OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
VMWare Tools susceptible to binary planting by hijack

moshezcomsecglobal.com
Date: Tue Sep 04 2012 - 10:43:14 CDT


Security Advisory - VMWare Tools susceptible to binary planting by hijack
=========================================================================
Summary : VMWare Tools susceptible to binary planting
Date : 4 September 2012
Affected versions : Product versions prior to -
                                        Workstation 8.0.4
                                        Player 4.0.4
                                        Fusion 4.1.2
                                        View 5.1
                                        ESX 5.0 P03
                                        ESX 4.1 U3
                                        Not affected: ESX 4.0, ESX 3.5
CVE reference : CVE-2012-1666

Details
================
VMWare Tools handles many functions involved with host-guest interactivity,
providing a richer environment for the end-user and server administrators alike.
Part of VMWare Tools responsibilities is handling printer services through host
and is called by a third-party acquired tool (ThinPrint).

During initiation, which occurs during many steps throughout printer comm.
negotiation, a non-existent dynamic-link library is called, resulting in an
unqualified dynamic-link library call to 'tpfc.dll'.

A user with local disk access can carefuly construct a DLL that suits the
pattern that is being traversed by the client and implement it somewhere along
the search path and the client will load it seamlessly.

Impact
================
After the DLL has been implemented, an unsuspected user that will run printer
services, for example, will cause it to load, resulting in arbitrary code
execution under user's privilege level.

This vector of attack is mainly used in a local privilege escalation scenarios,
user credential harvesting and can be used by malware to disguise itself,
amongst other uses.

Proof of Concept
================

        #include <windows.h>

        int hijack_poc ()
        {
          WinExec ( "calc.exe" , SW_NORMAL );
          return 0 ;
        }
          
        BOOL WINAPI DllMain
                 ( HINSTANCE hinstDLL ,
                        DWORD dwReason ,
                        LPVOID lpvReserved )
        {
          hijack_poc () ;
          return 0 ;
        }

Solution
================
Official patches were delivered by vendor and can be fetched from www.vmware.com

Credits
================
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline
=================
4 September 2012
Security advisory released by Comsec Consulting
31 August 2012
Vendor finished on deploying fixes to products, release notes published
13 March 2012
Vendor started to implement fixes to products
14 February 2012
First response from vendor
13 February 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
to VMWare and third-party printer driver developers in sync

References
=================
VMWare
http://www.vmware.com
Release notes
https://www.vmware.com/support/vsphere4/doc/vsp_esxi41_u3_rel_notes.html#resolvedissuessecurity

Comsec Global Consulting
http://www.comsecglobal.com/