VMware vielib.dll StartProcess command execution

2007-09-25T00:00:00
ID SAINT:1A0634976091700ED6610057952C74CE
Type saint
Reporter SAINT Corporation
Modified 2007-09-25T00:00:00

Description

Added: 09/25/2007
CVE: CVE-2007-4058
BID: 25118
OSVDB: 42078

Background

VMware is a suite of products supporting the creation and operation of virtual machines, which are self-contained, independent guest operating systems running within a host operating system.

Problem

The StartProcess function in the **vielib.dll** library shipped with VMware 6.0.0 allows shell commands to be executed without verifying that the caller is authorized. Because the library is exposed as an ActiveX control, this could allow command execution on the host when a user loads an attacker's web page in Internet Explorer.

Resolution

Set the kill bit for Class ID 7B9C5422-39AA-4C21-BEEF-645E42EB4529 as described in Microsoft Knowledge Base Article 240797, or unregister vielib.dll using regsvr32.
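As an added example (not part of the SAINT entry or of VMware's own tooling), the following PowerShell audits whether the kill bit from the resolution above is set for the vielib.dll control and sets it if it is not, following the KB240797 registry procedure; the CLSID is the one given in this entry, the function names are this example's own, and it assumes an elevated shell.

```powershell
# Added example: audit and set the Internet Explorer ActiveX kill bit for the
# vielib.dll control (CLSID from the advisory), per KB240797. Run elevated.
$Clsid   = '{7B9C5422-39AA-4C21-BEEF-645E42EB4529}'
$KillBit = 0x400   # "Compatibility Flags" kill-bit value documented in KB240797
$CompatPath = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"

function Get-ActiveXKillBitState {
    # Report whether the control is registered and whether IE will refuse to load it.
    $flags = (Get-ItemProperty -Path $CompatPath -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { $flags = 0 }
    [pscustomobject]@{
        Clsid      = $Clsid
        Flags      = ('0x{0:X}' -f $flags)
        KillBitSet = (($flags -band $KillBit) -ne 0)
        Registered = (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid")
    }
}

function Set-ActiveXKillBit {
    # OR the kill bit into any existing flags instead of overwriting them.
    if (-not (Test-Path $CompatPath)) { New-Item -Path $CompatPath -Force | Out-Null }
    $current = (Get-ItemProperty -Path $CompatPath -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $CompatPath -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -Type DWord
    Get-ActiveXKillBitState
}

$state = Get-ActiveXKillBitState
if ($state.Registered -and -not $state.KillBitSet) {
    Set-ActiveXKillBit
} else {
    $state   # nothing to do: control absent, or kill bit already set
}
```

On 64-bit Windows the 32-bit Internet Explorer reads the same key under `HKLM:\SOFTWARE\Wow6432Node\...`, so a build covering both architectures should check and set that path as well.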

References

<http://www.milw0rm.com/exploits/4244>

Limitations

Exploit works on VMware Workstation 6.0.0 on Windows XP.

Since this exploit uses TFTP, the SAINTexploit host must be able to bind to port 69/UDP.

This exploit requires the Perl threads module to be installed on the SAINTexploit host.

Platforms

Windows