Bugtraq mailing list archives
Re: VMSA-2009-0013 VMware Fusion resolves two security issues
From: mu-b <mu-b () digit-labs org>
Date: Fri, 02 Oct 2009 09:40:05 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All - the first bug is self-explanatory,
# Kernel denial of service vulnerability An integer overflow vulnerability in the vmx86 kernel extension allows for a denial of service by an unprivileged user.
The vmx86 kext ioctl handler contains several integer overflows which lead to kernel heap corruptions. These are probably not exploitable, and I didn't try given the second bug, http://www.digit-labs.org/files/exploits/vmware-pop.c
# Kernel code execution vulnerability An ioctl vulnerability in the vmx86 kernel extension allows for executing arbitrary code in the kernel context by an unprivileged user.
The vmx86 kext ioctl handler permits an unprivileged userland program to initialize several function pointers via the 0x802E564A ioctl code. These function pointers are later used from several reachable locations within the driver, one of which is called immediately after initialization. http://www.digit-labs.org/files/exploits/vmware-fission.c - -- mu-b (mu-b () digit-labs org) "Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrFvGUACgkQY0H9BP42EjxSCACdEzIXe0D8n+VVplyEsuCbPBKS TjAAnAnHUPOSKrphGeaynF5bIKYQNyPY =lMJv -----END PGP SIGNATURE-----
Current thread:
- VMSA-2009-0013 VMware Fusion resolves two security issues VMware Security team (Oct 02)
- Re: VMSA-2009-0013 VMware Fusion resolves two security issues mu-b (Oct 02)