Vigil@nce: VMware, privilege elevation under 64 bits
October 2008 by Vigil@nce
An attacker can elevate his privileges inside a virtual guest running a 64-bit BSD or Windows system.
Consequences: administrator access/rights
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 06/10/2008
Impacted products: VMware ESX Server, VMware ESX Server 3i
The vulnerability VIGILANCE-VUL-8087 (https://vigilance.aql.fr/tree/1/8087) describes an error in the handling of the SwapGS assembler instruction on FreeBSD/amd64, which an attacker can use to obtain kernel privileges.
The VMware emulator is impacted by the same vulnerability, which can be exploited in a BSD or Windows (not Linux) guest system on a 64-bit platform.
An attacker with user access inside a 64-bit BSD/Windows guest system can therefore obtain kernel privileges on the guest system. He does not obtain kernel privileges on the host system.
Identifiers: BID-31569, CVE-2008-4279, VIGILANCE-VUL-8148, VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VMSA-2008-0016