VMware Inc. markets "several virtualization products which allow multiple virtual computers to run on a single system". Local exploitation of an untrusted library path vulnerability in multiple products distributed by VMware Inc. could allow an attacker to execute arbitrary code with root privileges.
Vulnerable Systems:
* VMware Workstation version 6.0.2.59824 for Linux
* VMware GSX Server version 3.2.1.14497 for Linux
* VMware ESX Server version 3.0.1.32039
The Linux versions of VMware products include a program called 'vmware-authd', which is installed set-uid root. When this program is executed, it reads configuration options from the executing user's VMware configuration file. One such option allows the user to specify the directory in which to look for shared library modules needed by the program. By loading a specially crafted library, an attacker can execute arbitrary code with elevated privileges.
Analysis:
Exploitation of this vulnerability results in the execution of arbitrary code with root privileges. In order to exploit this vulnerability, an attacker must have access to execute the set-uid vmware-authd binary on an affected system. No additional credentials are needed.
Workaround:
To prevent exploitation of this vulnerability, modify the file permissions for the vmware-authd set-uid binary. Possible choices include removing the set-uid bit, or only allowing members of a trusted group to execute the binary.
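The following shell functions are an added example, not part of the original advisory or of any VMware tooling; they audit a set-uid binary and apply either of the two workaround choices above. The binary path and the trusted group are arguments supplied by the administrator (the advisory does not give an install path), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and apply the advisory's workaround to a set-uid binary.
# The file path and group are caller-supplied assumptions.

# Print the exposure state of the file at $1:
#   missing     - no such regular file
#   no-setuid   - the set-uid bit is not set
#   restricted  - set-uid, but not executable by "other"
#   exposed     - set-uid and executable by any local user
authd_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    [ -u "$1" ] || { echo no-setuid; return 0; }
    # find prints the path only if the "other" execute bit is set.
    if [ -n "$(find "$1" -prune -perm -0001)" ]; then
        echo exposed
    else
        echo restricted
    fi
}

# Apply one of the two workaround choices to $1:
#   authd_harden FILE nosuid        remove the set-uid bit
#   authd_harden FILE group GROUP   keep set-uid, allow execution by GROUP only
authd_harden() {
    case "$2" in
        nosuid)
            chmod u-s "$1" ;;
        group)
            [ -n "$3" ] || { echo "group name required" >&2; return 2; }
            # chgrp can clear the set-uid bit, so set the mode afterwards.
            chgrp "$3" "$1" && chmod 4750 "$1" ;;
        *)
            echo "usage: authd_harden FILE nosuid|group GROUP" >&2
            return 2 ;;
    esac
}
```

Run authd_state before and after authd_harden to confirm the binary has moved from "exposed" to "restricted" or "no-setuid".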