VMware Running on Windows Host Security Hole

If you are running VMware on a Windows host configured with host-to-guest shared folders, it is possible for a program running in the guest to gain access to the host’s complete file system and create or modify executable files in sensitive locations.

A vulnerability exists in VMware’s shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host’s file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.

Affected versions include:

  • VMware Workstation 6.0.2 and earlier
  • VMware Workstation 5.5.4 and earlier
  • VMware Player 2.0.2 and earlier
  • VMware Player 1.0.4 and earlier
  • VMware ACE 2.0.2 and earlier
  • VMware ACE 1.0.2 and earlier

The following VMware products are not affected:

  • VMware Server is not affected because it does not use shared folders.
  • No versions of ESX Server, including ESX Server 3i, are affected by this vulnerability. Because ESX Server is based on a bare-metal hypervisor architecture, not a hosted architecture, it does not include any shared folder abilities.
  • VMware Fusion and Linux-hosted VMware products are unaffected.


Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

To disable shared folders in the Global settings:
  1. From the VMware product’s menu, choose Edit > Preferences.
  2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.
To disable shared folders for the individual virtual machine settings:
  1. From the VMware product’s menu, choose VM > Settings.
  2. In the Options tab, select Shared Folders and Disable.
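
To confirm the per-VM setting actually took effect, the VM's configuration file can be checked for folders that are still enabled. This is an added example, not VMware's or the original post's code; it assumes the standard `.vmx` key names `sharedFolderN.enabled`, `sharedFolderN.hostPath` and `sharedFolderN.writeAccess`, which do not appear on this page, and the sample file contents are constructed.

```python
import re

# .vmx files hold one setting per line in the form: key = "value".
# The sharedFolderN.* key names are an assumption (not quoted from this page).
_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"(.*)"\s*$')
_FOLDER = re.compile(r'^sharedfolder(\d+)\.(\w+)$')

def parse_vmx(text):
    """Return {lowercased key: value} for every key = "value" line."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = _LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def enabled_shared_folders(text):
    """List (index, host_path, writable) for each shared folder still enabled."""
    folders = {}
    for key, value in parse_vmx(text).items():
        m = _FOLDER.match(key)
        if m:  # sharedFolder.maxNum has no index and is skipped here
            folders.setdefault(int(m.group(1)), {})[m.group(2)] = value
    findings = []
    for idx in sorted(folders):
        f = folders[idx]
        if f.get("enabled", "").upper() == "TRUE":
            writable = f.get("writeaccess", "").upper() == "TRUE"
            findings.append((idx, f.get("hostpath", ""), writable))
    return findings

# Constructed sample: folder 0 is still enabled, folder 1 has been disabled.
SAMPLE_VMX = r'''
displayName = "test-guest"
sharedFolder.maxNum = "2"
sharedFolder0.present = "TRUE"
sharedFolder0.enabled = "TRUE"
sharedFolder0.writeAccess = "TRUE"
sharedFolder0.hostPath = "C:\Users\me\share"
sharedFolder1.present = "TRUE"
sharedFolder1.enabled = "FALSE"
sharedFolder1.hostPath = "D:\iso"
'''

if __name__ == "__main__":
    for idx, path, writable in enabled_shared_folders(SAMPLE_VMX):
        print(f"sharedFolder{idx} still enabled: {path} (writable={writable})")
```

An empty result for every `.vmx` file on the host means no guest has a shared folder enabled.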

Out of the Box, the ASUS Eee PC is Incredibly Insecure

HDM pointed out on the Metasploit blog that the guys from RISE Security rooted an ASUS Eee PC quite easily. They used Metasploit to exploit a Samba vulnerability that was published in July 2007 – almost seven months ago.

Why is ASUS shipping new products with vulnerabilities that are serious enough to allow attackers to gain root access through commonly used security tools such as the Metasploit Framework?

Carl at CandyFOSS doesn’t think this could realistically be exploited, but I’m not so sure.

I’ve searched all over ASUS’s support website, and have not found a downloadable patch for this problem. One of my school districts just ordered 60 Eee PCs, and you can rest assured there’s no way I’m letting these devices out of the box until I can find a fix.

Anyone out there who has one of these machines, can you confirm if there is a patch that is automatically installed through the update process to address this vulnerability?

The ISC has a brief write-up of additional information the Eee PC reveals in its default configuration.

SBS 2003 and Microsoft Security Bulletin MS08-006

I was scanning through Microsoft Security Bulletin MS08-006 and saw the Aggregate Severity Rating was ‘Important’ for all versions of Windows XP and Windows 2003. Because no critical ratings were listed, I felt secure in waiting a day or two before applying this patch. I tend to wait for others to find patch problems before I apply them to my vital machines.

Luckily Susan pointed out that in fine print at the bottom of the Security Bulletin is the following:

Note Supported editions of Windows Small Business Server 2003 contain the same affected code as Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2. However, for the ASP Vulnerability (CVE-2008-0075), default configurations of Windows Small Business Server 2003 have a greater exposure to the same vulnerability and therefore merit a severity rating of Critical.

Gee, thanks Microsoft for putting all the effort into making sure security professionals are aware that Small Business Server has this critical vulnerability. Talk about being the red headed stepchild of the server world.

Check out Hello Secure World Virtual Labs

Microsoft’s Hello Secure World web site has some very nice virtual labs all network administrators should take a run through. You’ll be introduced to some of the attacks the bad guys use to try to penetrate our networks, such as Cross Site Scripting and SQL Injection.

This site is definitely targeted towards the MSDN/developer crowd, but any IT professional who deals with web servers or network security should be aware of these potential threats that target both poorly secured web applications and the users who interact with them.

The site requires Internet Explorer, Java, and Silverlight.

MS08-001 details and exploit video

Here is an interesting, albeit highly technical video analyzing a buffer overflow vulnerability described in MS08-001. I knew assembly language back in college, but it was still tough for me to understand how the code analysis was performed. For those who are not familiar with this security bulletin:

According to ISS, who discovered this issue, “Microsoft Windows TCP/IP is the network communication protocol that is used by all Microsoft operating systems. The two components affected by remote code execution vulnerabilities, IGMPv3 (XFID 39452) and MLDv2 (XFID 39453), are enabled by default. Although MLDv2 is available only on Windows Vista for IPv6 support, IGMPv3 is available on all affected platforms. An attacker does not need to invoke any kind of user interaction to exploit this vulnerability. The lack of user interaction, widespread availability of the protocols, and the possibility of complete compromise of targeted systems means that administrators should treat this vulnerability as highly critical.”

According to Steve Gibson in his Security Now podcast episode #126, it’s just a matter of time until someone writes a nasty worm to exploit the vulnerability in the Windows TCP/IP stack described in Microsoft Security Bulletin MS08-001. Microsoft states that an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Interestingly enough, the severity of this vulnerability is different depending on which version of Windows you are running. It’s considered a moderate risk for Windows 2000 SP4, important for Windows Server 2003 SP1 and SP2, and critical for Windows XP SP2, Windows Small Business Server 2003 SP2, and Windows Vista.

Keep an eye on KB 941644 for any new information on this vulnerability. You can also read a three part post on the Microsoft Security Vulnerability Research & Defense Technet blog with lots of technical details. Now, in part three, Microsoft makes it sound difficult, if not highly improbable, to exploit this flaw.

But Dave says on the DailyDave

“You’ll be able to trigger it every time, especially on a local LAN”

and in an infoworld.com article he states

“It reliably crashes Windows machines. In fact, it blue-screened our print server by accident — this is a broadcast attack, after all.”

and Holly on the iss.net blog notes

“This leads to one of the things that make this set of vulnerabilities so unique. These issues are kernel-level vulnerabilities in TCP/IP and are so low in the stack that most host-based protection products would miss them. Even if you have IPS in your host product, the standard APIs that protection vendors hook into on XP and Windows 2000 do not provide protection at this low level in TCP/IP” … “So, the problem with most host-based protection against this TCP/IP kernel vulnerability is that many products will never see an attack. Standard AV won’t work and neither would behavior blocking, including generic buffer overflow protection, because they don’t monitor at that low of a level and the exploit would never make it past the TCP/IP stack. For most, the only true way to protect against this attack is to apply the patch or disable multicast functionality in its entirety, which disables a lot of good things like some streaming media applications, some file distribution systems, etc.”

You’ll want to scan your network with a tool like the Microsoft Baseline Security Analyzer (MBSA), which allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. Once you identify unpatched machines, get the updates applied as soon as possible, since neither a perimeter nor desktop firewall will protect your Windows machines from potential exploits.

[updated 01-30-2008]

Immunity Inc has a flash video detailing their working exploit of this security problem. It looks like this is no longer at the proof of concept stage.

Printer spamming on port 9100

Jeremiah Grossman posted about an interesting proof of concept paper Aaron Weaver wrote about spamming printers from the Internet. He is able to perform this cross-site printing exploit that uses RAW IP printing on port 9100 to print out ASCII art on an unsuspecting user’s printer.

I decided to try this out for myself on my two Xerox printers at the office. I loaded up a web browser and pointed it to the printer’s IP address and port 9100, ala This caused the printer to spit out a fairly benign page detailing my browser’s GET request.

While this accomplishment in itself is not that exciting, Jeremiah had already shown how easy it is to determine internal IP addressing details in his Black Hat 2007 presentation, Hacking The Internet From The Intranet. Check out the simple script at http://www.reglos.de/myaddress/ that displays a visitor’s internal IP address, even if you’re visiting the site from behind a NAT router or firewall. Imagine some clever JavaScript discovering all devices listening on port 9100, all from the Internet!

Aaron goes on to discuss and give examples of possible attack vectors this could potentially use to spam your printer. Give his paper a look, it’s only four pages long and very easy to read and understand. And if you want to find all printers on your network listening on port 9100, run an nmap scan like the following:

nmap -p9100

You can also read about using netcat to print to port 9100 here.
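
To turn such a scan into a printer inventory, the results can be parsed for hosts where 9100/tcp is actually open. This is an added example, not part of the original post; it assumes the scan was saved in Nmap's grepable format (`-oG`), and the sample lines, addresses and host names are constructed.

```python
import re

_HOST = re.compile(r'Host:\s+(\S+)\s+\(([^)]*)\)')

def printers_on_9100(grepable_output):
    """Return [(ip, hostname)] for hosts whose 9100/tcp state is 'open'."""
    found = []
    for line in grepable_output.splitlines():
        # Only "Host: ... Ports: ..." lines carry per-port results.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host_part, ports_part = line.split("Ports:", 1)
        m = _HOST.match(host_part)
        if not m:
            continue
        ports = ports_part.split("\t")[0]  # drop any trailing tab-separated field
        for entry in ports.split(","):
            # Entry layout: port/state/protocol/owner/service/...
            fields = entry.strip().split("/")
            if fields[:3] == ["9100", "open", "tcp"]:
                found.append((m.group(1), m.group(2)))
    return found

# Constructed sample of grepable output (documentation address range).
SAMPLE_SCAN = "\n".join([
    "# constructed sample scan output",
    "Host: 192.0.2.10 (xerox-1)\tStatus: Up",
    "Host: 192.0.2.10 (xerox-1)\tPorts: 9100/open/tcp//jetdirect///",
    "Host: 192.0.2.11 ()\tPorts: 9100/closed/tcp//jetdirect///",
    "Host: 192.0.2.12 (xerox-2)\tPorts: 80/open/tcp//http///, 9100/open/tcp//jetdirect///",
    "Host: 192.0.2.13 ()\tPorts: 9100/filtered/tcp//jetdirect///",
])

if __name__ == "__main__":
    for ip, name in printers_on_9100(SAMPLE_SCAN):
        print(f"{ip}\t{name or '(no name)'}\traw printing port open")
```

Hosts reported as closed or filtered are left out, so the list is the set of devices that will accept a raw print job from anything that can reach them.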

Free application vulnerability scanners from Secunia

I was reading Claus’ Grand Stream Dreams site today and came across a post where he mentioned Secunia’s Software Inspector, a free online application vulnerability scanner that will search your computer for software with known security issues. It’s a Java applet which doesn’t require installation and performed a thorough system scan quite quickly.

Within a few minutes I had a report of common programs I had installed on my system, what the version was, and if the particular version had any known vulnerabilities. Adobe Flash 9 was one of the programs flagged as being an insecure release, and I was provided a link to download a secure version of the software.

After updating my vulnerable programs, I decided to try Secunia’s Personal Software Inspector (PSI), which is also free for personal use. This small program is installed locally and operates much like the online scanner, but the personal version boasts it can identify 300,000 unique application versions, while the online scanner can only do 110,000 software packages.

For further detail read Claus’ excellent review or check out the Secunia product pages. You can also search Secunia’s security advisories by product or vendor to see just how many of your software products contain known vulnerabilities.

Howto: Create a bootable Backtrack 2.0 USB flash drive

The Backtrack 2.0 final distribution is probably the finest collection of open source network penetration, security, and auditing tools currently available. I use this software for some network penetration testing and security auditing work I perform. I suggest only using these tools on networks you own or have permission to audit because of potential legal ramifications. That being said, here’s what the Backtrack 2.0 is all about.

According to the remote-exploit web site,

“BackTrack is the most Top rated linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-Rom and is fully accessible within minutes.

It’s evolved from the merge of the two wide spread distributions Whax and Auditor Security Collection. By joining forces and replacing these distribution the BackTrack could gain a massive popularity and was voted in 2006 as #1 at the surveil of insecure.org. Security professionals as well as new-comers are using it as their favorite toolset all over the globe.”

Backtrack 2.0 contains over 300 security tools, and it can be downloaded here. You can find detailed notes that describe how to install Backtrack to a hard drive, and don’t forget to check out the wiki, which details installing Backtrack in many different configurations.

Now that you know what Backtrack 2 contains and why you might want to use it, here are the quick instructions for creating a bootable USB stick installation from a Windows machine (Vista Business, in this instance).

1) Format your USB drive using FAT32. Do not perform a quick format.

2) Download the Backtrack 2 final .iso and open it with your favorite compression/extraction program. I like Universal Extractor, aka UniExtract.

3) Copy the boot and BT directories from the Backtrack .iso to your USB drive.

4) Open a command prompt by clicking Start > Run and typing cmd then press enter.

Note: if you’re using Windows Vista you’ll need to open an elevated command prompt, which can do more things than a regular command prompt. To do this, click the Windows Vista icon, right click Command Prompt and select Run as administrator > Continue.

5) Change to the drive letter associated with your USB drive. If you don’t know what letter your USB drive is, and you cannot figure it out, this may not be the best software for you to use.

6) Type cd boot and press enter to change to the boot directory on your USB drive.

7) Type bootinst.bat and press enter to make your USB drive bootable. You will be asked to press any key to continue. Once the batch file completes you should be able to restart your machine and boot from the Backtrack USB drive.

Parting Notes

Creating the bootable USB drive from the Backtrack GUI Installer did not work for me for whatever reason, and neither did the BackTrack 2.0 Downloader and USB-Stick burner for Windows. Maybe it has to do with using a newer 8 GB flash drive, I’m not sure. There are also many other methods you can try if this doesn’t work for you, just Google it.

You can also try using the MySlax Creator to add drivers, patches, and other modules to your Backtrack.iso file. irongeek.com has a nice video showing you exactly what needs to be done to integrate these updates into your distribution.

The ACPO Good Practice Guide for Computer-Based Electronic Evidence

This guide, written with law enforcement officers in mind, is a great introductory guide to incident response. It’s chock full of information and suggestions regarding securing a potential crime scene and preserving digital evidence.

I don’t specialize in security, but I’ve participated in more than a few investigations, including one with the FBI. This is a great primer on what actions to take before the security specialists arrive on the scene.

The guide stresses four primary principles:

Principle 1:
No action taken by law enforcement agencies or their
agents should change data held on a computer or storage
media which may subsequently be relied upon in court.

Principle 2:
In circumstances where a person finds it necessary
to access original data held on a computer or on storage
media, that person must be competent to do so and be
able to give evidence explaining the relevance and the
implications of their actions.

Principle 3:
An audit trail or other record of all processes applied
to computer-based electronic evidence should be created
and preserved. An independent third party should be able
to examine those processes and achieve the same result.

Principle 4:
The person in charge of the investigation (the case
officer) has overall responsibility for ensuring that the
law and these principles are adhered to.

Other good information on incident response can be found at Organizational Models for Computer Security Incident Response Teams (CSIRTS) and the FIRST Security Reference Index.

