Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: VMSA-2009-0013 VMware Fusion resolves two security issues
From: mu-b <mu-b () digit-labs org>
Date: Fri, 02 Oct 2009 09:40:05 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All - the first bug is self-explanatory,

# Kernel denial of service vulnerability
An integer overflow vulnerability in the vmx86 kernel extension allows
for a denial of service by an unprivileged user.

The vmx86 kext ioctl handler contains several integer overflows which
lead to kernel heap corruptions. These are probably not exploitable, and
I didn't try given the second bug,

http://www.digit-labs.org/files/exploits/vmware-pop.c

# Kernel code execution vulnerability
An ioctl vulnerability in the vmx86 kernel extension allows for
executing arbitrary code in the kernel context by an unprivileged
user.

The vmx86 kext ioctl handler permits an unprivileged userland program to
initialize several function pointers via the 0x802E564A ioctl code.
These function pointers are later used from several reachable locations
within the driver, one of which is called immediately after initialization.

http://www.digit-labs.org/files/exploits/vmware-fission.c

- --
mu-b
(mu-b () digit-labs org)

  "Only a few people will follow the proof. Whoever does will
     spend the rest of his life convincing people it is correct."
        - Anonymous, "P ?= NP"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrFvGUACgkQY0H9BP42EjxSCACdEzIXe0D8n+VVplyEsuCbPBKS
TjAAnAnHUPOSKrphGeaynF5bIKYQNyPY
=lMJv
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]