mailing list archives
Re: VMSA-2009-0013 VMware Fusion resolves two security issues
From: mu-b <mu-b () digit-labs org>
Date: Fri, 02 Oct 2009 09:40:05 +0100
-----BEGIN PGP SIGNED MESSAGE-----
All - the first bug is self-explanatory,
# Kernel denial of service vulnerability
An integer overflow vulnerability in the vmx86 kernel extension allows
for a denial of service by an unprivileged user.
The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,
# Kernel code execution vulnerability
An ioctl vulnerability in the vmx86 kernel extension allows for
executing arbitrary code in the kernel context by an unprivileged
The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.
(mu-b () digit-labs org)
"Only a few people will follow the proof. Whoever does will
spend the rest of his life convincing people it is correct."
- Anonymous, "P ?= NP"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----