Researcher: Critical vulnerability found in VMware's desktop apps

Core Security Technologies said Monday that it has discovered vulnerability in VMware's desktop virtualization software that allows an attacker to gain complete control a system and launch executable files on the host operating system.

The discovery is notable given that virtualization security is largely uncharted territory. However, it doesn't take a rocket scientist to figure out virtualization could be some fertile ground for hackers.

Core Security also said that it has released an exploit for the VMware vulnerability to prove it exists. The release of the exploit coincides with VMware's VMworld Europe show in France.

Update: I had wondered about why the exploit was released instead of an advisory being issued. Here's what Core Security CTO Ivan Arce had to say:

We released a security advisory that includes full technical details and proof of concept code because we believe it to be necessary to help vulnerable users to assess if they are vulnerable or not and to deploy and test their risk mitigation mechanisms.

Also, there is a simple workaround to prevent exploitation that is clearly described in our and VMware's advisory. Our advisory includes proof-of-concept code (code designed to prove that a vulnerability exists) not a fully functional exploit.

Core's purpose in publishing security advisories is to inform potentially vulnerable organizations of security problems we've discovered and to provide guidance on how to address them to minimize their exposure. We've been doing that for free, as a way to give back to the IT security community for the past 13 years.

As for the details, CoreLabs--Core Security's research group--said a malicious user--or an application--running on VMware's desktop software can break out of its "isolated environment" and gain access to the system. The company found the vulnerability while researching a similar flaw--technically a VMware Workstation Shared Folders Directory Traversal Vulnerability--discovered by Greg McManus at iDefense Labs almost a year ago.

In a statement, Core Security outlined the following:

CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host's file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism, which in turn passes it to the Host system's file system.

Exploitation of path traversal vulnerabilities such as one found by CoreLabs, also commonly found in web server software and web applications, generally involve the specification of pathnames that include the ".." substring to escape out of folder access restriction. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources.

Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the vulnerability disclosed previously (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings.

The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing.

VMware plans to fix these issues in upcoming releases. For now Core Security recommends that users disable shared folders for all virtual machines that use the feature. If that's not possible, configure shared folders for read-only access, implement file system monitoring and access control, or upgrade your VMware software.