| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Aug 2014 14:37:21 +0000 From: "Dolev Farhi" <dolevf@...oo.com> To: fulldisclosure@...lists.org Subject: [FD] VMware vm-support multiple vulnerabilities Author: dolevf Date: 18.6.2014 Version: vm-support latest version 0.88 Tested on: Red Hat Enterprise Linux 6 Relevant CVEs: 2014-4199, 2014-4200 1. About the application ------------------------ VMware support is a tool designed to collect diagnostic information such as logs, configuration files and directories, from a virtualized guest system. vm-support is part of the vmware-tools pack. 2. Vulnerabilities Descriptions: ----------------------------- CVE-2014-4199: An attacker is able to over-write system files due to insecure creation of files in /tmp by running vm-support tool, potentially denying service to other users of the system. CVE-2014-4200: An attacker is able to extract sensitive files from the vm-support archive due to it having 0644 permissions and stored in /tmp folder. 3. Release date -------------------- 26.8.2014 4. proof of concept ----------------------- CVE-2014-4199: ============= runcmd "ifconfig -a" "/tmp/ifconfig.$$.txt" runcmd "mount" "/tmp/mount.$$.txt" runcmd "dmesg" "/tmp/dmesg.$$.txt" runcmd "ulimit -a" "/tmp/ulimit-a.$$.txt" CVE-2014-4200: ============= [root@...ver1 tmp]# ls -ld vm-2014-08-26.25023.tar.gz -rw-r--r-- 1 root root 631081 Aug 26 17:19 vm-2014-08-26.25023.tar.gz _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists