BUGTRAQ Digest - 23 Jan 2000 to 24 Jan 2000 (#2000-21) Subject: VMware 1.1.2 Symlink Vulnerability Date: Mon, 24 Jan 2000 08:48:43 -0600 From: harikiri <[EMAIL PROTECTED]> ------------------------------------------------- w00w00 Security Advisory - http://www.w00w00.org/ Title: VMware 1.1.2 Symlink Vulnerability Platforms: Linux Distributions with VMware 1.1.2 (build 364) Discovered: 17th January, 2000 Local: Yes. Remote: No. Author: harikiri <[EMAIL PROTECTED]> Vendor Status: Notified. Last Updated: N/A 1. Overview VMware stores temporary log files within the /tmp directory. It does not check whether all of these files exist prior to creation, resulting in the potential for a symlink attack. 2. Background VMware is a commercial application that enables the operation of "guest" operating systems within the host system. This is performed via the use of Virtual Machine technology. Due to the low-level requirements of VMware, it is necessary to run the program at a high privilege level, typically root. 3. Issue VMware creates the file "/tmp/vmware-log" on startup. The existance and owner of the file is not checked prior to writing startup information to the file. NOTE: VMware uses other files in the /tmp directory. The one cited above is only a single example. 4. Impact Local users may create a symlink from an arbitrary file to /tmp/vmware-log. When VMware is executed, the file pointed to by the symlink will be overwritten. This may be used as a local denial of service attack. There may also be a method to gain elevated privileges via the symlink attack, though none is known at this time. 5. Recommendation Wait for a fix from the vendor. 6. References - VMware Inc: http://www.vmware.com/ - w00w00 Security Development: http://www.w00w00.org/ -- To unsubscribe, send mail to [EMAIL PROTECTED] with the body "unsubscribe ilug-cal" and an empty subject line. FAQ: http://www.ilug-cal.org/help/faq_list.html
