Researcher: Critical vulnerability found in VMware's desktop apps

Summary: Core Security Technologies said Monday that it has discovered a vulnerability in VMware's desktop virtualization software that allows an attacker to gain complete control of a system and launch executable files on the host operating system. The discovery is notable given that virtualization security is largely uncharted territory.


Core Security Technologies said Monday that it has discovered a vulnerability in VMware's desktop virtualization software that allows an attacker to gain complete control of a system and launch executable files on the host operating system.

The discovery is notable given that virtualization security is largely uncharted territory. However, it doesn't take a rocket scientist to figure out virtualization could be some fertile ground for hackers.

Core Security also said that it has released an exploit for the VMware vulnerability to prove it exists. The release of the exploit coincides with VMware's VMworld Europe show in France.

Update: I had wondered about why the exploit was released instead of an advisory being issued. Here's what Core Security CTO Ivan Arce had to say:

We released a security advisory that includes full technical details and proof of concept code because we believe it to be necessary to help vulnerable users to assess if they are vulnerable or not and to deploy and test their risk mitigation mechanisms.

Also, there is a simple workaround to prevent exploitation that is clearly described in our and VMware's advisory. Our advisory includes proof-of-concept code (code designed to prove that a vulnerability exists) not a fully functional exploit.

Core's purpose in publishing security advisories is to inform potentially vulnerable organizations of security problems we've discovered and to provide guidance on how to address them to minimize their exposure. We've been doing that for free, as a way to give back to the IT security community for the past 13 years.

As for the details, CoreLabs--Core Security's research group--said a malicious user--or an application--running inside a guest on VMware's desktop software can break out of the guest's "isolated environment" and reach the host's file system. The company found the vulnerability while researching a similar flaw--a VMware Workstation Shared Folders directory traversal vulnerability--discovered by Greg McManus at iDefense Labs almost a year ago.

In a statement, Core Security outlined the following:

CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host's file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware's Shared Folders mechanism, which in turn passes it to the Host system's file system.

Exploitation of path traversal vulnerabilities such as the one found by CoreLabs, which are also commonly found in web server software and web applications, generally involves specifying pathnames that include the ".." substring to escape a folder access restriction. To prevent this type of attack, it is common to filter the potentially malicious substring out of input received from untrusted sources.

Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the vulnerability disclosed previously (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings.

The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing.
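The mechanism in Core's statement above (a ".." filter that a multi-byte encoding walks past) is easy to reproduce in miniature. What follows is an added example written for this page; it is not Core's proof-of-concept code and not VMware's shared-folder implementation. It assumes a host that receives the guest's PathName as raw bytes in a declared encoding and maps it under a single shared-folder root, and it uses POSIX path rules so it runs anywhere. The root directory, the function names and the sample requests are all made up for the illustration.

```python
"""Added example (not Core's PoC or VMware's code): why filtering ".." on the
wire bytes fails once the path is decoded from a multi-byte encoding, and the
decode-then-canonicalise-then-contain pattern that holds up.

Assumptions (mine, not from the advisory): the guest hands the host a PathName
as raw bytes plus an encoding, the host maps it under one shared-folder root,
and POSIX path rules are used so the example runs on any platform. A Windows
host would use ntpath and must treat "\\" as a separator, which
hardened_resolve() does explicitly.
"""
import posixpath
from typing import Optional

# Hypothetical host directory exported to the guest as a shared folder.
SHARE_ROOT = "/srv/vmshare"


def vulnerable_resolve(share_root: str, raw_pathname: bytes, encoding: str) -> Optional[str]:
    """Substring filter on the undecoded bytes, then decode and join.

    The check and the file-system access look at two different
    representations of the same path, which is the class of mistake the
    statement above describes.
    """
    if b".." in raw_pathname:                   # filter runs on the wire bytes ...
        return None
    decoded = raw_pathname.decode(encoding)     # ... but the host uses the decoded text
    return posixpath.normpath(posixpath.join(share_root, decoded))


def hardened_resolve(share_root: str, raw_pathname: bytes, encoding: str) -> Optional[str]:
    """Decode strictly first, then validate the canonical form.

    Returns the host path to open, or None if the request must be refused.
    """
    try:
        decoded = raw_pathname.decode(encoding)  # strict: overlong/invalid sequences fail
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:                        # NUL would truncate the path in C APIs
        return None
    decoded = decoded.replace("\\", "/")         # Windows hosts accept both separators
    if decoded.startswith("/"):                  # no absolute paths from the guest
        return None
    if any(part == ".." for part in decoded.split("/")):
        return None
    root = posixpath.normpath(share_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # Containment check on the canonical result, independent of the filter above,
    # so a gap in the component filter still cannot leave the share root.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def traversal_attempts() -> dict:
    """Constructed sample requests from a guest; the keys describe each attempt."""
    return {
        "plain_dotdot": (b"../../../etc/passwd", "utf-8"),
        # Same path in UTF-16LE: every '.' is followed by a NUL byte, so the
        # two-byte pattern b".." never occurs in the wire bytes.
        "utf16_dotdot": ("../../../etc/passwd".encode("utf-16-le"), "utf-16-le"),
        # Overlong UTF-8 for "." (0xC0 0xAE): a lenient decoder maps it to '.',
        # a strict one refuses it outright.
        "overlong_dotdot": (b"\xc0\xae\xc0\xae/etc/passwd", "utf-8"),
        "legit": (b"docs/report.txt", "utf-8"),
    }


if __name__ == "__main__":
    for name, (raw, enc) in traversal_attempts().items():
        try:
            weak = vulnerable_resolve(SHARE_ROOT, raw, enc)
        except UnicodeDecodeError:
            weak = "decode error"
        strong = hardened_resolve(SHARE_ROOT, raw, enc)
        print(f"{name:16} vulnerable -> {weak!s:30} hardened -> {strong}")
```

Running it prints one line per constructed request. The two functions differ in the order of operations: the vulnerable one checks bytes and then decodes, so any encoding in which ".." is not the byte sequence 0x2E 0x2E (UTF-16 here) gets past the filter and normpath turns the joined path into /etc/passwd; the hardened one decodes strictly, rejects ".." as a path component, and then checks that the canonical result still lies under the share root. On a real host you would also resolve symbolic links (os.path.realpath) before the containment comparison, and a Windows host would use ntpath instead of posixpath.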

VMware plans to fix these issues in upcoming releases. For now Core Security recommends that users disable shared folders for all virtual machines that use the feature. If that's not possible, configure shared folders for read-only access (which stops a guest from planting or modifying executables on the host even if the path check is bypassed), implement file system monitoring and access control, or upgrade your VMware software.
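For readers who manage these settings outside the GUI, the per-VM .vmx keys behind the two recommendations above are shown here as an added example; this fragment is not from the article, Core's advisory or VMware's advisory. The host path and share name are placeholders, and the key names are from the author's familiarity with the Workstation .vmx format, so check them against the VMware version you run.

```ini
# Added example, not from the article or either advisory. Placeholder host
# path and share name; key names assumed from the Workstation .vmx format.

# Weak: a writable share exported to the guest.
sharedFolder.maxNum = "1"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.readAccess = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\VMShare"
sharedFolder0.guestName = "VMShare"
sharedFolder0.expiration = "never"

# Mitigation 1 (Core's first recommendation): switch the feature off for this VM.
isolation.tools.hgfs.disable = "TRUE"

# Mitigation 2, if the share has to stay: keep it read-only so the guest cannot
# write into the host file system even if the PathName check is bypassed.
# (Use this line in place of the writeAccess = "TRUE" line above.)
sharedFolder0.writeAccess = "FALSE"
```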

Topics: Hardware, Security, Virtualization, VMware

  • Shared Folders are enabled by default?

    On my VMWare Workstation 6.0.2 build-59824 setup, the option "Shared Folders" is set to DISABLED. I have not changed it, it came that way by default. This contradicts the statement that it is ENABLED by default.
  • what do I think?

    I think these 'Core Security' people are grand-standers, and that you are helping them on their perceived way of getting attention.

    How can it possibly be moral to launch an exploit at the time a company is exhibiting at a fair?

    If it is so simple as a multi-byte error in an earlier fix from VMware, why not just tell them, and let it get fixed?

    This whole security game is getting to be just that - a game.

    No respect for foolish programmers or worse who are responsible.
    Narr vi
    • So only the hackers should know?

      Naw, tell the world so they can protect themselves.
      • NoAx, believe it's a little simpler than that

        Hackers only know if they find it. Telling alerts script kiddies, and the hackers who don't know, who in spite of the new 'all-powerful' image, typically probably don't know at all.

        Companies should have a reasonable interval, given notice so they can fix themselves. If they don't, then your argument becomes potentially more valid.

        Right now, it is a ransom game. You can tell by the nasty comments all around, and the refusal to acknowledge when the companies understandably don't appreciate certain security-profiteers-hacker behaviour.
        Narr vi
      • I totally agree.

        Just like IE, WMP, Outlook, Word, Excel, etc. vulnerabilities should be published immediately. That way everyone can take steps to protect themselves while they wait for MS to (maybe - if they feel like it) issue the fix in 30,29,28... days.
        • but who is 'everyone', Leto?

          Conservatively, 99.44% (Old Ivory commercial) of software customers will never hear of these 'service to community' advisories.

          The hackers will. And 'service to community' gets another feather.

          I'm sorry, but I don't see a help to prevent infections here. Rather, more likelihood the exploit is propagated long before a fix can be made, tested, and rolled out in practical terms.

          I would like it to be otherwise, of course.
          Narr vi
          • You missed the sarcasm.

            I was pointing out how inane his position truly is by extending his position to something he'd totally oppose.
          • Fair enough, Leto

            and thanks for the memories of Dune...
            Narr vi
    • And I would bet these Core Security people

      would have you in court if you told the world that the lock on their homes could be easily bypassed, explained how to unlock the door without a key, and then someone robbed them blind.
      • Updated fyi

        I added a statement from Core on why they released the code without an advisory.
        Larry Dignan
        • thanks, Larry,

          and it's helpful to see how they perceive matters.

          However, it seems to me the real situation is more like my answer to Leto above, no?

          I just am glad my young niece uses her parents' Mac, so she's somewhat less likely to have to look at the ugliness of these things.

          Narr vi
    • How can it be moral...

      for companies to keep releasing crap for software?
      • Your generalization isn't helpful

        Get off your high horse and start developing exploit free software if you think it's such a slam dunk.

        It's a lot like writing scripts. Sometimes you don't know there are errors or problems with the script until you run it or give it to others to run. You can only stare at the same lines of code so many times before the eyes go numb. At some point one has to put a stake in the ground and say "I believe it's cooked and ready for prime time". If problems or exploits are found, the author should take responsibility in resolving the issue ASAP so as not to negatively impact his/her own environment, or the environment of others.
  • But Virtualization is so secure.....

    Isn't this the entire idea behind sandboxing web browsers? So if you can tunnel outside of the sandbox, the point is pretty much defeated.

    Thanks VMware.
  • I disable shared folders

    Shared folders AREN'T needed.

    If your guest VM is a unix variant, you have at your disposal secure shell (ssh) which allows you to access the host file system in a secure manner. If it isn't, simply install Cygwin which includes ssh.

    Another solution is Samba with the share accessible by only ssh.

    Be safe.
    D T Schmitz
  • People who have no experience level...

    ...needn't offer criticisms. It shows.
    D T Schmitz
  • RE: Researcher: Critical vulnerability found in VMware's desktop apps

    CoreLabs staff found the vulnerability in October, while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007.

    "Since October we have been exchanging e-mails with the VMware security team," said Arce. "The fix was supposed to be released in December, then January, then February. The workaround is simple and easy, so rather than continue to wait, we felt we should inform the users, and then wait for an official response."
  • 2 typos in the opening paragraph

    Proof read, my friends, proof read.
  • WRONG !! Ver 6 sharing is DISABLED

    Release of this seems timed to damage VMWARE, not to help users.

    The original report should have been researched by ZDNet.
  • RE: Researcher: Critical vulnerability found in VMware's desktop apps

    This is really a non-issue. Try doing some research before releasing such an inflammatory article, full of typos and FALSE information. Vmware shared folders are DISABLED by default. How do you find an exploit and miss such a thing????

    Not only that, when you go into the settings to change shared folders from the default of disabled, you can't miss the warning that states:

    "Shared folders expose your files to programs in the virtual machine. This may put your computer and your data at risk. Only enable shared folders if you trust the virtual machine with your data"

    you can pick disabled, always enabled, or enabled until next power off or suspend.

    SO it's pretty much fully explained in Vmware WITHOUT the need to release an exploit or even an advisory. All this adds to Vmware's own warning in the software is a "here's how".

    Big deal