VMware Tools for Windows Remote Binary Planting Vulnerability
3 Sep. 2010
Summary
A "binary planting" vulnerability in VMware Tools for Windows allows local or remote (possibly Internet-based) attackers to deploy and execute malicious code on virtual Windows machines in the context of logged-on users.
Vulnerable Systems:
* VMware Tools for Windows build 91707
* VMware Tools for Windows version 7.8.4 build 126130
As a result of an incorrect dynamic link library loading in VMware Tools for Windows, an attacker can cause her malicious DLL to be loaded and executed from local drives, a remote Windows share, and even a share located on Internet.
All a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open any file from this network location with any Windows application - which should require minimal social engineering. Since Windows systems by default have the Web Client service running - which makes remote network shares accessible via WebDAV -, the malicious DLL can also be deployed from an Internet-based network share as long as the intermediate firewalls allow outbound HTTP traffic to the Internet.
A systematic attack could deploy malicious code to a large number of virtual Windows workstations in a short period of time, possibly as an Internet worm.
Patch Availability:
VMware has issued a security bulletin and published remediated versions of VMware Workstation, Player, ACE, Server and Fusion, and patches for ESX and ESXi that fix this issue: http://www.vmware.com/security/advisories/VMSA-2010-0007.html
Warning: It is not enough to install the new version or the patch; it is also necessary to upgrade VMware Tools in each affected virtual machine. On VMware Workstation, Player, ACE, Server and Fusion, the user will be automatically prompted to upgrade, while there will be no such prompt on ESX and ESXi. The upgrade of VMware Tools requires a subsequent reboot of the virtual machine.
Workaround:
A firewall blocking outbound WebDAV traffic (in addition to blocking all Windows Networking protocols) could stop an Internet-based attack.
Stopping the Web Client service could stop Internet-based attacks as long as the network firewall stops outbound Microsoft Networking protocols. This would not, however, stop remote LAN-based attacks where the attacker is able to place a malicious DLL on a network share inside the target (e.g., corporate) network.
