CVE-2017-4933 - Out-of-bounds Write vulnerability in VMware ESXi, Fusion and Workstation Pro
Summary
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a vulnerability that could allow an authenticated VNC session to cause a heap overflow via a specific set of VNC packets resulting in heap corruption. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session. Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.
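The ESXi caveat above (VNC has to be switched on in the VM's .vmx file, and the host firewall has to let the traffic through) is the first thing to check when triaging this CVE on a host. The following Python is an added example, not code from this page or from VMware: it parses .vmx files and classifies each VM's VNC exposure using the RemoteDisplay.vnc.enabled / RemoteDisplay.vnc.port / RemoteDisplay.vnc.password keys. The three sample .vmx files are constructed for the demonstration, and the firewall side of the prerequisite is not modelled.

```python
import re

# Constructed sample .vmx files (not taken from any real host). On ESXi the real
# files live under /vmfs/volumes/<datastore>/<vm>/<vm>.vmx.
SAMPLE_VMX = {
    "web01.vmx": '''
.encoding = "UTF-8"
config.version = "8"
displayName = "web01"
''',
    "build02.vmx": '''
displayName = "build02"
RemoteDisplay.vnc.enabled = "TRUE"
RemoteDisplay.vnc.port = "5901"
''',
    "jump03.vmx": '''
displayName = "jump03"
RemoteDisplay.vnc.enabled = "true"
RemoteDisplay.vnc.port = "5902"
RemoteDisplay.vnc.password = "s3cret"
''',
}

# One .vmx line: key = "value"
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:-]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Parse the key = "value" lines of a .vmx file into a dict.
    Keys are lower-cased so that lookups here are case-insensitive."""
    cfg = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def vnc_exposure(cfg):
    """Classify a VM against the exploitation prerequisite: is the built-in
    VNC server on, and does it at least require a password?"""
    enabled = cfg.get("remotedisplay.vnc.enabled", "").strip().lower() == "true"
    if not enabled:
        return "vnc-disabled"
    if cfg.get("remotedisplay.vnc.password", "") == "":
        return "vnc-enabled-no-auth"      # reachable with no credentials at all
    return "vnc-enabled-auth"             # still in scope for CVE-2017-4933, but gated


def audit(vmx_files):
    """Return {filename: (displayName, vnc port, classification)} for every VM."""
    report = {}
    for name, text in vmx_files.items():
        cfg = parse_vmx(text)
        report[name] = (cfg.get("displayname", "?"),
                        cfg.get("remotedisplay.vnc.port", ""),
                        vnc_exposure(cfg))
    return report


if __name__ == "__main__":
    for name, (vm, port, status) in audit(SAMPLE_VMX).items():
        print(f"{name:12} {vm:10} port={port or '-':5} {status}")
```

Any VM reported as vnc-enabled-no-auth is exposed exactly as the Talos write-up describes (no authentication needed before the malicious packets are sent); vnc-enabled-auth VMs still need the patch, since the bug is reachable after authentication.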
Nessus
NASL family | VMware ESX Local Security Checks |
NASL id | VMWARE_VMSA-2017-0021.NASL |
description | a. ESXi, Workstation, and Fusion stack overflow via authenticated VNC session. VMware ESXi, Workstation, and Fusion contain a vulnerability that could allow an authenticated VNC session to cause a stack overflow via a specific set of VNC packets. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session. Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105410 |
published | 2017-12-21 |
reporter | This script is Copyright (C) 2017-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/105410 |
title | VMSA-2017-0021 : VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities |
code |
```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2017-0021.
# The text itself is copyright (C) VMware Inc.
#

include("compat.inc");

if (description)
{
  script_id(105410);
  script_version("3.11");
  script_cvs_date("Date: 2019/09/26 15:14:18");

  script_cve_id("CVE-2017-4933", "CVE-2017-4940", "CVE-2017-4941", "CVE-2017-4943");
  script_xref(name:"VMSA", value:"2017-0021");

  script_name(english:"VMSA-2017-0021 : VMware ESXi, vCenter Server Appliance, Workstation and Fusion updates address multiple security vulnerabilities");
  script_summary(english:"Checks esxupdate output for the patches");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote VMware ESXi host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"a. ESXi, Workstation, and Fusion stack overflow via authenticated VNC session

VMware ESXi, Workstation, and Fusion contain a vulnerability that could allow an authenticated VNC session to cause a stack overflow via a specific set of VNC packets. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session.

Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

VMware would like to thank Lilith Wyatt and another member of Cisco Talos for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4941 to this issue.

b. ESXi, Workstation, and Fusion heap overflow via authenticated VNC session

VMware ESXi, Workstation, and Fusion contain a vulnerability that could allow an authenticated VNC session to cause a heap overflow via a specific set of VNC packets resulting in heap corruption. Successful exploitation of this issue could result in remote code execution in a virtual machine via the authenticated VNC session.

Note: In order for exploitation to be possible in ESXi, VNC must be manually enabled in a virtual machine's .vmx configuration file. In addition, ESXi must be configured to allow VNC traffic through the built-in firewall.

VMware would like to thank Lilith Wyatt of Cisco Talos for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4933 to this issue.

c. ESXi Host Client stored cross-site scripting vulnerability

The ESXi Host Client contains a vulnerability that may allow for stored cross-site scripting (XSS). An attacker can exploit this vulnerability by injecting Javascript, which might get executed when other users access the Host Client.

VMware would like to thank Alain Homewood of Insomnia Security for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4940 to this issue.

d. Privilege escalation in vCenter Server Appliance (vCSA)

VMware vCenter Server Appliance (vCSA) contains a local privilege escalation vulnerability via the 'showlog' plugin. Successful exploitation of this issue could result in a low privileged user gaining root level privileges over the appliance base OS.

VMware would like to thank Lukasz Plonka for reporting this issue to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4943 to this issue."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://lists.vmware.com/pipermail/security-announce/2017/000394.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply the missing patches.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.0");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:6.5");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/12/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 Tenable Network Security, Inc.");
  script_family(english:"VMware ESX Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
  script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");

  exit(0);
}

include("audit.inc");
include("vmware_esx_packages.inc");

# Local check: needs SSH access and the host's installed-VIB list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/VMware/release")) audit(AUDIT_OS_NOT, "VMware ESX / ESXi");
if (
  !get_kb_item("Host/VMware/esxcli_software_vibs") &&
  !get_kb_item("Host/VMware/esxupdate")
) audit(AUDIT_PACKAGE_LIST_MISSING);

init_esx_check(date:"2017-12-19");
flag = 0;

# A host is flagged if any of the patched VIB versions below is missing.
if (esx_check(ver:"ESXi 5.5", vib:"VMware:esx-base:5.5.0-3.103.6480267")) flag++;
if (esx_check(ver:"ESXi 5.5", vib:"VMware:esx-ui:1.12.0-6027315")) flag++;

if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-base:6.0.0-3.76.6856897")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:esx-ui:1.22.0-6282878")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsan:6.0.0-3.76.6769077")) flag++;
if (esx_check(ver:"ESXi 6.0", vib:"VMware:vsanhealth:6.0.0-3000000.3.0.3.76.6769078")) flag++;

if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-base:6.5.0-1.29.6765664")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-tboot:6.5.0-1.29.6765664")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:esx-ui:1.23.0-6506686")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsan:6.5.0-1.29.6765666")) flag++;
if (esx_check(ver:"ESXi 6.5", vib:"VMware:vsanhealth:6.5.0-1.29.6765667")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:esx_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
|
NASL family | Windows |
NASL id | VMWARE_PLAYER_WIN_VMSA_2017_0021.NASL |
description | The version of VMware Player installed on the remote Windows host is 12.x prior to 12.5.8. It is, therefore, affected by multiple vulnerabilities that can allow code execution in a virtual machine via the authenticated VNC session as well as cause information disclosure from one virtual machine to another virtual machine on the same host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105555 |
published | 2018-01-04 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105555 |
title | VMware Player 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) |

NASL family | Windows |
NASL id | VMWARE_WORKSTATION_WIN_VMSA_2017_0021.NASL |
description | The version of VMware Workstation installed on the remote Windows host is 12.x prior to 12.5.8. It is, therefore, affected by multiple vulnerabilities that can allow code execution in a virtual machine via the authenticated VNC session as well as cause information disclosure from one virtual machine to another virtual machine on the same host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105487 |
published | 2017-12-29 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105487 |
title | VMware Workstation 12.x < 12.5.8 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) |

NASL family | MacOS X Local Security Checks |
NASL id | MACOSX_FUSION_VMSA_2017_0021.NASL |
description | The version of VMware Fusion installed on the remote macOS or Mac OS X host is 8.x prior to 8.5.9. It is, therefore, affected by multiple vulnerabilities that can allow code execution in a virtual machine via the authenticated VNC session as well as cause information disclosure from one virtual machine to another virtual machine on the same host. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105485 |
published | 2017-12-29 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105485 |
title | VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS) |

NASL family | Misc. |
NASL id | VMWARE_ESXI_6_5_BUILD_6765664.NASL |
description | The version of the remote VMware ESXi 6.5 host is prior to build 6765664. It is, therefore, affected by a heap buffer overflow vulnerability that can be triggered by a specially crafted set of VNC packets. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 105614 |
published | 2018-01-05 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/105614 |
title | ESXi 6.5 < Build 6765664 Heap Buffer Overflow (VMSA-2017-0021) (remote check) |
Seebug
bulletinFamily | exploit |
description | ### Summary

An exploitable code execution vulnerability exists in the remote management (VNC) functionality of VMware. A specially crafted set of VNC packets can cause a heap overflow resulting in heap corruption. An attacker can create a VNC session to trigger this vulnerability.

### Tested Versions

Vase, Linux/Windows

### Product URLs

https://my.vmware.com/web/vmware/info/slug/desktopendusercomputing/vmwareworkstationpro/120

### CVSSv3 Score

9.0 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

### CWE

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

### Details

VMware's VNC implementation is used for remote management, remote access, and automation purposes in VMware products such as Workstation, Player, and ESXi, which all share a common VMW VNC code base. Along with the standard VNC messages that every VNC server is required to serve, as specified in the RFB RFCs, VMware uses a custom, proprietary VNC extension, designated by the byte `\x7f`, which I will refer to as the vmw-vnc protocol during the course of this write-up. It should be noted that the vmw-vnc protocol reimplements a few VNC features, including MouseActions and KeyActions, the benefit of which could not be ascertained. It also has some interesting messages, including `VMWAudio` and `VMWTouchEvent`; however, these were not supported within vmw-vnc at the time of writing.

VMware VNC messages all follow the general format:

```
offset | bytes      <== Explanation
--------------------------------------------------------------------------------------
0x0    | \x7f       <= Designates a VMW (Virtual Machine Window) message
0x1    | \xAB       <= Which VMW message (0x0-0xB seen so far)
0x2    | \x00\x08   <= Length of the total VMW message
0x4    | [Where the message-specific bytes begin]
```

It should also be noted that the size field only has to meet the message type's minimum. For example, the VMWClientAck request looks like this:

```
\x7f\x04\x00\x08\x00\x00\xAB\xCD
```

Here `\x00\x00\xAB\xCD` is the duration of the ACK, and the size `\x00\x08` only needs to be at least the hardcoded minimum of 0x8.

This specific vulnerability lies within the VMWDynResolution request. Not surprisingly, this is one of the few messages that causes the VNC server to read in a user-supplied amount of bytes. The VMWDynResolution request is as follows:

```
0x0 | \x7f      [Header]
0x1 | \x0a      [Type]
0x2 | \x00\x06  [Size]
0x4 | \xZZ\xZZ  [NumRectangle]
0x6 | [Begin rectangle data]
```

These rectangles contribute to dynamically sizing the resolution, and each rectangle consists of four dwords, which appear to be the bounds of the rectangle:

```
buf += struct.pack(">I", self.left)
buf += struct.pack(">I", self.top)
buf += struct.pack(">I", self.right)
buf += struct.pack(">I", self.bottom)
```

The crash occurs when the VNC server handles this data. When the server allocates the `VNCChannel` object, it reserves a statically sized buffer (0xac0 bytes) for the contents of any given VNC packet. It only reads in 0xaaa bytes at a time, so the buffer itself never overflows; however, the NumRectangle field is never validated against the amount of data actually received, so the heap can still be corrupted. The rectangle handling, in pseudo-Python, is:

```
for x in range(0, NumRects):
    rect = rectangle(input_data[x*16:x*16+16])
    byteSwap(rect.left)    # [rsi+0]
    byteSwap(rect.top)     # [rsi+4]
    byteSwap(rect.right)   # [rsi+8]
    byteSwap(rect.bottom)  # [rsi+0xC]
    if rect.right < 0 or rect.bottom < 0:
        return Bad
```

As noted above, since there is no check on the number of rectangles and the buffer is of fixed size, the buffer cannot be overflowed by the read itself, but the heap can still be corrupted: with a large enough NumRectangle the server walks past the end of the buffer and treats the heap metadata that follows it as rectangles, byte-swapping it in place. While it does perform some validation, so that you cannot walk all the way down the heap, curiously it only checks two of the co-ordinates for a valid (non-negative) value, and it does not validate before swapping the bytes. It should also be noted that the server does not bail out completely upon heap corruption; it keeps reading in VNC packets in a loop until there is no more data. An attacker could use this vulnerability to corrupt the heap, which could lead to code execution.

### Crash Information

```
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x5f ('_')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0x164e2
RDI: 0x164db
RBP: 0x7f0da5fc7ba0 --> 0x7f0da5fc7bb0 ("00007f0d70075110")
RSP: 0x7f0da5fc7808 --> 0x7f0daa1b0448 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7f0daa1af067 (<__GI_raise+55>: cmp rax,0xfffffffffffff000)
R8 : 0x3031313537303037 ('70075110')
R9 : 0x0
R10: 0x8
R11: 0x3206
R12: 0x7f0da5fc79b0 --> 0x0
R13: 0x7
R14: 0x5f ('_')
R15: 0x7
EFLAGS: 0x3206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7f0daa1af05d <__GI_raise+45>: movsxd rdi,ecx
   0x7f0daa1af060 <__GI_raise+48>: mov eax,0xea
   0x7f0daa1af065 <__GI_raise+53>: syscall
=> 0x7f0daa1af067 <__GI_raise+55>: cmp rax,0xfffffffffffff000
   0x7f0daa1af06d <__GI_raise+61>: ja 0x7f0daa1af08d <__GI_raise+93>
   0x7f0daa1af06f <__GI_raise+63>: repz ret
   0x7f0daa1af071 <__GI_raise+65>: nop DWORD PTR [rax+0x0]
   0x7f0daa1af078 <__GI_raise+72>: test ecx,ecx
[------------------------------------stack-------------------------------------]
0000| 0x7f0da5fc7808 --> 0x7f0daa1b0448 (<__GI_abort+328>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7f0da5fc7810 --> 0x20 (' ')
0016| 0x7f0da5fc7818 --> 0x0
0024| 0x7f0da5fc7820 --> 0x0
0032| 0x7f0da5fc7828 --> 0x0
0040| 0x7f0da5fc7830 --> 0x0
0048| 0x7f0da5fc7838 --> 0x0
0056| 0x7f0da5fc7840 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007f0daa1af067 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
<(^.^)># bt
#0  0x00007f0daa1af067 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f0daa1b0448 in __GI_abort () at abort.c:89
#2  0x00007f0daa1ed1b4 in __libc_message (do_abort=do_abort@entry=0x1, fmt=fmt@entry=0x7f0daa2e2210 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007f0daa1f298e in malloc_printerr (action=0x1, str=0x7f0daa2de326 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:4996
#4  0x00007f0daa1f3696 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0x0) at malloc.c:3840
```

### Mitigation

An important factor in this vulnerability is that it requires a successful VNC authentication beforehand, but by default VMware does not require a username/password for VNC sessions. Turning on VNC authentication should mitigate this, turning it from a no-auth bug into a single-auth one.

### Timeline

* 2017-07-12 - Vendor Disclosure
* 2017-12-19 - Public Release |
id | SSV:97001 |
last seen | 2017-12-25 |
modified | 2017-12-20 |
published | 2017-12-20 |
reporter | Root |
title | VMware VNC Dynamic Resolution Request Code Execution Vulnerability(CVE-2017-4933) |
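The Details section above describes the VMW message framing, the VMWDynResolution layout, and why an unchecked NumRectangle corrupts heap memory that sits behind a buffer the read itself can never overflow. The following Python is an added example, not code from the Talos write-up or from VMware: it encodes VMW messages as described, simulates the 0xac0-byte channel buffer with a 0xaaa-byte read (both sizes from the write-up), and runs two parsers over it. The first mirrors the flawed logic (trust NumRectangle, byte-swap in place before validating, check only right/bottom); the second ties NumRectangle to the message length and the bytes actually received. The 48 bytes of "heap" placed after the buffer are a constructed stand-in for a neighbouring chunk header, not a real allocator layout, and the exact field order inside the server's handler is an assumption.

```python
import struct

VMW_HDR = 0x7F        # every VMW extension message starts with this byte
VMW_DYNRES = 0x0A     # VMWDynResolution message type
CHANNEL_BUF = 0xAC0   # fixed packet buffer inside the VNCChannel object (write-up)
MAX_READ = 0xAAA      # bytes the server reads into it at a time (write-up)
RECT_SIZE = 16        # four big-endian dwords: left, top, right, bottom

# Constructed stand-in for the memory right after the buffer: a 16-byte chunk
# header (prev_size, size) and 32 bytes of the neighbouring chunk. Illustrative
# values only, not taken from a real allocator.
NEXT_CHUNK = struct.pack("<QQ", 0, 0xAD1) + bytes(range(0x41, 0x61))


def vmw_message(msg_type, body):
    """Encode a VMW message: \\x7f, type, big-endian total length, body."""
    return struct.pack(">BBH", VMW_HDR, msg_type, 4 + len(body)) + body


def dynres_message(rects, claimed_count=None):
    """Build a VMWDynResolution request. claimed_count lets NumRectangle disagree
    with the rectangles actually sent, which is what triggers the bug."""
    count = len(rects) if claimed_count is None else claimed_count
    body = struct.pack(">H", count)
    for rect in rects:
        body += struct.pack(">IIII", *rect)
    return vmw_message(VMW_DYNRES, body)


def receive(packet):
    """Simulate the fixed-size read: at most MAX_READ bytes land in the
    CHANNEL_BUF-byte buffer, which NEXT_CHUNK follows immediately."""
    mem = bytearray(CHANNEL_BUF) + bytearray(NEXT_CHUNK)
    n = min(len(packet), MAX_READ)
    mem[:n] = packet[:n]
    return mem


class SimulatedFault(Exception):
    """The parser walked off the end of the memory we model."""


def _swap_dword_in_place(mem, off):
    if off + 4 > len(mem):
        raise SimulatedFault(off)
    mem[off:off + 4] = mem[off:off + 4][::-1]   # network-to-host, written back


def parse_dynres_vulnerable(mem):
    """Mirror of the flawed logic: trust NumRectangle, byte-swap in place before
    validating, and reject only a negative right/bottom."""
    num_rects = struct.unpack_from(">H", mem, 4)[0]
    processed = 0
    try:
        for i in range(num_rects):
            off = 6 + RECT_SIZE * i
            for field in range(4):
                _swap_dword_in_place(mem, off + 4 * field)   # corrupts whatever is there
            right, bottom = struct.unpack_from("<ii", mem, off + 8)
            if right < 0 or bottom < 0:
                return processed, "bad"
            processed += 1
    except SimulatedFault:
        return processed, "fault"
    return processed, "ok"


def parse_dynres_hardened(mem, received):
    """Validate before touching anything: the length field must fit the bytes
    actually received, and NumRectangle must fit the length field."""
    hdr, mtype, length = struct.unpack_from(">BBH", mem, 0)
    if hdr != VMW_HDR or mtype != VMW_DYNRES:
        return None, "wrong type"
    if length < 6 or length > received:
        return None, "length exceeds data received"
    num_rects = struct.unpack_from(">H", mem, 4)[0]
    if 6 + RECT_SIZE * num_rects > length:
        return None, "NumRectangle exceeds message length"
    rects = []
    for i in range(num_rects):
        left, top, right, bottom = struct.unpack_from(">iiii", mem, 6 + RECT_SIZE * i)
        if min(left, top, right, bottom) < 0 or right < left or bottom < top:
            return None, "invalid rectangle"
        rects.append((left, top, right, bottom))
    return rects, "ok"


def demo():
    honest = dynres_message([(0, 0, 1024, 768)])
    lying = dynres_message([(0, 0, 1024, 768)], claimed_count=0xFFFF)  # one rect, claims 65535
    out = {
        "honest_vulnerable": parse_dynres_vulnerable(receive(honest)),
        "honest_hardened": parse_dynres_hardened(receive(honest), len(honest)),
        "lying_hardened": parse_dynres_hardened(receive(lying), len(lying)),
    }
    mem = receive(lying)
    out["lying_vulnerable"] = parse_dynres_vulnerable(mem)
    out["chunk_header_corrupted"] = bytes(mem[CHANNEL_BUF:CHANNEL_BUF + 16]) != NEXT_CHUNK[:16]
    return out
```

Running `demo()` shows the asymmetry the write-up describes: the lying message is only 22 bytes long, but the vulnerable parser processes 174 "rectangles" of zeroed buffer and neighbouring heap before the model runs out of memory, and the simulated chunk header has already been byte-swapped in place by the time any check could fire. The hardened parser rejects the same message before touching a single byte.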
Talos
id | TALOS-2017-0368 |
last seen | 2019-05-29 |
published | 2017-12-19 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0368 |
title | VMware VNC Dynamic Resolution Request Code Execution Vulnerability |