lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4AC5BC65.4020906@digit-labs.org>
Date: Fri, 02 Oct 2009 09:40:05 +0100
From: mu-b <mu-b@...it-labs.org>
To: full-disclosure@...ts.grok.org.uk
Cc: bugtraq@...urityfocus.com
Subject: Re: VMSA-2009-0013 VMware Fusion resolves two security issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All - the first bug is self-explanatory,

> # Kernel denial of service vulnerability
> An integer overflow vulnerability in the vmx86 kernel extension allows
> for a denial of service by an unprivileged user.

The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,

http://www.digit-labs.org/files/exploits/vmware-pop.c

> # Kernel code execution vulnerability
> An ioctl vulnerability in the vmx86 kernel extension allows for
> executing arbitrary code in the kernel context by an unprivileged
> user.

The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.

http://www.digit-labs.org/files/exploits/vmware-fission.c

- --
mu-b
(mu-b@...it-labs.org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrFvGUACgkQY0H9BP42EjxSCACdEzIXe0D8n+VVplyEsuCbPBKS
TjAAnAnHUPOSKrphGeaynF5bIKYQNyPY
=lMJv
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ