lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 1 Aug 2018 23:30:48 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: <fulldisclosure@...lists.org>
Subject: CVE-2016-7085 NOT fixed in VMware-player-12.5.9-7535481.exe

Hi @ll,

on February 13, 2016, I sent a vulnerability report regarding the
then current executable installer of VMware-player 7.1.3 to its
vendor.

On September 14, 2016, VMware published
<http://blogs.vmware.com/security/2016/09/vmsa-2016-0014.html> and
<http://www.vmware.com/security/advisories/VMSA-2016-0014.html>

I was NOT AMUSED that it took 7 month to fix this beginner's error.


In January 2018, VMware published VMware-player-12.5.9-7535481.exe,
available via <https://www.vmware.com/go/downloadplayer> from
<https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>,
which shows this vulnerability again (plus THREE others), again
allowing arbitrary code execution WITH escalation of privilege!

Apparently VMware's developers haven't heard of regression tests
yet, and their QA (if they have one) seems sound asleep!


On a fully patched Windows 7 SP1, VMware-player-12.5.9-7535481.exe
loads CredSSP.dll, WSHTCPIP.dll, WSHIP6.dll and RASAdHlp.dll from
its "application directory", typically the user's "Downloads"
directory "%USERPROFILE%\Downloads", instead from Windows'
"system directory" "%SystemRoot%\System32".

For this well-known and well-documented vulnerability see
<https://cwe.mitre.org/data/definitions/426.html> and
<https://cwe.mitre.org/data/definitions/427.html> plus
<https://capec.mitre.org/data/definitions/471.html>.


The application manifest embedded in VMware-player-12.5.9-7535481.exe
specifies "requireAdministrator", so any (rogue) DLL placed by the
unprivileged user in the "Downloads" directory is executed with
administrative rights, resulting in arbitrary code execution WITH
escalation of privilege.

CVSS v3 Base Score: 8.2 (High)  CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS v2 Base Score: 7.8         AV:L/AC:M/Au:N/C:C/I:C/A:C


Demonstration/proof of concept:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. follow the instructions from
   <https://skanthak.homepage.t-online.de/minesweeper.html>
   and build a minefield of 32-bit forwarder DLLs in your "Downloads"
   directory;

2. download
   <https://download3.vmware.com/software/player/file/VMware-player-12.5.9-7535481.exe>,
   and save it in your "Downloads" directory;

3. execute VMware-player-12.5.9-7535481.exe: notice the message
   boxes displayed from the DLLs built in step 1!


stay tuned (and FAR away from ALL executable installers!)
Stefan Kanthak


Timeline:
~~~~~~~~~

2018-06-03    vulnerability report(s) sent to vendor

2018-06-13    vendor acknowledged receipt:
              "We will look into this and provide feedback in due course."

2018-06-14    vendor replies:
              "It is my understanding that Workstation Player 12.x has
               since reached end of general support (in February of 2018)
               as per our Lifecycle Product Matrix
                <https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/support/product-lifecycle-matrix.pdf>."

2018-08-01    report published

Powered by blists - more mailing lists