Bugtraq mailing list archives
Re: VMware 1.1.2 Symlink Vulnerability
From: oinos () MAIL KB0RVE ORG (Oinos)
Date: Tue, 25 Jan 2000 00:23:12 -0600
The use of the /tmp directory is default in VMware, but configurable with the tmpDirectory = <directory> setting in the .cfg file for the guest operating system, or with the TMPDIR=<directory> setting in your shell environment. This is documented on VMware's website.

-Oinos

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of harikiri
Sent: Monday, January 24, 2000 8:49 AM
To: BUGTRAQ () SECURITYFOCUS COM
Subject: VMware 1.1.2 Symlink Vulnerability

w00w00 Security Advisory - http://www.w00w00.org/

Title: VMware 1.1.2 Symlink Vulnerability
Platforms: Linux Distributions with VMware 1.1.2 (build 364)
Discovered: 17th January, 2000
Local: Yes.
Remote: No.
Author: harikiri <harikiri () attrition org>
Vendor Status: Notified.
Last Updated: N/A

1. Overview

VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack.

2. Background

VMware is a commercial application that enables the operation of "guest" operating systems within the host system. This is performed via the use of Virtual Machine technology.

Due to the low-level requirements of VMware, it is necessary to run the program at a high privilege level, typically root.

3. Issue

VMware creates the file "/tmp/vmware-log" on startup. The existence and owner of the file are not checked prior to writing startup information to the file.

NOTE: VMware uses other files in the /tmp directory. The one cited above is only a single example.

4. Impact

Local users may create a symlink from an arbitrary file to /tmp/vmware-log. When VMware is executed, the file pointed to by the symlink will be overwritten. This may be used as a local denial of service attack. There may also be a method to gain elevated privileges via the symlink attack, though none is known at this time.

5. Recommendation

Wait for a fix from the vendor.

6. References

- VMware Inc: http://www.vmware.com/
- w00w00 Security Development: http://www.w00w00.org/

EOF