VMware vmrun Command Format String Flaw Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1023835
SecurityTracker URL: http://securitytracker.com/id/1023835
Date: Apr 9 2010
Root access via local system, User access via local system
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): VIX API (Linux) 1.6.x, Workstation (Linux) 6.5.x, Player (Linux) 2.5.x, Server (Linux) 2.5, Fusion (Mac OS/X) 2.x
A vulnerability was reported in VMware. A local user can obtain elevated privileges on the target system.
A local user can execute a specially crafted vmrun command. Then, when the target user lists processes, arbitrary code may be executed on the target system with the privileges of the target user.
Linux-based systems are affected.
Thomas Toth-Steiner reported this vulnerability.
A local user can cause arbitrary code to be executed with the privileges of the target user.
The vendor has issued a fix (VIX API (Linux) 1.7, Workstation (Linux) 6.5.4 build 246459, Player (Linux) 2.5.4 build 246459, Fusion (Mac OS/X) 2.0.7 build 246742).
The vendor's advisory will be available at:
Vendor URL: www.vmware.com/security/advisories/
Input validation error, State error
Source Message Contents
Date: Fri, 09 Apr 2010 16:40:21 +0000
i. Linux-based vmrun format string vulnerability
A format string vulnerability in vmrun could allow arbitrary code
If a vmrun command is issued and processes are listed, code could
be executed in the context of the user listing the processes.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-1139 to this issue.
VMware would like to thank Thomas Toth-Steiner for reporting this
issue to us.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  =================
VirtualCenter  any       Windows   not affected
VIX API        any       Windows   not affected
VIX API        1.6.x     Linux     upgrade to VIX API 1.7 or later
VIX API        1.6.x     Linux64   upgrade to VIX API 1.7 or later
Workstation    7.x       any       not affected
Workstation    6.5.x     Windows   not affected
Workstation    6.5.x     Linux     6.5.4 build 246459 or later
Player         3.x       any       not affected
Player         2.5.x     Windows   not affected
Player         2.5.x     Linux     2.5.4 build 246459 or later
Ace            any       Windows   not affected
Server         2.x       Windows   not affected
Server         2.x       Linux     not being fixed at this time
Fusion         3.x       Mac OS/X  not affected
Fusion         2.x       Mac OS/X  2.0.7 build 246742 or later
ESXi           any       any       not affected
ESX            any       any       not affected