VMware vielib.dll StartProcess command execution

Added: 09/25/2007
CVE: CVE-2007-4058
BID: 25118
OSVDB: 42078

Background

VMware is a suite of products supporting the creation and operation of virtual machines, which are self-contained, independent guest operating systems running within a host operating system.

Problem

The StartProcess function in the vielib.dll library shipped with VMware 6.0.0 executes shell commands without verifying that the caller is legitimate. Because the library is exposed as an ActiveX control, this allows command execution when a user loads an attacker's web page in Internet Explorer.

Resolution

Set the kill bit for Class ID 7B9C5422-39AA-4C21-BEEF-645E42EB4529 as described in Microsoft Knowledge Base Article 240797, or unregister vielib.dll using regsvr32.

References

http://www.milw0rm.com/exploits/4244

Limitations

Exploit works on VMware Workstation 6.0.0 on Windows XP.

Since this exploit uses TFTP, the SAINTexploit host must be able to bind to port 69/UDP.

This exploit requires the Perl threads module to be installed on the SAINTexploit host.

Platforms

Windows