VMware Virtual Image Editing Framework – DLL Untrusted Library Loading Execution Code
Author(s): Ivan Sanchez & Hernan Hegykozi
Contact Us: firstname.lastname@example.org
Versions: VMware Virtual Image Editing Framework 4.0.0 build-111735
Product: VMware Virtual Image Editing Framework
Vendor Notified: VMware Inc.
We have discovered that the product "VMware Virtual Image Editing Framework 4.0.0 build-111735" is vulnerable to DLL hijacking. The root cause is the way Python loads the DLL files used by many applications: if an application calls a DLL without specifying an absolute path, Windows searches for the DLL file in a fixed sequence of locations.
\\Internet -Share\\loginblocker.exe + vmwarebase.dll
( vmwarebase.dll will execute the planted code when the end user opens or runs the application )
C:\Program Files\VMware\VMware Workstation\Resources\loginblocker.exe +
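The search-order behaviour described above is what a loader has to avoid. The following is an added example written for this page (not VMware's code and not part of the original advisory): a small Python resolver that only accepts bare module names and only looks in directories the application explicitly trusts, so neither the working directory nor a network share is ever consulted. The directory names and stand-in files in `demo()` are constructed for the test; `ctypes.WinDLL` is only used on Windows.

```python
import ctypes
import os
import sys
import tempfile


def is_bare_module_name(name):
    """True only for a plain file name such as 'vmwarebase.dll'.

    Anything with a directory component, a drive letter or a UNC prefix
    is refused, so a caller cannot be steered towards a remote share."""
    if not name or "/" in name or "\\" in name or ":" in name:
        return False
    return name == os.path.basename(name)


def resolve_trusted_dll(name, trusted_dirs):
    """Absolute path of `name` inside the first trusted directory holding it,
    or None. The CWD and the default Windows search order are never used."""
    if not is_bare_module_name(name):
        return None
    for directory in trusted_dirs:
        candidate = os.path.join(os.path.abspath(directory), name)
        if os.path.isfile(candidate):
            return candidate
    return None


def load_trusted_dll(name, trusted_dirs):
    """Load via the resolved absolute path so LoadLibrary does no search."""
    path = resolve_trusted_dll(name, trusted_dirs)
    if path is None:
        raise FileNotFoundError("%r not present in any trusted directory" % name)
    if sys.platform != "win32":
        raise OSError("ctypes.WinDLL is only available on Windows")
    return ctypes.WinDLL(path)


def demo():
    """Constructed layout: 'app' is trusted, 'share' stands in for the
    untrusted network share; both hold an empty stand-in vmwarebase.dll."""
    with tempfile.TemporaryDirectory() as root:
        app_dir, share_dir = os.path.join(root, "app"), os.path.join(root, "share")
        os.mkdir(app_dir)
        os.mkdir(share_dir)
        open(os.path.join(share_dir, "vmwarebase.dll"), "wb").close()
        planted_only = resolve_trusted_dll("vmwarebase.dll", [app_dir])
        open(os.path.join(app_dir, "vmwarebase.dll"), "wb").close()
        legitimate = resolve_trusted_dll("vmwarebase.dll", [app_dir])
        return {
            "planted_copy_ignored": planted_only is None,
            "app_copy_found": legitimate == os.path.join(app_dir, "vmwarebase.dll"),
            "unc_path_refused": resolve_trusted_dll(r"\\Internet-Share\vmwarebase.dll", [app_dir]) is None,
            "relative_path_refused": resolve_trusted_dll("../share/vmwarebase.dll", [app_dir]) is None,
        }
```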
Some interesting findings:
- Clicking a link to a remote shared folder on a web page will open this share in Windows Explorer without a warning for 67% of all Internet Explorer users.
- Clicking a link to a remote shared folder in an e-mail message will open this share in Windows Explorer without a warning for all Outlook, Windows Mail and Windows Live Mail users, regardless of their default web browser. (E-mail is the most likely vector for targeted attacks on corporate and government networks.)
- In contrast to Internet Explorer, we found no way to launch Windows Explorer via a hyperlink from Firefox, Chrome or Opera, while Safari does open a remote shared folder when the web page containing the link comes from a local drive (e.g., the attacker sends an HTML file to the user via e-mail).
- Protected View makes Word 2010 and Excel 2010 less suitable for binary planting attacks, as documents originating from the Internet or received via Outlook require the user to confirm a security warning before hyperlinks are enabled.
All in all, it appears that most attack scenarios do not involve any security warnings. Users should therefore be careful when opening any hyperlinks, not just on web pages but also in e-mail, documents and IM messages.