Bugtraq mailing list archives

Re: VMware 1.1.2 Symlink Vulnerability

From: oinos () MAIL KB0RVE ORG (Oinos)
Date: Tue, 25 Jan 2000 00:23:12 -0600


The use of the /tmp directory is default in VMware, but configurable with
the tmpDirectory = <directory> setting in the .cfg file for the guest
operating system, or with the TMPDIR=<directory> setting in your shell
environment.  This is documented on VMware's website.

-Oinos

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of harikiri
Sent: Monday, January 24, 2000 8:49 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: VMware 1.1.2 Symlink Vulnerability

w00w00 Security Advisory - http://www.w00w00.org/

Title:          VMware 1.1.2 Symlink Vulnerability
Platforms:      Linux Distributions with VMware 1.1.2 (build 364)
Discovered:     17th January, 2000
Local:          Yes.
Remote:         No.
Author:         harikiri <harikiri () attrition org>
Vendor Status:  Notified.
Last Updated:   N/A

1. Overview

VMware stores temporary log files within the /tmp directory. It does
not check whether all of these files exist prior to creation, resulting
in the potential for a symlink attack.

2. Background

VMware is a commercial application that enables the operation of "guest"
operating systems within the host system. This is performed via the use of
Virtual Machine technology.

Due to the low-level requirements of VMware, it is necessary to run the
program at a high privilege level, typically root.

3. Issue

VMware creates the file "/tmp/vmware-log" on startup. The existance and
owner of the file is not checked prior to writing startup information to
the file.

NOTE: VMware uses other files in the /tmp directory. The one cited above
is only a single example.

4. Impact

Local users may create a symlink from an arbitrary file to /tmp/vmware-log.
When VMware is executed, the file pointed to by the symlink will be
overwritten.

This may be used as a local denial of service attack. There may also be a
method to gain elevated privileges via the symlink attack, though none is
known at this time.

5. Recommendation

Wait for a fix from the vendor.

6. References

- VMware Inc: http://www.vmware.com/
- w00w00 Security Development: http://www.w00w00.org/

EOF

Current thread:

NIS security advisory : password method downgrade Stefan Laudat (Jan 21)
- Re: NIS security advisory : password method downgrade Thorsten Kukuk (Jan 23)
- VMware 1.1.2 Symlink Vulnerability harikiri (Jan 24)
  - Re: VMware 1.1.2 Symlink Vulnerability Oinos (Jan 24)
- <Possible follow-ups>
- Re: NIS security advisory : password method downgrade Darren Moffat - Solaris Sustaining Engineering (Jan 24)