[NT] Virtual PC Services Insecure Temporary File Creation (MS04-005)

From: SecuriTeam (support_at_securiteam.com)
Date: 02/11/04

    To: list@securiteam.com
    Date: 11 Feb 2004 15:53:07 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Virtual PC Services Insecure Temporary File Creation (MS04-005)
    ------------------------------------------------------------------------

    SUMMARY

    Virtual PC is a popular x86 virtual machine emulator capable of running
    several guest operating systems under the Mac OS X and Windows platforms.
    Virtual PC provides a set of services for managing network sharing
    under Mac OS X. These services are spawned from the setuid-root
    binary VirtualPC_Services, which creates several temporary files when
    it is executed. VirtualPC_Services does not check for several unsafe
    conditions prior to creating these temporary files. As a result, an
    attacker with interactive login access to the system may leverage the
    insecure temporary files to become root or to overwrite critical system
    files.

    DETAILS

    Affected Software (all fixed by the Virtual PC for Mac 6.1.1 update):
     * Microsoft Virtual PC for Mac version 6.0
     * Microsoft Virtual PC for Mac version 6.01
     * Microsoft Virtual PC for Mac version 6.02
     * Microsoft Virtual PC for Mac version 6.1

    Download the update:
    <http://www.microsoft.com/mac/downloads.aspx?pid=download&location=/mac/download/misc/vpc6_1_1.xml&secid=100&ssid=1&flgnosysreq=True>

    Mitigating factors:
     * An attacker must have valid logon credentials to exploit the
    vulnerability. The vulnerability could not be exploited remotely without a
    valid user account.

     * Systems that are secured by using best practices are at reduced risk
    from this vulnerability. Standard best practices recommend only allowing
    trusted users to log on to systems interactively.

    @stake has identified a vulnerability within the setuid-root binary
    VirtualPC_Services: it does not check for dangerous conditions prior to
    temporary file creation. This allows an attacker to truncate and
    overwrite arbitrary files, and to create arbitrary files with insecure
    file permissions.

    Using this vulnerability it is feasible for an attacker to gain root
    privileges on the system. The VirtualPC_Services binary creates a
    log file upon startup at the fixed path /tmp/VPCServices_Log. Because
    /tmp is world-writable and the name is predictable, an attacker may
    create a symbolic link at /tmp/VPCServices_Log pointing to an arbitrary
    file; that file is truncated and overwritten with root privileges when
    the VirtualPC_Services binary is next executed. When the symbolic link
    points to a non-existent file, a new file is created instead, with
    permissions determined by the unprivileged user's umask(2) settings,
    which the setuid process inherits from the user who started it.
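    The two conditions described above, reproduced in a private scratch
    directory as an added C example. This is not code from @stake or
    Microsoft and not the VirtualPC_Services source, which the advisory does
    not include: open_log_insecure is the open(2) pattern that a fixed /tmp
    log path with O_CREAT|O_TRUNC implies, open_log_safe is a standard
    hardening (the page only says the 6.1.1 update "changes the way the
    temporary file is used", so this is not necessarily Microsoft's fix), and
    the directory and file names are hypothetical. It runs unprivileged: the
    kernel follows the symlink whether or not the caller is root; root only
    widens the set of files that can be clobbered.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern from the advisory: a fixed, predictable path opened with
 * O_CREAT|O_TRUNC and no check for a symlink or an existing file. open()
 * follows the link, so whatever it points at is truncated with the caller's
 * (in the real binary, root's) privileges; a target that does not yet exist
 * is created with 0666 & ~umask, and the umask is inherited from the
 * unprivileged user who started the setuid program. */
static int open_log_insecure(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened variant: never follow a symlink (O_NOFOLLOW), never reuse an
 * existing file (O_EXCL), explicit restrictive mode under a known umask.
 * Failure must be treated as "do not log here", not "retry". */
static int open_log_safe(const char *path)
{
    mode_t old = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    umask(old);
    errno = saved;
    return fd;
}

/* Private scratch directory standing in for /tmp (hypothetical name). */
static int make_tmpdir(char *buf, size_t len)
{
    snprintf(buf, len, "/tmp/vpcdemo.XXXXXX");
    if (mkdtemp(buf) != NULL) return 0;
    snprintf(buf, len, "./vpcdemo.XXXXXX");  /* fallback if /tmp is unusable */
    return mkdtemp(buf) != NULL ? 0 : -1;
}

/* Case 1: attacker plants VPCServices_Log -> existing victim file, then the
 * service opens its log. Returns 1 if the insecure open truncated the victim
 * and the safe open refused, 0 otherwise, -1 on setup failure. */
int demo_symlink_truncation(void)
{
    char dir[64], victim[256], link[256];
    struct stat st;
    if (make_tmpdir(dir, sizeof dir) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/VPCServices_Log", dir);
    const char *data = "important data\n";        /* constructed victim */
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, data, strlen(data)) != (ssize_t)strlen(data)) return -1;
    close(fd);
    if (symlink(victim, link) != 0) return -1;    /* attacker's step */
    int ins = open_log_insecure(link);            /* vulnerable service */
    int truncated = ins >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (ins >= 0) close(ins);
    int safe = open_log_safe(link);               /* hardened service */
    int refused = safe < 0 && (errno == EEXIST || errno == ELOOP);
    if (safe >= 0) close(safe);
    unlink(link); unlink(victim); rmdir(dir);
    return (truncated && refused) ? 1 : 0;
}

/* Case 2: dangling symlink. The insecure open creates the target with a mode
 * decided by the umask the attacker set before starting the setuid binary.
 * Returns 1 if the new file is world-writable, 0 if not, -1 on setup failure. */
int demo_umask_leak(void)
{
    char dir[64], target[256], link[256];
    struct stat st;
    if (make_tmpdir(dir, sizeof dir) != 0) return -1;
    snprintf(target, sizeof target, "%s/new_file", dir);
    snprintf(link, sizeof link, "%s/VPCServices_Log", dir);
    if (symlink(target, link) != 0) return -1;
    mode_t old = umask(0);                        /* attacker's umask */
    int fd = open_log_insecure(link);
    umask(old);
    if (fd < 0) return -1;
    close(fd);
    int world_writable = stat(target, &st) == 0 && (st.st_mode & S_IWOTH) != 0;
    unlink(link); unlink(target); rmdir(dir);
    return world_writable ? 1 : 0;
}

int main(void)
{
    printf("case 1 (truncation via symlink, safe open refused): %d\n",
           demo_symlink_truncation());
    printf("case 2 (dangling symlink, world-writable file):     %d\n",
           demo_umask_leak());
    return 0;
}
```

    Build with cc -o vpcdemo vpcdemo.c and run it as an ordinary user; both
    cases print 1. Note that O_EXCL|O_NOFOLLOW only makes the open fail
    safely; a service that then falls back to another predictable name in
    /tmp is still attackable, so a privileged process should log to a
    directory only it can write, or use mkstemp(3)-style unpredictable
    names, rather than a fixed path in a world-writable directory.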

    Vendor Response:
    Microsoft has an updated version of the software available.

    Download information is available at:
    http://www.microsoft.com/technet/security/bulletin/MS04-005.asp

    Frequently Asked Questions:
    What is the scope of the vulnerability?
     This is a privilege elevation vulnerability. An attacker who successfully
    exploited this vulnerability on the Macintosh platform could gain complete
    control over the system. This would give the attacker the ability to take
    any action that they want on a system such as adding, deleting, or
    modifying data. It could also give the attacker the ability to delete or
    to create user accounts with root access.

    The vulnerability could only be exploited by an attacker who has
    credentials to log on to the computer interactively. Since restricted
    users are not normally permitted to log on to mission-critical servers,
    this vulnerability is primarily of concern on workstations or other
    multi-user computers.

    What causes the vulnerability?
    A vulnerability results because of the method by which Virtual PC for Mac
    uses a specific temporary file during execution. The code that opens the
    log file does not validate what it is about to write to (for example,
    that the path is not a symbolic link to another file) before creating or
    truncating it.

    What is Virtual PC for Mac?
    Microsoft Virtual PC for Mac version 6.1 allows users to run Microsoft
    Windows applications on the Macintosh platform. Virtual PC for Mac version
    6.1 marks the first release of the product since Microsoft acquired it
    from Connectix in February 2003.

    Can I install the update if I am running a previous version of Virtual PC
    for Mac?
    Yes - this update will bring the version of Virtual PC for Mac to version
    6.1.1. It is supported for Virtual PC 6.0, 6.01, 6.02, and 6.1. Updating
    to Virtual PC for Mac version 6.1.1 will help protect users from this
    vulnerability as well as enable users of Connectix Virtual PC for Mac to
    transition product support to Microsoft.

    What is wrong with the way that Microsoft Virtual PC for Mac handles
    temporary files?
    The vulnerability lies in the way that a temporary file is created when
    Microsoft Virtual PC is running. An attacker could manipulate that file
    (for example, by replacing it with a symbolic link) so that Virtual PC
    overwrites or creates files with root privileges, which can be leveraged
    to run code at system-level privileges.

    Why does this pose a security vulnerability?
    The vulnerability could provide a way for a process to cause Virtual PC to
    run arbitrary code on the Macintosh.

    What might an attacker use the vulnerability to do?
    To exploit this vulnerability, an attacker would have to run a
    specially designed program that prepares the temporary file in a specific
    way and then start Virtual PC for Mac, whose setuid-root service accesses
    that file. This vulnerability could then allow an attacker to gain
    complete control over the system.

    Who could exploit the vulnerability?
    A user with a valid user account on the system could seek to exploit the
    vulnerability.

    Which systems are primarily at risk from the vulnerability?
    Workstations and multi-user systems are primarily at risk. Servers are
    only at risk if users who do not have sufficient administrative
    credentials are given the ability to log on to servers and to run
    programs. However, best practices strongly discourage allowing these types
    of credentials.

    Could this vulnerability be anonymously exploited over the Internet?
    No. The attacker must be able to log on to the specific system that they
    want to attack. The attacker cannot load and run a malicious program
    remotely without already having access to an account on the remote
    computer.

    What does the update do?
    The update addresses the vulnerability by changing the way that Virtual PC
    for Mac uses the temporary file.

    ADDITIONAL INFORMATION

    The information has been provided by George Gal of @stake
    (advisories@atstake.com).

    The original article can be found at:
    http://www.atstake.com/research/advisories/2004/a021004-1.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

