be exploited by luring a victim into opening a document from the attacker's share. An attacker can exploit this issue to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. If the WebDAV Mini-Redirector is enabled, it is possible to exploit this issue over the internet.
idMSF:EXPLOIT/WINDOWS/MISC/VMHGFS_WEBDAV_DLL_SIDELOAD
last seen2020-06-01
modified2017-07-24
published2016-08-05
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb
titleDLL Side Loading Vulnerability in VMware Host Guest Client Redirector

Nessus

  • NASL familyMisc.
    NASL idVMWARE_VMSA-2016-0010_REMOTE.NASL
    descriptionThe remote VMware ESXi host is version 5.0, 5.1, 5.5, or 6.0 and is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - An arbitrary code execution vulnerability exists in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user. (CVE-2016-5330) - An HTTP header injection vulnerability exists due to improper sanitization of user-supplied input. A remote attacker can exploit this to inject arbitrary HTTP headers and conduct HTTP response splitting attacks. (CVE-2016-5331)
    last seen2020-06-01
    modified2020-06-02
    plugin id92949
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92949
    titleESXi 5.0 / 5.1 / 5.5 / 6.0 Multiple Vulnerabilities (VMSA-2016-0010) (remote check)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_FUSION_VMSA_2016_0010.NASL
    descriptionThe version of VMware Fusion installed on the remote Mac OS X host is 8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id92943
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92943
    titleVMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)
  • NASL familyGeneral
    NASL idVMWARE_WORKSTATION_LINUX_VMSA_2016_0010.NASL
    descriptionThe version of VMware Workstation installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id92946
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92946
    titleVMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)
  • NASL familyWindows
    NASL idVMWARE_WORKSTATION_WIN_VMSA_2016_0010.NASL
    descriptionThe version of VMware Workstation installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id92947
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92947
    titleVMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)
  • NASL familyGeneral
    NASL idVMWARE_PLAYER_LINUX_VMSA_2016_0010.NASL
    descriptionThe version of VMware Player installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id92944
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92944
    titleVMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)
  • NASL familyWindows
    NASL idVMWARE_PLAYER_WIN_VMSA_2016_0010.NASL
    descriptionThe version of VMware Player installed on the remote host is 12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.
    last seen2020-06-01
    modified2020-06-02
    plugin id92945
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92945
    titleVMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/138289/vmhgfs_webdav_dll_sideload.rb.txt
idPACKETSTORM:138289
last seen2016-12-05
published2016-08-11
reporterYorick Koster
sourcehttps://packetstormsecurity.com/files/138289/DLL-Side-Loading-In-VMware-Host-Guest-Client-Redirector.html
titleDLL Side Loading In VMware Host Guest Client Redirector