Vulnerability in VMWare Workstation installer. Not a 0-day anymore.

The only reason for mentioning the vulnerability is… Bragging. Yes, I’m going to brag about the first vulnerability I had discovered and reported before the CVE was issued =) I found several vulnerabilities earlier, but all of them already had a CVE published, so it was useless.

The vulnerability in VMWare Workstation and Player installer allowed criminal to launch any code you may embed into a .htm page. Well, the page must be placed in the same directory where the installer is placed and it will shoot your computer only if you are installing the new version, but, hey, it’s my firstling and my work is not to look for those! =)

What it looked like before version 7.1.2:

1) If we have a folder where there is an index.htm file and, say, VMWare Workstation 7.1.1 file

image

2) and run our installation, then, after elevation prompt all of a sudden:

image

What the heck is this???!!! Well, this is what our malicious .htm file does. Of course, no one is going to click the link if it looks like this (and with such a text), though… Well, that’s another story. Nevertheless, if we will succeed in putting into that file some script or will make the page look like installer window and place some link in it… Then our malicious file will be executed with elevated privileges.

Very narrow attack vector, of course, but still I’m glad it is closed now.

P.S. Of course bragging is not the only reason to write about this topic: finding the issue gave me two more ideas for discussion, so consider this article as an introductory one.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s