vm-support 0.88 File Overwrite / Information Disclosure

2014-08-26T00:00:00
ID PACKETSTORM:128006
Type packetstorm
Reporter Dolev Farhi
Modified 2014-08-26T00:00:00

Description

                                        
Author: dolevf  
Date: 18.6.2014  
Version: vm-support latest version 0.88  
Tested on: Red Hat Enterprise Linux 6  
Relevant CVEs: 2014-4199, 2014-4200  
  
  
1. About the application  
------------------------  
VMware support is a tool designed to collect diagnostic information such   
as logs, configuration files and directories, from a virtualized guest   
system.  
vm-support is part of the vmware-tools pack.  
  
  
2. Vulnerability descriptions  
-----------------------------  
CVE-2014-4199: An attacker is able to overwrite system files due to   
insecure creation of files in /tmp when the vm-support tool is run,   
potentially denying service to other users of the system.  
CVE-2014-4200: An attacker is able to extract sensitive files from the   
vm-support archive because it has 0644 permissions and is stored in the   
/tmp folder.  
  
  
  
3. Release date  
--------------------  
26.8.2014  
  
  
4. Proof of concept  
-----------------------  
  
CVE-2014-4199:  
=============  
runcmd "ifconfig -a" "/tmp/ifconfig.$$.txt"  
runcmd "mount" "/tmp/mount.$$.txt"  
runcmd "dmesg" "/tmp/dmesg.$$.txt"  
runcmd "ulimit -a" "/tmp/ulimit-a.$$.txt"  
  
  
  
CVE-2014-4200:  
=============  
[root@server1 tmp]# ls -ld vm-2014-08-26.25023.tar.gz  
-rw-r--r-- 1 root root 631081 Aug 26 17:19 vm-2014-08-26.25023.tar.gz  
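
A hardened counterpart to the runcmd lines and the 0644 archive shown above, as an added example that is not part of the advisory or of vm-support. The function names (runcmd_safe, collect_diag) and the file names are hypothetical; the sketch assumes a POSIX shell with mktemp and tar available.

```shell
#!/bin/sh
# Added example, not vm-support code. Function and file names are hypothetical.
# Vulnerable pattern from the advisory, for comparison only:
#   runcmd "mount" "/tmp/mount.$$.txt"   # predictable name in a shared directory

# Run one command and store its output under the private work directory.
runcmd_safe() {   # $1 = command line, $2 = output file name
    sh -c "$1" > "$workdir/files/$2" 2>&1 || :   # keep going if a tool is missing
}

# Collect diagnostics; prints the path of the finished archive.
collect_diag() (                      # subshell: umask and noclobber do not leak
    parent=${1:-${TMPDIR:-/tmp}}
    umask 077                         # files 0600, directories 0700
    set -C                            # noclobber: '>' refuses to overwrite an existing path
    # mktemp -d picks an unpredictable name and creates the directory atomically,
    # so a pre-planted file or symlink cannot be substituted for it.
    workdir=$(mktemp -d "$parent/diag.XXXXXXXXXX") || exit 1
    mkdir "$workdir/files" || exit 1
    runcmd_safe "ifconfig -a" ifconfig.txt
    runcmd_safe "mount"       mount.txt
    runcmd_safe "dmesg"       dmesg.txt
    runcmd_safe "ulimit -a"   ulimit-a.txt
    # The archive stays inside the 0700 directory and is itself 0600.
    tar -czf "$workdir/diag.tar.gz" -C "$workdir" files || exit 1
    printf '%s\n' "$workdir/diag.tar.gz"
)
```

Running `ls -ld` on the path printed by collect_diag should show `-rw-------`, in contrast to the `-rw-r--r--` listing above.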