a. VMware Tools Incorrect Folder Permissions Privilege Escalation
The access control list of the VMware Tools folder is incorrectly set. Exploitation of this issue may lead to local privilege escalation on Windows-based Guest Operating Systems.
VMware would like to thank Tavis Ormandy for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2012-1518 to this issue.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory 2012-0007.
# The text itself is copyright (C) VMware Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Metadata pass: when the engine loads the plugin with `description` set, this
# block only registers the plugin's identity, references, risk attributes and
# prerequisites, then exits without running the check itself.
if (description)
{
script_id(58744);
script_version("1.22");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
# Identifiers that tie a finding back to the vendor advisory and the CVE entry.
script_cve_id("CVE-2012-1518");
script_xref(name:"VMSA", value:"2012-0007");
script_name(english:"VMSA-2012-0007 : VMware hosted products and ESXi/ESX patches address privilege escalation");
script_summary(english:"Checks esxupdate output for the patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote VMware ESXi / ESX host is missing a security-related patch."
);
# The advisory text below describes a flaw in the VMware Tools folder ACL on
# Windows-based guests, while this plugin evaluates the ESX / ESXi host's patch
# state (see script_summary above).
# NOTE(review): patching the host presumably only updates the Tools package the
# host ships; installed VMware Tools inside Windows guests likely need their own
# upgrade -- confirm against VMSA-2012-0007 before closing a finding.
script_set_attribute(
attribute:"description",
value:
"a. VMware Tools Incorrect Folder Permissions Privilege Escalation
The access control list of the VMware Tools folder is incorrectly
set. Exploitation of this issue may lead to local privilege
escalation on Windows-based Guest Operating Systems.
VMware would like to thank Tavis Ormandy for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2012-1518 to this issue."
);
script_set_attribute(
attribute:"see_also",
value:"http://lists.vmware.com/pipermail/security-announce/2012/000181.html"
);
script_set_attribute(attribute:"solution", value:"Apply the missing patch.");
# CVSS v2 base vector: complete impact on confidentiality, integrity and
# availability, low complexity, no authentication.
# NOTE(review): the vector uses AV:A (adjacent network) although the description
# calls this a local privilege escalation -- confirm the intended access vector.
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:C/I:C/A:C");
# Exploit-availability attributes: they mark exploit code as available and name
# a commercial framework package, which is relevant when prioritising remediation.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'White_Phosphorus');
script_set_attribute(attribute:"plugin_type", value:"local");
# Platforms this plugin is tagged for; they match the three esx_check() calls
# in the check body (ESX 4.0, ESX 4.1, ESXi 5.0).
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.0");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esx:4.1");
script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:esxi:5.0");
script_set_attribute(attribute:"patch_publication_date", value:"2012/04/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2012/04/13");
script_end_attributes();
# Information-gathering category: the plugin is declared as a passive check.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"VMware ESX Local Security Checks");
# Prerequisites: ssh_get_info.nasl is declared as a dependency, and the KB must
# show local checks enabled plus a VMware release and version.
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/VMware/release", "Host/VMware/version");
# NOTE(review): script_require_ports is given KB names here, presumably as an
# "at least one of" requirement on the two package-list sources, matching the
# runtime test in the check body -- confirm.
script_require_ports("Host/VMware/esxupdate", "Host/VMware/esxcli_software_vibs");
exit(0);
}
include("audit.inc");
include("vmware_esx_packages.inc");
# --- Preconditions ---------------------------------------------------------
# Each audit() call below ends the run with a "could not assess" style result.
# None of them means the host is patched; they mean the scan lacked the
# local data needed to decide.

# Local (credentialed) checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled"))
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The KB must identify the target as a VMware ESX / ESXi release.
if (!get_kb_item("Host/VMware/release"))
  audit(AUDIT_OS_NOT, "VMware ESX / ESXi");

# A package inventory from at least one source (esxcli VIB list or esxupdate
# output) is required to compare against the advisory.
if (
  !(
    get_kb_item("Host/VMware/esxcli_software_vibs") ||
    get_kb_item("Host/VMware/esxupdate")
  )
)
  audit(AUDIT_PACKAGE_LIST_MISSING);

# Patch identifiers passed as patch_updates for each ESX line.
# NOTE(review): presumably later bundles that supersede the base patch, so a
# host carrying any of them is treated as fixed -- confirm in
# vmware_esx_packages.inc.
esx40_patch_updates = make_list(
  "ESX400-201205401-SG", "ESX400-201206401-SG", "ESX400-201209401-SG",
  "ESX400-201302401-SG", "ESX400-201305401-SG", "ESX400-201310401-SG",
  "ESX400-201404401-SG"
);
esx41_patch_updates = make_list(
  "ESX410-201204401-SG", "ESX410-201205401-SG", "ESX410-201206401-SG",
  "ESX410-201208101-SG", "ESX410-201211401-SG", "ESX410-201301401-SG",
  "ESX410-201304401-SG", "ESX410-201307401-SG", "ESX410-201312401-SG",
  "ESX410-201404401-SG", "ESX410-Update03"
);

# --- Patch comparison ------------------------------------------------------
# The date passed here equals the advisory's patch publication date.
init_esx_check(date:"2012-04-12");

# Counts how many of the three product checks reported a missing fix.
flag = 0;

# ESX 4.0: base patch ESX400-201203401-SG.
if (esx_check(ver:"ESX 4.0", patch:"ESX400-201203401-SG", patch_updates:esx40_patch_updates))
  flag++;

# ESX 4.1: base patch ESX410-201201401-SG.
if (esx_check(ver:"ESX 4.1", patch:"ESX410-201201401-SG", patch_updates:esx41_patch_updates))
  flag++;

# ESXi 5.0: compared by VIB version of the tools-light package rather than by
# patch bundle name.
if (esx_check(ver:"ESXi 5.0", vib:"VMware:tools-light:5.0.0-0.10.608089"))
  flag++;

# --- Reporting -------------------------------------------------------------
if (!flag)
  audit(AUDIT_HOST_NOT, "affected");
else
{
  # Reported via security_hole() on port 0; the detail collected by
  # esx_report_get() is attached only when report verbosity is above zero.
  if (report_verbosity > 0)
    security_hole(port:0, extra:esx_report_get());
  else
    security_hole(0);
  exit(0);
}