Critical VMware Vulnerability, Exploit Released

← Back to Stories (view on slashdot.org)

Critical VMware Vulnerability, Exploit Released

Posted by kdawson on Thursday February 28, 2008 @07:41AM from the heads-up-incoming dept.

BaCa writes "Core Security has issued an advisory disclosing a vulnerability that could severely impact organizations relying on VMware's desktop virtualization software. It involves directory traversal using VMware's shared folders, and could allow an attacker access to the host system from a guest VM. Core also released an exploit for the vulnerability."

6 of 104 comments (clear)

Min score:

Reason:

Sort:

Limited issue by nhtshot · 2008-02-28 07:45 · Score: 3, Interesting

It only affects the desktop systems. Interesting to see vulnerabilities finally start cropping up in the panacea virtualization techs.

But, this isn't a very big deal.
1. Re:Limited issue by billcopc · 2008-02-28 13:51 · Score: 2, Interesting
  
  Actually, I have a differing opinion.
  
  I think VMware Shared Folders have a valid purpose, and the implementation isn't all bad. Having them as a virtual network share, I like. The problem with any feature, useful or not, is that some half-breed is going to misuse it to the extreme. That imbecile will get owned and blame the software because there's no possible way he could have made a stupid mistake.
  
  I think such fools should be put on display. The idiot who used Shared Folders in a production environment, needs to be hung out to dry and hopefully fired from his job because clearly he does not understand the finer intricacies of operating a networked computer.
  
  Me, I like Shared Folders. They're handy on the few occasions when actually use them. I would rather see people quit screaming over this exploit, wait a day for a fix to be released (VMware's pretty decent on important updates), then carry on with their lives. Let's be honest here: Shared Folders are not something every user needs on a constant basis. There are a bunch of people who use VMware on servers, where these folders matter not. There's another bunch like myself who run a ton of virtualized OS'es for compatibility testing. Lastly, there's a handful of idiots who don't really know what they're doing, they just know their title and salary and are extremely good at putting the blame on others to protect that title and salary.
  
  --
  -Billco, Fnarg.com
Doesnt affect Server by quo_vadis · 2008-02-28 07:58 · Score: 2, Interesting

This doesnt affect VMWare server though,which most people use in home settings (given that it is free)

--
Legally obligatory sig : My opinions are my own... etc etc
Re:Exploit code released? by garett_spencley · 2008-02-28 08:31 · Score: 4, Interesting

About 8 years ago I was working at a dot-bomb that produced an "Intranet" solution. We weren't a huge company but we did have customers who deployed our product on their production web servers, as well we offered a "hosted" solution where we hosted the virtual desktop solution on our own servers.

One day a nice whitehat sent an e-mail to all@.com describing that he had found a buffer overflow in our CGI binary that could be exploited in order to get shell access with the permissions of whatever user the webserver was running as. He told us exactly how to exploit it but he did not provide any kind of proof-of-concept code.

Well, the main developer and maintainer of the CGI program (an extremely experienced and talented programmer who is, to this day, still one of the programmers that I look up to the most - for reasons other than what I am about to describe obviously) assured everyone in the company that exploiting such a programming error would be soooooo incredibly difficult that it was a complete non-issue.

Based on his assurances the whitehat was ignored and customers were never notified of the problem and many of them went on running a vulnerable application.

I tried explaining to everyone that buffer overflows in services were exploited all the time to gain remote access but I was a junior level programmer at the time and was ignored.

I imagine that had the whitehat provided us with exploit code that we could use to actually test the problem ourselves and demonstrate it to the "non-believers" then seriousness of the problem would have been forced and the issues would have gotten a lot more attention.

Anyway, of course Core could have provided the code to VMWare only, but the basic idea is that with exploit code in the wild it gives an extra push to get VMWare to fix the problem quickly.
Parallels Desktop has a similar problem... by argent · 2008-02-28 08:54 · Score: 4, Interesting

In Beta they enabled their full drag and drop by default, but turned it off-by-default after a storm of protest on the Parallels forums. The reason for the protest is that they implemented the ability to do Mac-Windows drag and drop everywhere (instead of just to and from the Windows desktop) by creating a special magic UNC path that provided full local-user access to the root of the OS X file system.

As far as I know that's still in there, for both drag-and-drop and, if I recall correctly, for their "Coherence" mode where the Windows run in a pseudo-multi-window mode integrated to the Mac user interface.
Re:Duh? by Bill_the_Engineer · 2008-02-28 11:51 · Score: 2, Interesting

This is a great example of how virtual machines can actually reduce security

No, this is an example of a poor implementation of shared folders. This does not invalidate the use of virtual machines as a security mechanism. However, I will repeat what I said before on this subject: Virtualization solves an availability problem not a security problem.
(something that Theo de Raadt said not that long ago, and was lambasted for.)

He was lambasted for creating a controversy that didn't exist just so that he would be mention in the press. Theo is that you?

--
These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...