This article briefly describes our findings and our most recent in the three main VMware Windows products find a vulnerability. The affected products include the‘VMware Workstation’, ‘Horizon Client’ (with Local Mode Option), and Player’on.
Successful exploitation of the vulnerability could allow a local attacker on the other users logged in the context of the same host, execute the code.
The impact of either the longitudinal or transverse elevation of privileges, depending on the account permissions, the attacker has The as well as for the user account used on the windows platform the VMware software.
Can be accessed the object
Because of the provisions of these Windows objects reside in the kernel address space and which contains a security descriptor, which led to theoperating systemcan access them.
These descriptors are structures, which contain those objects associated with the security information. Typically, a security descriptor should have a discretionary access control list of legitimate pointer, which will be one or more access control entry fall of。 As shown below:
Figure 1. Discretionary access control list
One ACE describes its user group and is separated from the user, who may or may not access one can be accessed the object, and access type such as read, write, execute, read and write etc...
Because these can be accessed by the object, when we create them, to perform custom access operation, we can set our own security descriptor.
As shown in Figure 1, We want full access to belonging to’A’user group users to the Everyone user group to implement the write+read operation, and for any other people read/perform the operation, but we want from the can access that object to remove Andrew（observed in Figure 1. The
Unless for some reason we need to obtain or deny access to specific users or groups of users, under normal circumstances without our own as can be access to the objects specified security descriptor. These objects will not only allow the user or user group access to the necessary permissions. In fact, when we do not specify a security descriptor, the system can be accessed by the object providing the default DACLS.
If, for example, we create a process, which is running on an account belonging to the Administrators user group in the security context of running in a standard or guest user accounts up and down in another process will not be able to access it, or at least to that process access will have certain restrictions.
In fact, the custom access we created can be accessed by the object may be risky, and can lead to dangerous vulnerabilities. For this reason, developers must carry out the behavior when very careful.
As already mentioned, the security descriptor should have a DACL legitimate pointer, it contains one or more ACES in. However, a DACL can also be empty, which means that for any user the state of the object is denied access. This type of a design error will be possible for any process need to access a specific object to cause a denial of service consequences.
On the other hand, a more serious design error in the custom access can be to access the object found is a NULL DACL pointer is provided to that object's security descriptor. This will allow any user to obtain full access to that object's permissions, even if that object is created in a more high-privilege security context of the user, then the system should refuse to lower the permissions of the user's full access, read|write|execute behavior.
Unfortunately, not all rumors have a happy ending, especially in the real world with a 0day vulnerabilities associated with the scenario. Yes, the use of NULL DACLs can be quite disgusting a phenomenon, because it will cause some security issues arise, and they will not get any appreciation.
Recently, VMware has for the severe of the vulnerabilities to provide a repair patch which we have reported to the. Because the virtual printing device is available, this problem will affect all VMware, Horizon Client (with Local Mode Option),and Player version.
The device allows one to have installed the VMware tools in the virtual machine to access the configuration on the host pointer. Add this device to the virtual machine device, which is set to the default option. However, in recent times more of these product versions, regardless of the user in what circumstances to create a new virtual machine will be added by default on the virtual printing device.
It has been found, the vulnerability is based on a NULL DACL, which consists of vprintproxy. exe process the security descriptor of the allocation, in the host machine, it handles the virtual printing device. Each time the user starts a virtual machine, associated with a vmware-vmx. exe process running in the user to start a virtual machine's security context.
However, if the virtual machine has been turned on a virtual printing device, or when the virtual machine is active, if the user connected to that device, the vmware-vmx. exe process will produce vprintproxy. exe process. Use this step to customize the child process's security descriptor, in which introduced a privilege escalation vulnerability.
Figure 2. Assign a NULL DACL
As shown above, vmware-vmx. the exe calls the SetSecurityDescriptorDacl function, but not for an ACL structure that is used has created the security descriptor's DACL to provide a legitimate pointer R8 register it. Once the new security descriptor is created, 它将被使用在一个CreateProcess函数的调用中来启动vprintproxy.exe it will be created with a NULL DACL is assigned to it's process object.
Figure 3. With a NULL DACL 启动 vprintproxy.exe
The newly created vprintproxy. exe running in the parent process in the security context it turns the user has to start the virtual machine paradigm in the security context of running.