ESB-2005.1013 -- [Win][Linux] -- VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
Date: 28 December 2005
Original URL: http://www.auscert.org.au/render.html?cid=21&it=5871
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2005.1013 -- [Win][Linux]
VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
28 December 2005
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           VMware Workstation 5.5 and prior
                   VMware GSX Server 3.2 and prior
                   VMware ACE 1.0.1 and prior
                   VMware Player 1.0 and prior
Publisher:         US-CERT
Operating System:  Windows
                   Linux variants
                   Solaris
Impact:            Root Compromise
                   Administrator Compromise
                   Execute Arbitrary Code/Commands
Access:            Remote/Unauthenticated
CVE Names:         CVE-2005-4459
Original Bulletin: http://www.kb.cert.org/vuls/id/856689
- --------------------------BEGIN INCLUDED TEXT--------------------
US-CERT Vulnerability Note VU#856689
VMware NAT Service vulnerable to buffer overflow via FTP PORT/EPRT commands
Overview
The VMware NAT Service used in multiple VMware products contains a buffer
overflow in the way it handles FTP PORT and EPRT commands. An attacker
could execute arbitrary code with the privileges of the NAT service or
cause a denial of service.
I. Description
VMware virtualization software provides Network Address Translation (NAT)
for guest systems to access networks. The VMware NAT Service does not
adequately validate parameters to the PORT and EPRT commands. As a result,
specially crafted PORT or EPRT commands can trigger a buffer overflow.
VMware Workstation, GSX Server, ACE, and Player products for Windows,
Linux, and Solaris host platforms are affected. Additional information
is available in VMware Knowledge Base Answer ID 2000.
To exploit this vulnerability, an attacker would need to convince a user
to run code provided by the attacker on a VMware guest/virtual system.
The attacker could then cross the boundary of the guest system and run
arbitrary code within the context of the NAT process on the VMware host
system. This attack vector is of particular concern to users who
intentionally run untrusted code in VMware environments (for example,
for malware analysis), since the guest is the trust boundary they rely on.
An attacker could also exploit this vulnerability remotely if the VMware
NAT Service is configured to forward connections to guest/virtual systems.
By default, the VMware NAT Service is not configured to forward
connections. In either scenario it may be necessary for the attacker to
connect to an FTP server through the NAT service in order to issue crafted
PORT or EPRT commands, because a NAT FTP helper only parses those commands
on traffic it treats as an FTP control channel.
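The flaw the note describes is in the FTP helper of the NAT service: it must parse the client's PORT and EPRT arguments in order to rewrite them, and it did not bound what it accepted. The following is an added example, written for this page and not VMware's code, of what a bounded PORT/EPRT parser for such a helper looks like. The field formats come from RFC 959 (PORT: six decimal fields, each 0..255) and RFC 2428 (EPRT: delimiter, protocol number, address, port); the function names, the ftp_endpoint struct and the sample inputs are the example's own. The short unsafe_eprt_addr_copy routine is shown only as a contrast for the bug class (unchecked copy of a client-sized field into a fixed buffer); it is not what VMware shipped and the parser never calls it.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data-connection endpoint announced by PORT (RFC 959) or EPRT (RFC 2428).
 * addr is sized for the longest legal textual address (IPv6 plus NUL), and
 * every write into it below is length-checked against that size first. */
typedef struct {
    int      family;                  /* 1 = IPv4, 2 = IPv6, RFC 2428 numbering */
    char     addr[INET6_ADDRSTRLEN];
    uint16_t port;
} ftp_endpoint;

/* For contrast only: the bug class. A fixed stack buffer filled from the
 * client-controlled address field with no length check. An illustration of the
 * pattern, not VMware's code; the parser below never calls it. */
void unsafe_eprt_addr_copy(const char *field, size_t len) {
    char addr[INET6_ADDRSTRLEN];
    memcpy(addr, field, len);         /* len is whatever the client sent */
    addr[len] = '\0';
}

/* True at the end of the argument: NUL or the CRLF that ends the command line. */
static bool at_end(const char *s) { return *s == '\0' || *s == '\r' || *s == '\n'; }

/* Read 1..maxdigits decimal digits, value <= max, into *out.
 * Returns chars consumed, or 0 if the field is empty, too long or too large. */
static size_t read_num(const char *s, size_t maxdigits, unsigned max, unsigned *out) {
    unsigned v = 0; size_t n = 0;
    while (n < maxdigits && isdigit((unsigned char)s[n])) { v = v * 10 + (unsigned)(s[n] - '0'); n++; }
    if (n == 0 || v > max || isdigit((unsigned char)s[n])) return 0;
    *out = v;
    return n;
}

/* PORT h1,h2,h3,h4,p1,p2: six 0..255 fields, port = p1*256 + p2 (port 0 rejected). */
bool parse_port_arg(const char *arg, ftp_endpoint *ep) {
    unsigned f[6];
    const char *p = arg;
    for (int i = 0; i < 6; i++) {
        size_t n = read_num(p, 3, 255, &f[i]);
        if (n == 0) return false;
        p += n;
        if (i < 5 && *p++ != ',') return false;
    }
    if (!at_end(p)) return false;     /* a seventh field or other trailing junk */
    unsigned port = f[4] * 256 + f[5];
    if (port == 0) return false;
    ep->family = 1;
    snprintf(ep->addr, sizeof ep->addr, "%u.%u.%u.%u", f[0], f[1], f[2], f[3]);
    ep->port = (uint16_t)port;
    return true;
}

/* EPRT <d>proto<d>addr<d>port<d>. The address field is client-sized, so its
 * length is checked against the destination before any copy, and the copy is
 * then validated with inet_pton so only a real address reaches the helper. */
bool parse_eprt_arg(const char *arg, ftp_endpoint *ep) {
    char d = arg[0];
    /* RFC 2428 allows any ASCII 33..126 delimiter; also refuse ones that can occur inside a field. */
    if (d < 33 || d > 126 || isalnum((unsigned char)d) || d == '.' || d == ':') return false;
    const char *p = arg + 1;
    if ((p[0] != '1' && p[0] != '2') || p[1] != d) return false;
    int family = p[0] - '0';
    p += 2;
    const char *end = strchr(p, d);
    if (end == NULL) return false;
    size_t alen = (size_t)(end - p);
    if (alen == 0 || alen >= sizeof ep->addr) return false;   /* the bounds check */
    char addr[INET6_ADDRSTRLEN];
    memcpy(addr, p, alen);
    addr[alen] = '\0';
    unsigned char bin[16];
    if (inet_pton(family == 1 ? AF_INET : AF_INET6, addr, bin) != 1) return false;
    p = end + 1;
    unsigned port = 0;
    size_t n = read_num(p, 5, 65535, &port);
    if (n == 0 || port == 0 || p[n] != d || !at_end(p + n + 1)) return false;
    ep->family = family;
    memcpy(ep->addr, addr, alen + 1);
    ep->port = (uint16_t)port;
    return true;
}

/* Dispatch on the verb of one control-channel line ("PORT ..." or "EPRT ...",
 * case-insensitive). Anything else, or any malformed argument, is rejected. */
bool parse_ftp_data_cmd(const char *line, ftp_endpoint *ep) {
    char verb[5] = {0};
    for (int i = 0; i < 4; i++) { if (line[i] == '\0') return false; verb[i] = (char)toupper((unsigned char)line[i]); }
    if (line[4] != ' ') return false;
    if (strcmp(verb, "PORT") == 0) return parse_port_arg(line + 5, ep);
    if (strcmp(verb, "EPRT") == 0) return parse_eprt_arg(line + 5, ep);
    return false;
}
```

The two checks that matter for this bug class are the ones on `alen` (length of the client-supplied address against the destination buffer, before the copy) and on digit counts in read_num (so a field like "999999" can never reach arithmetic or a buffer that assumed 0..255); everything after them is ordinary protocol validation.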
II. Impact
An attacker could execute arbitrary code with the privileges of the
VMware NAT Service (Local System on Windows platforms, root on Linux
platforms) or cause a denial of service.
III. Solution
Upgrade
This vulnerability is addressed in:
* VMware Workstation 5.5.1
* VMware GSX Server 3.2.1
* VMware ACE 1.0.2
* VMware Player 1.0.1
The latest releases of these products are available from the VMware
Download Center.
Disable VMware NAT Service
Disable the VMware NAT Service as described in VMware Knowledge Base
Answer ID 2002.
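Whether the remote vector is open on a particular host depends on the forwarding configuration the note mentions. The following is an added example, not from the bulletin or from VMware, that audits the NAT service's configuration text for inbound forwards. It assumes the layout of VMware's nat.conf (vmnetnat.conf on Windows hosts, /etc/vmware/vmnet8/nat/nat.conf on Linux hosts; both locations come from VMware's documentation rather than from this bulletin, so confirm the path for your version): rules live under [incomingtcp] and [incomingudp] as "external_port = guest_ip:guest_port", and a leading '#' comments a rule out. The embedded sample configuration is constructed. A result of zero forwards closes only the remote vector; a guest can still reach the NAT service's FTP handling from inside, so the upgrade remains the fix.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* One inbound port-forward rule: host port -> guest ip:port, over tcp or udp. */
typedef struct {
    char     proto[4];    /* "tcp" or "udp" */
    unsigned ext_port;    /* port opened on the host's external interface */
    char     vm_ip[16];   /* guest address, dotted quad as written in the file */
    unsigned vm_port;
} nat_forward;

/* Scan nat.conf text for active rules under [incomingtcp] / [incomingudp].
 * A rule line reads "8080 = 172.16.3.128:80"; a leading '#' comments it out,
 * which is how the shipped file presents its examples (assumed format, see the
 * lead-in). Returns the number of active rules, which may exceed max; the
 * first max of them are written to out[]. */
size_t find_nat_forwards(const char *conf, nat_forward *out, size_t max) {
    char section[32] = "";
    size_t found = 0;
    const char *line = conf;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        const char *next = nl ? nl + 1 : line + len;
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;  /* truncate, never overrun */
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = next;

        char *s = buf;
        while (isspace((unsigned char)*s)) s++;
        if (*s == '\0' || *s == '#') continue;         /* blank or commented out */
        if (*s == '[') {                                /* section header */
            char *close = strchr(s, ']');
            if (close == NULL) continue;
            *close = '\0';
            snprintf(section, sizeof section, "%s", s + 1);
            continue;
        }
        const char *proto = strcmp(section, "incomingtcp") == 0 ? "tcp"
                          : strcmp(section, "incomingudp") == 0 ? "udp" : NULL;
        if (proto == NULL) continue;                    /* [host], [udp], ... */

        nat_forward fw;
        memset(&fw, 0, sizeof fw);
        /* %15[ bounds the address copy; lines not shaped like a rule are skipped */
        if (sscanf(s, "%u = %15[0-9.]:%u", &fw.ext_port, fw.vm_ip, &fw.vm_port) != 3) continue;
        snprintf(fw.proto, sizeof fw.proto, "%s", proto);
        if (found < max) out[found] = fw;
        found++;
    }
    return found;
}

/* Constructed sample in the layout of nat.conf; not taken from any real host. */
static const char SAMPLE_NAT_CONF[] =
    "[host]\n"
    "ip = 192.168.27.2\n"
    "netmask = 255.255.255.0\n"
    "\n"
    "[incomingtcp]\n"
    "# Use these with care - anyone can enter into your VM through these...\n"
    "#8080 = 172.16.3.128:80\n"
    "2121 = 192.168.27.128:21\n"
    "\n"
    "[incomingudp]\n"
    "#6000 = 172.16.3.0:6001\n";

int main(void) {
    nat_forward fw[16];
    size_t n = find_nat_forwards(SAMPLE_NAT_CONF, fw, 16);
    if (n == 0) {
        puts("no inbound forwards configured: remote vector not exposed");
        return 0;
    }
    printf("%zu inbound forward(s) configured; remote vector may be reachable:\n", n);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("  %s host:%u -> %s:%u\n", fw[i].proto, fw[i].ext_port, fw[i].vm_ip, fw[i].vm_port);
    return 1;
}
```

To run it against a real host, read the configuration file into a buffer and pass it to find_nat_forwards; the non-zero exit status makes it usable from a fleet audit script. Any active forward means the FTP control channel of a guest FTP server may be reachable from outside, which is the condition the note gives for remote exploitation.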
Systems Affected
Vendor    Status        Date Updated
VMware    Vulnerable    21-Dec-2005
References
http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1068.html
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2000
http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=2002
http://www.vmware.com/download/
http://www.ietf.org/rfc/rfc1631.txt
http://www.ietf.org/rfc/rfc2428.txt
http://secunia.com/advisories/18162/
http://www.securityfocus.com/bid/15998
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4459
Credit
This vulnerability was reported by Tim Shelton.
This document was written by Art Manion.
Other Information
Date Public 12/21/2005
Date First Published 12/21/2005 05:26:43 PM
Date Last Updated 12/23/2005
CERT Advisory
CVE Name CVE-2005-4459
Metric 4.36
Document Revision 24
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBQ7ILPyh9+71yA2DNAQJdsgQAlBNeDVTSDLAENb2PQmQD39KrvysFGSVR
IVYHX9XccMgrEV72biGTQ/LO8+G/ZnyKTKOasHVZWu6wNLcMQmPN//89ol5txC66
g7FQprpPWKj4jvuAfCnssMY8yxRQrcghjPZ785zkd49MzSXYXHrinrnXdJQuFZ3U
9e23nqakKLg=
=5u7g
-----END PGP SIGNATURE-----