CVE-2009-1143: Exploiting the open-vm-tools Vulnerability to Bypass Access Restrictions on Mounting Shares

In this post, we'll explore the CVE-2009-1143 vulnerability that was discovered in open-vm-tools 2009.03.18-154848. First, we'll understand the issue and its implications, then we'll dive into its technical details, including the code snippet and original references. Lastly, we'll discuss an exploit to leverage this vulnerability to demonstrate how local users can bypass intended access restrictions on mounting shares.

Understanding the Issue

The vulnerability discovered in open-vm-tools 2009.03.18-154848 revolves around a symlink attack. The attack takes advantage of a realpath race condition in mount.vmhgfs (also known as hgfsmounter). The vulnerability allows local users to bypass intended access restrictions on mounting shares. Simply put, a malicious user can access shared resources that should be protected.

Technical Details

The core of this vulnerability lies in the way mount.vmhgfs (hgfsmounter) resolves the real path to the shared directory. When mounting a shared folder, the tool needs to know the actual physical path of that folder. hgfsmounter uses the ‘realpath’ function to resolve the path, and this resolution step is prone to a race condition. A race condition occurs when the outcome of a process depends on the relative timing of events, such as the order in which processes are scheduled to run.

Let’s look at the affected portion of the code in mount.vmhgfs:

...
char *realPath;
int rc;

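/* Canonicalize the user-supplied path; the result reflects the
 * filesystem only at the instant realpath() runs. */
realPath = realpath(path, NULL);
if ((realPath == NULL) || (strlen(realPath) == 0)) {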
   fprintf(stderr, "Error: unable to obtain the canonical path "
           "for '%s': %s\n", path, strerror(errno));
   return EX_USAGE;
}
...

As we can see, ‘realpath’ is used to resolve the path and store it in the ‘realPath’ variable. This is the point where the race condition vulnerability arises.

1. CVE-2009-1143 - The official CVE page providing a brief explanation of the vulnerability.
2. VMware Security Advisory VMSA-2009-0009 - A security advisory from VMware discussing the vulnerability and affected products.

Exploit Details

To exploit this vulnerability, an attacker must create a symbolic link pointing to a folder that's not intended for mounting. This symlink needs to be created during the hgfsmounter's execution, i.e., while realpath is resolving the path. If successful, the attacker will gain unauthorized access to the restricted shared folder.

3. During the mount process, while realpath is resolving the path, switch the evil-symlink to point to the restricted folder the attacker wishes to access.

Conclusion

The CVE-2009-1143 vulnerability in open-vm-tools 2009.03.18-154848 highlights the importance of correctly handling path resolution to avoid race conditions. As demonstrated, it allows local users to bypass intended access restrictions on mounting shares by leveraging a symlink attack. It's crucial to patch this vulnerability to maintain a secure environment and prevent unauthorized access to protected resources.
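
One way to close this kind of check-then-use window, shown as an added example that is not from the original post or the open-vm-tools source: open the mount point once without following a final symlink, run the checks on the descriptor, and give the mount step a name bound to that descriptor. The function names, the owner check and the Linux-specific /proc/self/fd target are assumptions, and the directories are constructed by the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the mount point once, refusing a symlink in the final component,
 * and run every check on the descriptor instead of on the path string.
 * Returns the fd, or -1 if the target is not a directory owned by `owner`. */
int open_mountpoint_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                        /* symlink, missing, or not a directory */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Linux-specific assumption: name the pinned inode for the later mount(2)
 * call, so swapping the original path afterwards cannot change the target. */
int fd_mount_target(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* Constructed sample: a scratch directory with a real directory and a symlink
 * to it. Bit 0: real dir accepted, bit 1: symlink rejected, bit 2: wrong owner
 * rejected. Returns -1 if the scratch layout cannot be created. */
int run_demo(void)
{
    char base[] = "/tmp/hgfs-demo-XXXXXX", dir[64], lnk[64], tgt[32];
    int ok = 0, fd;
    if (!mkdtemp(base)) return -1;
    snprintf(dir, sizeof dir, "%s/share", base);
    snprintf(lnk, sizeof lnk, "%s/link", base);
    if (mkdir(dir, 0700) != 0 || symlink(dir, lnk) != 0) return -1;
    fd = open_mountpoint_checked(dir, getuid());
    if (fd >= 0) { if (fd_mount_target(fd, tgt, sizeof tgt) == 0) ok |= 1; close(fd); }
    if (open_mountpoint_checked(lnk, getuid()) < 0) ok |= 2;
    if (open_mountpoint_checked(dir, getuid() + 1) < 0) ok |= 4;
    unlink(lnk); rmdir(dir); rmdir(base);
    return ok;
}
int main(void) { printf("checks passed mask: %d\n", run_demo()); return 0; }
```

O_NOFOLLOW covers only the last path component, so parent directories writable by untrusted users need the same descriptor-based treatment (for example, walking the path with openat).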

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/28/2022 18:22:00 UTC