Author: dolevf
Date: 18.6.2014
Version: vm-support latest version 0.88
Tested on: Red Hat Enterprise Linux 6
Relevant CVEs: 2014-4199, 2014-4200
1. About the application
------------------------
VMware support is a tool designed to collect diagnostic information such as logs, configuration files and directories, from a virtualized guest system.
vm-support is part of the vmware-tools pack.
2. Vulnerability descriptions:
-----------------------------
CVE-2014-4199: An attacker is able to overwrite system files due to the insecure creation of files in /tmp when the vm-support tool is run, potentially denying service to other users of the system.
CVE-2014-4200: An attacker is able to extract sensitive files from the vm-support archive because it has 0644 permissions and is stored in the /tmp folder.
3. Release date
--------------------
26.8.2014
4. Proof of concept
-----------------------
CVE-2014-4199:
=============
runcmd "ifconfig -a" "/tmp/ifconfig.$$.txt"
runcmd "mount" "/tmp/mount.$$.txt"
runcmd "dmesg" "/tmp/dmesg.$$.txt"
runcmd "ulimit -a" "/tmp/ulimit-a.$$.txt"
CVE-2014-4200:
=============
[root@server1 tmp]# ls -ld vm-2014-08-26.25023.tar.gz
-rw-r--r-- 1 root root 631081 Aug 26 17:19 vm-2014-08-26.25023.tar.gz
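A hardened form of the two patterns shown above, as an added example that is not vm-support's own code and not from the advisory's author. The function names safe_runcmd and collect_diagnostics, the vm-support.XXXXXXXXXX template and the data/ layout are assumptions made for illustration; how the real runcmd is implemented is not shown on this page.

```shell
#!/bin/sh
# Added example, not vm-support's own code. safe_runcmd and
# collect_diagnostics are hypothetical names.

# safe_runcmd CMD NAME DIR: run CMD and store its output in DIR/NAME.
safe_runcmd() {
    (
        umask 077   # new files are created 0600
        set -C      # noclobber: '>' refuses an existing file or a
                    # pre-placed symlink instead of writing through it
        eval "$1" > "$3/$2" 2>&1
    )
}

# collect_diagnostics: gather output in a private directory and print the
# path of the resulting archive.
collect_diagnostics() {
    (
        umask 077
        # mktemp -d picks an unpredictable name and creates the directory
        # atomically with mode 0700, unlike a fixed /tmp/<name>.$$.txt path.
        work=$(mktemp -d "${TMPDIR:-/tmp}/vm-support.XXXXXXXXXX") || exit 1
        mkdir "$work/data" || exit 1

        # Two of the commands listed in the advisory; a failing command
        # must not abort the collection.
        safe_runcmd "ulimit -a" "ulimit-a.txt" "$work/data" || true
        safe_runcmd "dmesg"     "dmesg.txt"    "$work/data" || true

        # The archive stays inside the 0700 directory and, because of the
        # umask, is created 0600 rather than 0644.
        tar -czf "$work/vm-support.tar.gz" -C "$work" data || exit 1
        printf '%s\n' "$work/vm-support.tar.gz"
    )
}

# Usage: archive=$(collect_diagnostics) && ls -l "$archive"
```

To check an existing system for the CVE-2014-4200 condition, look for vm-*.tar.gz files in /tmp whose mode grants read access to group or others.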
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information