Re: VMSA-2009-0013 VMware Fusion resolves two security issues

[mu-b <mu-b () digit-labs org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All - the first bug is self-explanatory,

> # Kernel denial of service vulnerability
> An integer overflow vulnerability in the vmx86 kernel extension allows
> for a denial of service by an unprivileged user.

The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,

http://www.digit-labs.org/files/exploits/vmware-pop.c

> # Kernel code execution vulnerability
> An ioctl vulnerability in the vmx86 kernel extension allows for
> executing arbitrary code in the kernel context by an unprivileged
> user.

The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.

http://www.digit-labs.org/files/exploits/vmware-fission.c

- --
mu-b
(mu-b () digit-labs org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrFvGUACgkQY0H9BP42EjxSCACdEzIXe0D8n+VVplyEsuCbPBKS
TjAAnAnHUPOSKrphGeaynF5bIKYQNyPY
=lMJv
-----END PGP SIGNATURE-----