VMware 'break out' vulnerability discovered

A vulnerability in VMware's desktop virtualisation products allows malicious software or users to escape the virtualised environment and interact with the host OS.

The flaw lies in the handling of shared folders.

Researchers at Core Security Technologies' CoreLabs have revealed that even though VMware tightened pathname checking for shared folders following the March 2007 discovery of a related vulnerability, it is still possible to gain complete access to the underlying file system through the use of multi-byte encodings.

Once that has been achieved, an attacker could create or modify files on the host operating system, including executables.

The vulnerability applies to Windows-hosted versions of VMware Workstation, Player and ACE. VMware Server is not affected because it does not use shared folders, and nor is ESX Server, which runs under a hypervisor rather than a host OS.

VMware officials have stated that the Mac OS X-based VMware Fusion and the Linux-hosted versions of its products do not have this vulnerability.

"What's most relevant about this vulnerability is it demonstrates how virtual environments can provide an open door to the underlying infrastructures that host them," said Iván Arce, chief technology officer at Core Security Technologies.

VMware recommends disabling shared folders in all virtual machines, but has pointed out that this is the default setting in Workstation 6, Player 2 and ACE 2, and that even though shared folders are enabled by default in Workstation 5, Player 1 and ACE 1, exploitation also requires that one or more folders are set up for sharing in the host operating system.
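To check a host against that recommendation, the following added example (not from the article, VMware or Core Security) scans `.vmx` configuration text and reports every shared folder that is both enabled and mapped to a host path. The `sharedFolderN.*` key names are an assumption based on the usual `.vmx` layout, and the sample configuration is constructed.

```python
import re
import sys

# Constructed sample .vmx text. The sharedFolderN.* key names are an assumption
# of this example (usual .vmx layout); the article does not specify them.
SAMPLE_VMX = r"""
displayName = "build-vm"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\dev\share"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "D:\iso"
"""

LINE_RE = re.compile(r'^\s*([^#\s=]+)\s*=\s*"(.*)"\s*$')
FOLDER_RE = re.compile(r"^sharedFolder(\d+)\.(\w+)$", re.IGNORECASE)

def parse_vmx(text):
    """Return {key: value} for every `key = "value"` line; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def active_shared_folders(text):
    """List shared folders that are present, enabled and mapped to a host path."""
    folders = {}
    for key, value in parse_vmx(text).items():
        m = FOLDER_RE.match(key)
        if m:  # group per folder index, with case-insensitive attribute names
            folders.setdefault(int(m.group(1)), {})[m.group(2).lower()] = value
    findings = []
    for index, attrs in sorted(folders.items()):
        def is_true(name):
            return attrs.get(name, "").upper() == "TRUE"
        if is_true("present") and is_true("enabled") and attrs.get("hostpath"):
            findings.append({"index": index, "host_path": attrs["hostpath"],
                             "writable": is_true("writeaccess")})
    return findings

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass one or more .vmx files to audit
        with open(path, errors="replace") as fh:
            for hit in active_shared_folders(fh.read()):
                print(path, hit)
```

Run it with the paths of the `.vmx` files on a Windows host; a virtual machine with no output has no active shared folder under these assumptions.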