VMware Virtual Image Editing Framework – DLL Untrusted Library Loading Execution Code

Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: security@evilcode.com.ar
Versions: VMware Virtual Image Editing Framework 4.0.0 build-111735
Date: 05/09/2011
Product: VMware Virtual Image Editing Framework
Vendor Notified: VMware Inc.

We have discovered that the product “VMware Virtual Image Editing Framework 4.0.0 build-111735″ presents a big hole as regard to DLL hijacking;The basis of this exploit is the way in which Python works and how it loads DLL files used by many applications, if an application calls a DLL without specifying an absolute path Windows will conduct a search for the DLL file in various set locations.

POC:
\\Internet -Share\\loginblocker.exe + vmwarebase.dll

( vmwarebase.dll will execute the evil code when the end user open /run the APP )

Extension Affected:

C:\Program Files\VMware\VMware Workstation\Resources\loginblocker.exe +
vmwarebase.dll


Vector Attack:

Some interesting findings:

  • Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.
  • Clicking a link to a remote shared folder in an e-mail message will open this share in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live Mail users, regardless of their default web browser. (E-mail is the most likely vector for targeted attacks on corporate and government networks.)
  • In contrast to Internet Explorer, we found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive (e.g., attacker sends an HTML file to the user via e-mail.)
  • The Protected View makes Word 2010 and Excel 2010 less suitable for binary planting attacks, as documents originating from Internet or received via Outlook require the user to confirm a security warning before hyperlinks are enabled.
All in all, it appears that most  attack scenarios don’t include any security warnings. Users should therefore be careful when opening any hyperlinks – not just on web pages, but also in e-mail, documents and IM messages.

 

Leave a Reply