oss-sec mailing list archives

Re: CVE-2025-22247 - Insecure file handling vulnerability in open-vm-tools


From: Jacob Bachmeyer <jcb62281 () gmail com>
Date: Thu, 25 Sep 2025 20:45:56 -0500

On 9/25/25 01:38, VMware PSIRT wrote:
[...]

[...] However, as you can see we are performing
realpath() check after we completed the open() but before we read
anything from the file. So, there is no use of pathname after realpath()
call here.

That does not close the race window.

An attacker can rename() a directory out of the way, plant a symlink while you open() the file, then rename() the directory back into place between your open() and realpath() calls.

While double-checking the man page to be sure that rename(2) will do that, I found the renameat2(2) call with the RENAME_EXCHANGE flag, with an example of swapping a symlink and a non-empty directory... this appears to be a supported use...


-- Jacob
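As an added example (not part of this thread and not open-vm-tools code), here is the defensive pattern that closes the open()-then-realpath() gap discussed above: every path component is opened through openat() with O_NOFOLLOW, and the final check is an fstat() on the descriptor that was actually opened, so a symlink swapped into the path by rename() or RENAME_EXCHANGE is refused with ELOOP instead of being followed. The function names, the temp directory and the file names in the self-check are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Open `path` one component at a time with O_NOFOLLOW, then validate the fd itself.
 * Returns a read-only fd for a regular file, or -1 with errno set (ELOOP on any symlink). */
int open_no_symlinks(const char *path) {
    char buf[PATH_MAX];
    if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) { errno = ENAMETOOLONG; return -1; }
    int dirfd = open(path[0] == '/' ? "/" : ".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0) return -1;
    char *save = NULL, *comp = strtok_r(buf, "/", &save);
    while (comp) {
        char *next = strtok_r(NULL, "/", &save);   /* NULL on the last component */
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EINVAL; return -1; }
        int flags = O_RDONLY | O_NOFOLLOW | O_CLOEXEC | (next ? O_DIRECTORY : 0);
        int fd = openat(dirfd, comp, flags);       /* a symlink here fails with ELOOP */
        int saved = errno; close(dirfd); errno = saved;
        if (fd < 0) return -1;
        if (!next) {
            struct stat st;                        /* check the object we opened, not the name */
            if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)) return fd;
            close(fd); errno = EINVAL; return -1;
        }
        dirfd = fd; comp = next;
    }
    close(dirfd); errno = EINVAL; return -1;       /* path was "" or "/" */
}
/* Constructed self-check: a temp dir holding real.txt and link.txt -> real.txt.
 * Returns 1 if the real path opens and the symlink path is refused with ELOOP. */
int self_check(void) {
    char dir[] = "/tmp/nosymXXXXXX", real[PATH_MAX], lnk[PATH_MAX];
    if (!mkdtemp(dir)) return 0;
    snprintf(real, sizeof real, "%s/real.txt", dir); snprintf(lnk, sizeof lnk, "%s/link.txt", dir);
    int ok = 0, fd = open(real, O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, 0600);
    if (fd >= 0 && symlink("real.txt", lnk) == 0) {
        int a = open_no_symlinks(real);
        int b = open_no_symlinks(lnk), e = errno;
        ok = a >= 0 && b < 0 && e == ELOOP;
        if (a >= 0) close(a);
        unlink(lnk);
    }
    if (fd >= 0) { close(fd); unlink(real); }
    rmdir(dir); return ok;
}
```

Because the validation is performed on the returned descriptor, anything read from it afterwards is guaranteed to be the regular file that passed the check, whatever happens to the pathname in the meantime.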


