Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:28552
HistorySep 07, 2012 - 12:00 a.m.

VMWare Tools susceptible to binary planting by hijack

2012-09-0700:00:00
vulners.com
10
JSON

Security Advisory - VMWare Tools susceptible to binary planting by hijack

Summary : VMWare Tools susceptible to binary planting
Date : 4 September 2012
Affected versions : Product versions prior to -
Workstation 8.0.4
Player 4.0.4
Fusion 4.1.2
View 5.1
ESX 5.0 P03
ESX 4.1 U3
Not affected: ESX 4.0, ESX 3.5
CVE reference : CVE-2012-1666

Details

VMWare Tools handles many functions involved with host-guest interactivity,
providing a richer environment for the end-user and server administrators alike.
Part of VMWare Tools responsibilities is handling printer services through host
and is called by a third-party acquired tool (ThinPrint).

During initiation, which occurs during many steps throughout printer comm.
negotiation, a non-existent dynamic-link library is called, resulting in an
unqualified dynamic-link library call to 'tpfc.dll'.

A user with local disk access can carefuly construct a DLL that suits the
pattern that is being traversed by the client and implement it somewhere along
the search path and the client will load it seamlessly.

Impact

After the DLL has been implemented, an unsuspected user that will run printer
services, for example, will cause it to load, resulting in arbitrary code
execution under user's privilege level.

This vector of attack is mainly used in a local privilege escalation scenarios,
user credential harvesting and can be used by malware to disguise itself,
amongst other uses.

Proof of Concept

#include <windows.h> 

int hijack_poc () 
{ 
  WinExec ( "calc.exe" , SW_NORMAL );
  return 0 ; 
} 
  
BOOL WINAPI DllMain 
	 (	HINSTANCE hinstDLL , 
		DWORD dwReason ,
		LPVOID lpvReserved ) 
{ 
  hijack_poc () ;
  return 0 ;
}

Solution

Official patches were delivered by vendor and can be fetched from www.vmware.com

Credits

The issue was responsibly reported by Moshe Zioni from Comsec Global Consulting.

Timeline

4 September 2012
Security advisory released by Comsec Consulting
31 August 2012
Vendor finished on deploying fixes to products, release notes published
13 March 2012
Vendor started to implement fixes to products
14 February 2012
First response from vendor
13 February 2012
Bug reported by Moshe Zioni from Comsec Global Consulting
to VMWare and third-party printer driver developers in sync

References

VMWare
http://www.vmware.com
Release notes
https://www.vmware.com/support/vsphere4/doc/vsp_esxi41_u3_rel_notes.html#resolvedissuessecurity

Comsec Global Consulting
http://www.comsecglobal.com/

Related

openvas 5
prion 1
securityvulns 1
ubuntucve 1
packetstorm 1
cve 1
nessus 1
openvas
openvas
VMware Workstation Insecure 'tpfc.dll' Code Execution Vulnerability (Windows)
2017-02-01 00:00:00
VMware Player Insecure 'tpfc.dll' Code Execution Vulnerability (Linux)
2017-02-01 00:00:00
VMware Fusion Insecure 'tpfc.dll' Code Execution Vulnerability (Mac OS X)
2017-02-01 00:00:00
prion
prion
Design/Logic Flaw
2012-09-08 10:28:00
securityvulns
securityvulns
VMWare Tools privilege escalation
2012-09-07 00:00:00
ubuntucve
ubuntucve
CVE-2012-1666
2012-09-08 00:00:00
packetstorm
packetstorm
VMWare Tools Binary Planting
2012-09-05 00:00:00
cve
cve
CVE-2012-1666
2012-09-08 10:28:00
nessus
nessus
VMSA-2012-0012 : VMware ESXi update to third-party library
2012-07-13 00:00:00
JSON
Related for SECURITYVULNS:DOC:28552
openvas5prion1securityvulns1ubuntucve1packetstorm1cve1nessus1