Engineers from CoreLabs, the research arm of Core Security, discovered that an attacker could gain complete access to a host system by exploiting this vulnerability in VMware’s desktop software products. The vulnerability could allow an attacker to create or modify executable files on the host operating system.

“What’s most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them,” said Iván Arce, CTO at Core Security Technologies. “Organizations often adopt virtualization technologies with the assumption that the isolation between the host and guest systems will improve their security posture. This vulnerability provides an important wake-up call to security-concerned IT practitioners. It is signals that virtualization is not immune to security flaws and that ‘real’ environments aren’t safe simply because they sit behind virtual environments.”

Vulnerability Details

CoreLabs discovered that a malicious user or software running on a Guest system within VMware’s desktop software (VMware Player, Workstation and ACE) can break out of the isolated environment and gain full access to the Host computer system. The vulnerability was found while investigating a similar vulnerability in VMware Workstation disclosed by Greg McManus of IDefense Labs in March 2007 (CVE-2007-1744, VMware Workstation Shared Folders Directory Traversal Vulnerability).

CoreLabs researchers developing the exploit for CVE-2007-1744 realized that, by using a specially crafted PathName to access a VMware shared folder, it is possible to gain complete access to the Host’s file system. This includes, but is not limited to, creating or modifying executable files in sensitive locations. The vulnerability stems from improper validation of the PathName parameter passed by a potentially malicious program or user in the Guest system to VMware’s Shared Folders mechanism, which in turn passes it to the Host system’s file system.

Exploitation of path traversal vulnerabilities such as one found by CoreLabs, also commonly found in web server software and web applications, generally involve the specification of pathnames that include the “..” substring to escape out of folder access restriction. To prevent this type of attack, it is common to filter out the potentially malicious substring from input received from untrusted sources.

Vulnerable VMware products that implement the Shared Folders feature fail to properly sanitize malicious input in the PathName parameter. Although stricter input validation was implemented to fix the vulnerability disclosed previously (CVE-2007-1744), the shared folder mechanism still provides complete access to the underlying file system of the Host system due to improper handling of strings with multi-byte encodings.

The vulnerability affects VMware Workstation, Player and ACE software and it is only exploitable when Shared Folders are enabled (a default setting) and at least one folder on the Host system is configured for sharing. Organizations seeking an immediate workaround to mitigate risk should disable shared folders in all installations of the vulnerable software. If the Shared Folders feature cannot be fully disabled, configuring it to allow read-only access to the Host folder may still provide limited mitigation. However, because other exploitation scenarios may still exist, CoreLabs recommends that end users update to non-vulnerable versions of VMware Workstation, Player and ACE.

VMware has acknowledged this security problem and stated that it will address the issue within the release schedule of the affected products. To protect against potential attacks in the meantime, Core Security recommends that users immediately take one of the following actions:
Disable Shared Folders for all virtual machines that use the feature.
If the Shared Folders feature is required, configure it for read-only access.
If the Shared Folders feature is required, implement appropriate file system monitoring and access control mechanisms on the Host operating system.
Upgrade your VMware software to a non-vulnerable version.

For more information on this vulnerability and the systems affected, please view the CORE-2007-0930 Security Advisory, “Path Traversal Vulnerability in VMware's Shared Folders Implementation” at http://www.coresecurity.com/?action=item&id=2129.

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their IT infrastructure. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates servers, desktop systems, end users and web applications by identifying what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks.