Vigil@nce: VMware Workstation, VIX API, privilege elevation via vmrun
April 2011 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
On Linux, a local attacker can use the vmrun command of VMware
Workstation/VIX to administer virtual machines.
– Severity: 2/4
– Creation date: 30/03/2011
IMPACTED PRODUCTS
– VMware Workstation
DESCRIPTION OF THE VULNERABILITY
The /usr/bin/vmrun utility is installed on Linux with VMware VIX
API and VMware Workstation. It can be used to control a virtual
machine (list, start, stop, etc.). The root password is required
to use vmrun.
When it starts, vmrun loads a library. However, depending on the
Linux filesystem configuration, a local attacker can create this
library in a directory which is searched before the standard
directories. In this case, the attacker can run vmrun without
authentication.
On Linux, a local attacker can therefore use the vmrun command of
VMware Workstation/VIX to administer virtual machines.
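The condition described above can be checked from the defender's side. The script below is an added example, not part of the Vigil@nce bulletin or of VMware's code: given a colon-separated list of library search directories, it flags every entry in which a user other than root could create a file. The bulletin names neither the library nor the directory, so the list is supplied by the operator (for instance from the binary's RPATH/RUNPATH or from LD_LIBRARY_PATH, both assumptions); check_dir, audit_path and TRUSTED_UID are names chosen for this example.

```sh
#!/bin/sh
# Added example (not from the bulletin): audit library search directories.
# An entry is unsafe when someone other than the trusted owner can create a
# file in it, because a library planted there is found before the real one.
TRUSTED_UID="${TRUSTED_UID:-0}"  # assumption: only root should own these dirs

# check_dir DIR -> prints "UNSAFE <dir> (<reason>)" or "ok <dir>"
check_dir() {
    dir=$1
    case $dir in
        /*) ;;
        *) echo "UNSAFE $dir (empty or relative entry: resolved against the current directory)"
           return 0 ;;
    esac
    # A missing directory is judged by its nearest existing ancestor:
    # whoever can write there can create the directory and the library in it.
    probe=$dir
    while [ ! -d "$probe" ]; do probe=$(dirname "$probe"); done
    note=""
    [ "$probe" = "$dir" ] || note="missing, creatable under $probe; "
    set -- $(stat -L -c '%u %a' "$probe")   # GNU stat: owner uid, octal mode
    if [ "$1" != "$TRUSTED_UID" ]; then
        echo "UNSAFE $dir (${note}owner uid $1)"
    elif [ $(( ($2 / 10 % 10) & 2 )) -ne 0 ] || [ $(( ($2 % 10) & 2 )) -ne 0 ]; then
        echo "UNSAFE $dir (${note}mode $2 is group- or world-writable)"
    else
        echo "ok $dir"
    fi
}

# audit_path "dir1:dir2:..." -> one verdict per entry; returns 1 if any is unsafe
audit_path() {
    [ -n "$1" ] || return 0
    report=$(printf '%s\n' "$1" | tr ':' '\n' |
        while IFS= read -r d; do check_dir "$d"; done)
    printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^UNSAFE'
}

# Usage: sh audit.sh "/first/search/dir:/second/search/dir"
if [ "$#" -gt 0 ]; then
    audit_path "$1"
fi
```

An entry reported as UNSAFE should be removed from the search path or re-owned by root with mode 755 before the binary is trusted to load libraries from it.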
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/VMware-Workstation-VIX-API-privilege-elevation-via-vmrun-10502