ID VMWARE_PLAYER_LINUX_VMSA_2017_0005.NASL Type nessus Reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The version of VMware Player installed on the remote Linux host
is 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host
arbitrary code execution vulnerability in the drag-and-drop (DND)
functionality due to an out-of-bounds memory access error. An attacker
within a guest can exploit this issue to execute arbitrary code on the
host system.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: when `description` is set, the script only declares its
# metadata (identifiers, text, scoring, dependencies) and then stops at
# exit(0). The detection logic below this block is not reached in that case.
if (description)
{
  # --- Plugin identity and revision ---
  script_id(97989);
  script_version("1.8");
  script_cvs_date("Date: 2019/11/13");

  # --- Cross-references used to correlate this finding with other feeds ---
  script_cve_id("CVE-2017-4901");
  script_bugtraq_id(96881);
  script_xref(name:"VMSA", value:"2017-0005");

  # --- Human-readable title and one-line summary ---
  # The summary states what is actually tested: the installed version only.
  script_name(english:"VMware Player 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (Linux)");
  script_summary(english:"Checks the VMware Player version.");

  # --- Report text (string continuation lines stay at column 0 so the
  #     emitted text is unchanged) ---
  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote Linux host is
affected by a guest-to-host arbitrary code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Player installed on the remote Linux host
is 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host
arbitrary code execution vulnerability in the drag-and-drop (DND)
functionality due to an out-of-bounds memory access error. An attacker
within a guest can exploit this issue to execute arbitrary code on the
host system.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0005.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Player version 12.5.4 or later.");

  # --- Severity scoring ---
  # NOTE(review): both base vectors use AV:N although the description speaks
  # of an attacker inside a guest. cvss_score_source points at CVE-2017-4901,
  # so the scoring appears to be taken from the CVE record rather than derived
  # by this plugin; confirm before relying on it for prioritisation.
  # The v3 vector carries S:C (scope changed), matching a guest-to-host impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-4901");

  # --- Exploitation status flags recorded with the finding ---
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  # --- Timeline: disclosure and patch share a date; the plugin followed later ---
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");

  # --- Check type and affected product ---
  # "local": the result comes from version data already stored in the scan
  # knowledge base (see script_require_keys), not from probing the feature.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:player");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # --- Scheduling constraints ---
  # Presumably the dependency is what stores "Host/VMware Player/Version";
  # without that key the plugin cannot produce a finding - TODO confirm.
  script_dependencies("vmware_player_linux_installed.nbin");
  script_require_keys("Host/VMware Player/Version");
  # Not applicable where the Windows registry was enumerated.
  script_exclude_keys("SMB/Registry/Enumerated");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
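# Detection logic: a pure version comparison against knowledge-base data.
# Nothing here exercises the drag-and-drop feature, so a finding means "an
# affected version string was recorded for this host", nothing more.

# Mirrors the script_exclude_keys entry in the registration block: if the
# Windows registry was enumerated, audit out as "OS is not Linux".
if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");

# Installed version as stored in the knowledge base. get_kb_item_or_exit()
# comes from the included libraries and is expected to end the script when
# the key is absent, so no result is produced without that data.
version = get_kb_item_or_exit("Host/VMware Player/Version");

# Only the 12.x branch is mapped to a fixed release. Any other branch leaves
# fix empty and falls through to the "not vulnerable" audit below; that audit
# means "outside the range this plugin checks", not "verified safe".
fix = '';
if (version =~ "^12\.") fix = '12.5.4';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  # Plain assignment instead of '+=': report is not defined anywhere earlier
  # in this script, so appending relied on an uninitialised variable.
  report =
    '\n Installed version : ' + version +
    '\n Fixed version : ' + fix +
    '\n';
  # port:0 - the finding is attached to the host rather than a network service.
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Player", version);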
{"id": "VMWARE_PLAYER_LINUX_VMSA_2017_0005.NASL", "bulletinFamily": "scanner", "title": "VMware Player 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (Linux)", "description": "The version of VMware Player installed on the remote Linux host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.", "published": "2017-03-27T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://www.tenable.com/plugins/nessus/97989", "reporter": "This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://www.vmware.com/security/advisories/VMSA-2017-0005.html"], "cvelist": ["CVE-2017-4901"], "type": "nessus", "lastseen": "2021-01-01T07:00:06", "edition": 30, "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-4901"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788117"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811266", "OPENVAS:1361412562310811265"]}, {"type": "kaspersky", "idList": ["KLA11037"]}, {"type": "exploitdb", "idList": ["EDB-ID:47714"]}, {"type": "zdt", "idList": ["1337DAY-ID-33583"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:C0C12F043C649BD8F0133FA113860E15", "EXPLOITPACK:21FFDFE1156798252B9693294C796DC2"]}, {"type": "nessus", "idList": ["VMWARE_WORKSTATION_LINUX_VMSA_2017_0005.NASL", "VMWARE_WORKSTATION_WIN_VMSA_2017_0005.NASL", "MACOSX_FUSION_VMSA_2017_0005.NASL", "VMWARE_PLAYER_WIN_VMSA_2017_0005.NASL"]}, {"type": "vmware", "idList": ["VMSA-2017-0005"]}], "modified": "2021-01-01T07:00:06", "rev": 2}, "score": {"value": 7.7, "vector": "NONE", "modified": "2021-01-01T07:00:06", "rev": 2}, 
"vulnersScore": 7.7}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97989);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_xref(name:\"VMSA\", value:\"2017-0005\");\n\n script_name(english:\"VMware Player 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (Linux)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Linux host is\naffected by a guest-to-host arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote Linux host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Player version 12.5.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_player_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Player/Version\");\n script_exclude_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (get_kb_item(\"SMB/Registry/Enumerated\")) audit(AUDIT_OS_NOT, \"Linux\", \"Windows\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Player/Version\");\n\nfix = '';\nif (version =~ \"^12\\.\") fix = '12.5.4';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Player\", version);\n", "naslFamily": "General", "pluginID": "97989", "cpe": ["cpe:/a:vmware:player"], "scheme": null, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2020-10-03T13:07:44", "description": "The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion.", "edition": 3, "cvss3": {"exploitabilityScore": 3.1, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.9, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 6.0}, "published": "2017-06-08T13:29:00", "title": "CVE-2017-4901", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-4901"], "modified": "2017-07-12T01:29:00", "cpe": ["cpe:/a:vmware:fusion:8.0.0", "cpe:/a:vmware:workstation:12.0.1", "cpe:/a:vmware:fusion:8.5.1", "cpe:/a:vmware:workstation:12.5.1", "cpe:/a:vmware:fusion:8.5.3", "cpe:/a:vmware:fusion:8.5.4", "cpe:/a:vmware:workstation:12.0", "cpe:/a:vmware:workstation:12.1.1", "cpe:/a:vmware:fusion:8.5.0", "cpe:/a:vmware:fusion:8.0.2", "cpe:/a:vmware:fusion:8.1.1", "cpe:/a:vmware:workstation:12.5.2", "cpe:/a:vmware:fusion:8.5.2", "cpe:/a:vmware:fusion:8.0.1", "cpe:/a:vmware:fusion:8.1.0", "cpe:/a:vmware:workstation:12.5", "cpe:/a:vmware:workstation:12.5.3", 
"cpe:/a:vmware:workstation:12.1"], "id": "CVE-2017-4901", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-4901", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:fusion:8.5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.5.4:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.5.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation:12.5.2:*:*:*:*:*:*:*"]}], "myhack58": [{"lastseen": "2017-07-24T14:20:07", "bulletinFamily": "info", "cvelist": ["CVE-2017-4901", "CVE-2016-7461"], "edition": 1, "description": "0\u00d701 event analysis \n2017 7 on 19 unamer in its github released a for Vmware virtual machine escape exploit source code, using C++. The alleged impact of Vmware Workstation 12.5.5 the previous version, and gives a demonstration of the process, to achieve a from the virtual machine to the host machine The code is executed, the pop-up the familiar calculator. The code is open source, just need the implementation of the calculator portion of the shellcode replaced with other malicious codes that can cause great harm. \nThrough the code combed, found that the exploit for the vulnerability is the month of March is the exposure of CVE-2017-4901 the. 
About the vulnerability, the long Pavilion security research lab Chaitin Security Research Lab released its 2017 3 months participating in the Pwn2Own hacking contest on this Vmware vulnerabilities digging with the use of a lot of details. \nAnd the vulnerability principle and 2016 years 11 months in 360PwnFest show CVE-2016-7461 this vulnerability the principle is the same, are out in the drag-and-drop function and copy-and-paste function, but the vulnerability is appeared in version4, and the current CVE-2017-4901 appear in Version 3 This version. Vmware to on its announcement: https://www.vmware.com/security/advisories/VMSA-2016-0019.html the. \n0\u00d702 exploit code analysis \nAccording to the exploit code, according to the steps of analysis of the vulnerability of the entire use process. \n\uff081\uff09set version 3.0 version \nBecause the vulnerability exists in DnD and CnP mechanism of Version 3, It is set to DnD and CnP are version3 version. Use the command\u201ctool. capability. dnd_version 3\u201cand tools. capability. copypaste_version 3\u201c in. \n! [](/Article/UploadPic/2017-7/2017724171548832. png? www. myhack58. com) \n\n\uff082\uff09to overflow the heap \nIn order to achieve code execution, the need to overflow the stack object in a function pointer or virtual table pointer. \n! [](/Article/UploadPic/2017-7/2017724171548533. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-7/2017724171548447. png? www. myhack58. com) \n\uff083\uff09to create Version 3 of the DnD and CnP object \nNeed to query the DnD and CnP version in order to make the settings take effect, you need to send the command to, respectively: vmx. capability. dnd_version and vmx. capability. copypaste_version, these two commands will check the DnD/CnP mechanism of the version,while the version will create two objects, DnD and CnP, wherein version3 corresponding C++object size is 0xA8 in. \n! [](/Article/UploadPic/2017-7/2017724171548410. png? www. myhack58. 
com) \n\n\uff084\uff09cover the c++object virtual table address \nAccording to the C++object The size of the multiple out of bounds write memory. \n! [](/Article/UploadPic/2017-7/2017724171548411. png? www. myhack58. com) \n! [](/Article/UploadPic/2017-7/2017724171548871. png? www. myhack58. com) \n\n\uff085\uff09through information disclosure to bypass ASLR \nBy command info-set guestinfo. KEY VALUE and info-get guestinfo. KEY to set and get data through these two command followed by the value to reveal objects on the heap, so get the object's virtual table addresses, thereby to obtain the vmware-vmx address. \n\n! [](/Article/UploadPic/2017-7/2017724171548887. png? www. myhack58. com) \n\uff086\uff09to achieve code execution \nAccording to information leaked to judge the overflow of which is a C++object, DnD or CnP are. According to determine the type, respectively, the use of ROP to bypass DEP, stitching shellcode after the completion of the Trojan configuration. \nCnP type object overflow using the structure: \nCover the object a virtual table of addresses that point to the fake virtual table, and then sends a CP command, the trigger virtual function call. \n! [](/Article/UploadPic/2017-7/2017724171549799. png? www. myhack58. com) \n\nWherein SetGlobalPointer function to send unity. window. contents. start command, by the command specified in the parameters width and height, write a 64-bit stack migration gadget address. \n\n! [](/Article/UploadPic/2017-7/2017724171549100. png? www. myhack58. com) \nDnD type of object overflow using the structure: \n\n! [](/Article/UploadPic/2017-7/2017724171549941. png? www. myhack58. com) \nSend the payload to complete the configuration \n! [](/Article/UploadPic/2017-7/2017724171550957. png? www. myhack58. com) \n\n0x03 exploit the use of \nThe author in his github mentioned above, because there is no Windows LFH randomization process better, so did not achieve perfect utilization. 
During the test, the virtual machine does appear to use the unstable situation: a direct crash or pop up the computer after the virtual machine exit. Tested version: Vmware Workstation Pro 12.5.1 Build build-4542065 it. \n\uff081\uff09the pop-up calculator after. \n! [](/Article/UploadPic/2017-7/2017724171550552. png? www. myhack58. com) \n\n\n! [](/Article/UploadPic/2017-7/2017724171551299. png? www. myhack58. com)\n\n**[1] [[2]](<88117_2.htm>) [next](<88117_2.htm>)**\n", "modified": "2017-07-24T00:00:00", "published": "2017-07-24T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/88117.htm", "id": "MYHACK58:62201788117", "title": "Vmware virtual machine escape Vulnerability CVE-2017-4901\uff09Exploit code analysis and use-vulnerability and early warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2019-07-17T14:22:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "description": "The host is installed with VMware Fusion\n and is prone to memory corruption vulnerability.", "modified": "2019-07-05T00:00:00", "published": "2017-08-01T00:00:00", "id": "OPENVAS:1361412562310811266", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811266", "type": "openvas", "title": "VMware Fusion Memory Corruption Vulnerability-VMSA-2017-0005 (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Fusion Memory Corruption Vulnerability-VMSA-2017-0005 (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:fusion\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811266\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-01 18:03:57 +0530 (Tue, 01 Aug 2017)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware Fusion Memory Corruption Vulnerability-VMSA-2017-0005 (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Fusion\n and is prone to memory corruption vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n drag-and-drop (DnD) function in VMware Workstation which has an out-of-bounds\n memory access vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a guest\n to execute code on the operating system that runs Fusion.\");\n\n script_tag(name:\"affected\", value:\"VMware Fusion 8.x before 8.5.5 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Fusion version 8.5.5\n or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_vmware_fusion_detect_macosx.nasl\");\n script_mandatory_keys(\"VMware/Fusion/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^8\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"8.5.5\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"8.5.5\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-17T14:21:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "description": "The host is installed with VMware Workstation\n and is prone to memory corruption vulnerability.", "modified": "2019-07-05T00:00:00", "published": "2017-08-01T00:00:00", "id": "OPENVAS:1361412562310811265", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811265", "type": "openvas", "title": "VMware Workstation Memory Corruption Vulnerability-VMSA-2017-0005 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Workstation Memory Corruption Vulnerability-VMSA-2017-0005 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811265\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-08-01 17:03:57 +0530 (Tue, 01 Aug 2017)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Workstation Memory Corruption Vulnerability-VMSA-2017-0005 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Workstation\n and is prone to memory corruption vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to error in the\n drag-and-drop (DnD) function in VMware Workstation which has an out-of-bounds\n memory access vulnerability.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a guest\n to execute code on the operating system that runs Workstation.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation 12.x before 12.5.4 on\n Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 12.5.4 or later.\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Workstation/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^12\\.\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.5.4\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.5.4\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2020-09-02T12:00:27", "bulletinFamily": "info", "cvelist": ["CVE-2017-4901"], "description": "### *Detect date*:\n03/14/2017\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn out-of-bounds memory access vulnerability in the DnD (drag-and-drop) function was found in VMware Workstation Pro and VMware Workstation Player. 
By exploiting this vulnerability malicious users can execute arbitrary code on the operating system running VMware Workstation Pro or VMware Workstation Player.\n\n### *Affected products*:\nVMware Workstation Pro 12.x before 12.5.4 \nVMware Workstation Player 12.x before 12.5.4\n\n### *Solution*:\nUpdate to the latest version \n[Download VMware Workstation Pro](<https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/12_0>)\n\n### *Original advisories*:\n[VMware Security Advisory](<https://www.vmware.com/security/advisories/VMSA-2017-0005.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[VMware Workstation](<https://threats.kaspersky.com/en/product/VMware-Workstation/>)\n\n### *CVE-IDS*:\n[CVE-2017-4901](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-4901>)7.5Critical\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. [More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 43, "modified": "2020-06-18T00:00:00", "published": "2017-03-14T00:00:00", "id": "KLA11037", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11037", "title": "\r KLA11037Arbitrary code execution vulnerability in VMware products ", "type": "kaspersky", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2019-11-25T14:34:44", "description": "", "published": "2017-08-08T00:00:00", "type": "exploitdb", "title": "VMware WorkStation 12.5.5 - Virtual Machine Escape", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-4901"], "modified": "2017-08-08T00:00:00", "id": "EDB-ID:47714", "href": "https://www.exploit-db.com/exploits/47714", "sourceData": "# VMware Escape Exploit\r\n\r\nVMware Escape Exploit before VMware WorkStation 12.5.5\r\n\r\nHost Target: Win10 x64\r\n\r\nCompiler: VS2013 \r\n\r\nTest on VMware 12.5.2 build-4638234\r\n\r\n# Known issues\r\n\r\n* Failing to heap manipulation causes host process 
crash.\r\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on winows LFH.\r\n\r\n# FAQ\r\n\r\n* Q: Error in reboot vmware after crashing process.\r\n* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\r\n\r\n\r\n\r\n\r\n\r\nEDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip\r\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://www.exploit-db.com/download/47714"}], "zdt": [{"lastseen": "2019-12-04T14:16:54", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2019-11-25T00:00:00", "title": "VMware WorkStation 12.5.5 - Virtual Machine Escape Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-4901"], "modified": "2019-11-25T00:00:00", "id": "1337DAY-ID-33583", "href": "https://0day.today/exploit/description/33583", "sourceData": "# VMware Escape Exploit\r\n\r\nVMware Escape Exploit before VMware WorkStation 12.5.5\r\n\r\nHost Target: Win10 x64\r\n\r\nCompiler: VS2013 \r\n\r\nTest on VMware 12.5.2 build-4638234\r\n\r\n# Known issues\r\n\r\n* Failing to heap manipulation causes host process crash.\r\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on winows LFH.\r\n\r\n# FAQ\r\n\r\n* Q: Error in reboot vmware after crashing process.\r\n* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\r\n\r\n\r\n\r\n\r\n\r\nEDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip\r\n\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://0day.today/exploit/33583"}], "exploitpack": [{"lastseen": "2020-04-01T20:40:47", "description": "\nVMware WorkStation 12.5.5 - Virtual Machine Escape", "edition": 1, "published": "2017-08-08T00:00:00", "title": "VMware WorkStation 12.5.5 - Virtual Machine Escape", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-4901"], "modified": "2017-08-08T00:00:00", "id": "EXPLOITPACK:21FFDFE1156798252B9693294C796DC2", "href": "", "sourceData": "# VMware Escape Exploit\n\nVMware Escape Exploit before VMware WorkStation 12.5.5\n\nHost Target: Win10 x64\n\nCompiler: VS2013 \n\nTest on VMware 12.5.2 build-4638234\n\n# Known issues\n\n* Failing to heap manipulation causes host process crash.\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on winows LFH.\n\n# FAQ\n\n* Q: Error in reboot vmware after crashing process.\n* A: Just remove ***.lck** folder in your vm directory or wait a while and have a coffee :).Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\n\n\n\n\n\nEDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47714.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T20:40:47", "description": "\nVMware WorkStation 12.5.3 - Virtual Machine Escape", "edition": 1, "published": "2019-06-06T00:00:00", "title": "VMware WorkStation 12.5.3 - Virtual Machine Escape", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-4901", "CVE-2017-4905"], "modified": "2019-06-06T00:00:00", "id": "EXPLOITPACK:C0C12F043C649BD8F0133FA113860E15", "href": "", "sourceData": "# VMware Escape Exploit\n\nVMware Escape Exploit before VMware WorkStation 12.5.3\n\nHost Target: Win10 x64\n\nCompiler: VS2013 \n\nTest on VMware 12.5.2 build-4638234\n\n# Known issues\n\n* Failing to heap manipulation causes 
host process crash. (About 50% success rate)\n* Not quite elaborate because I'm not good at doing heap \"fengshui\" on Windows LFH.\n\n# FAQ\n\n* Q: Error when restarting VMware after the process crashes.\n* A: Just remove the ***.lck** folder in your VM directory, or wait a while and have a coffee :). Here is a simple [script](https://raw.githubusercontent.com/unamer/vmware_escape/master/cve-2017-4901/cleanvm.bat) I used to clean up.\n\n\n\n\n# Reference\n\n* https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/\n\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47715.zip", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-22T10:55:14", "description": "The version of VMware Workstation installed on the remote Linux host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.", "edition": 31, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-24T00:00:00", "title": "VMware Workstation 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "modified": "2017-03-24T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_LINUX_VMSA_2017_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/97940", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97940);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_xref(name:\"VMSA\", value:\"2017-0005\");\n\n script_name(english:\"VMware Workstation 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (Linux)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Linux host is\naffected by a guest-to-host arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Linux host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation version 12.5.4 or later. Alternatively,\ndisable both the drag-and-drop function and the copy-and-paste\nfunction.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Workstation/Version\", \"Settings/ParanoidReport\");\n script_exclude_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nif (get_kb_item(\"SMB/Registry/Enumerated\")) audit(AUDIT_OS_NOT, \"Linux\", \"Windows\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Workstation/Version\");\n\nfix = '';\nif (version =~ \"^12\\.\") fix = '12.5.4';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Workstation\", version);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:30:03", "description": "The version of VMware Fusion installed on the remote macOS or Mac OS X\nhost is 8.x prior to 8.5.5. It is, therefore, affected by a\nguest-to-host arbitrary code execution vulnerability in the\ndrag-and-drop (DND) functionality due to an out-of-bounds memory\naccess error. 
An attacker within a guest can exploit this issue to\nexecute arbitrary code on the host system.", "edition": 35, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-24T00:00:00", "title": "VMware Fusion 8.x < 8.5.5 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_VMSA_2017_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/97939", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97939);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_xref(name:\"VMSA\", value:\"2017-0005\");\n\n script_name(english:\"VMware Fusion 8.x < 8.5.5 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (macOS)\");\n script_summary(english:\"Checks the VMware Fusion version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote macOS or Mac OS X\nhost is affected by a guest-to-host arbitrary code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Fusion installed on the remote macOS or Mac OS X\nhost is 8.x prior to 8.5.5. It is, therefore, affected by a\nguest-to-host arbitrary code execution vulnerability in the\ndrag-and-drop (DND) functionality due to an out-of-bounds memory\naccess error. An attacker within a guest can exploit this issue to\nexecute arbitrary code on the host system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Fusion version 8.5.5 or later. 
Alternatively,\ndisable both the drag-and-drop function and the copy-and-paste\nfunction.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"installed_sw/VMware Fusion\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\ninstall = get_single_install(app_name:\"VMware Fusion\", exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^8\\.\") fix = '8.5.5';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Fusion\", version, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:24", "description": "The version of VMware Workstation installed on the remote Windows host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.", "edition": 34, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-24T00:00:00", "title": "VMware Workstation 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_WIN_VMSA_2017_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/97941", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97941);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_xref(name:\"VMSA\", value:\"2017-0005\");\n\n script_name(english:\"VMware Workstation 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Windows host is\naffected by a guest-to-host arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote Windows host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation version 12.5.4 or later. 
Alternatively,\ndisable both the drag-and-drop function and the copy-and-paste\nfunction.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/24\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Workstation\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Workstation';\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^12\\.\") fix = \"12.5.4\";\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:06", "description": "The version of VMware Player installed on the remote Windows host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.", "edition": 30, "cvss3": {"score": 9.9, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}, "published": "2017-03-27T00:00:00", "title": "VMware Player 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-4901"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_WIN_VMSA_2017_0005.NASL", "href": "https://www.tenable.com/plugins/nessus/97990", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97990);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-4901\");\n script_bugtraq_id(96881);\n script_xref(name:\"VMSA\", value:\"2017-0005\");\n\n script_name(english:\"VMware Player 12.x < 12.5.4 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Windows host is\naffected by a guest-to-host arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote Windows host\nis 12.x prior to 12.5.4. It is, therefore, affected by a guest-to-host\narbitrary code execution vulnerability in the drag-and-drop (DND)\nfunctionality due to an out-of-bounds memory access error. 
An attacker\nwithin a guest can exploit this issue to execute arbitrary code on the\nhost system.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2017-0005.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Player version 12.5.4 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-4901\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_player_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Player\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\ninstall = get_single_install(app_name:\"VMware Player\", exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^12\\.\") fix = '12.5.4';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Player\", version, path);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2019-11-06T16:05:27", "bulletinFamily": "unix", "cvelist": ["CVE-2017-4901"], "description": "a. VMware Workstation and Fusion out-of-bounds memory access vulnerability\n\nThe drag-and-drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion. \n\n\n**Workaround** \nOn Workstation Pro and Fusion, the issue cannot be exploited if both the drag-and-drop function and the copy-and-paste (C&P) function are disabled. Refer to the Reference section on documentation how to disable these functions. This workaround is not available on Workstation Player. \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-4901 to this issue. 
\n \nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.\n", "edition": 5, "modified": "2017-03-14T00:00:00", "published": "2017-03-14T00:00:00", "id": "VMSA-2017-0005", "href": "https://www.vmware.com/security/advisories/VMSA-2017-0005.html", "title": "VMware Workstation and Fusion updates address critical out-of-bounds memory access vulnerability", "type": "vmware", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}