w00w00 Security Advisory - http://www.w00w00.org/

Title:         VMware 1.1.2 Symlink Vulnerability
Platforms:     Linux Distributions with VMware 1.1.2 (build 364)
Discovered:    17th January, 2000
Local:         Yes.
Remote:        No.
Author:        harikiri
Vendor Status: Notified.
Last Updated:  N/A

1. Overview

VMware stores temporary log files within the /tmp directory. It does not check whether any of these files already exist prior to creating them, resulting in the potential for a symlink attack.

2. Background

VMware is a commercial application that enables the operation of "guest" operating systems within the host system. This is performed via the use of Virtual Machine technology. Due to the low-level requirements of VMware, it is necessary to run the program at a high privilege level, typically root.

3. Issue

VMware creates the file "/tmp/vmware-log" on startup. The existence and owner of the file are not checked prior to writing startup information to the file.

NOTE: VMware uses other files in the /tmp directory. The one cited above is only a single example.

4. Impact

Local users may create a symlink from an arbitrary file to /tmp/vmware-log. When VMware is executed, the file pointed to by the symlink will be overwritten. This may be used as a local denial of service attack. There may also be a method to gain elevated privileges via the symlink attack, though none is known at this time.

5. Recommendation

Wait for a fix from the vendor. A temporary workaround is to set $TMPDIR to something sane, or to create the symlink yourself and have it point to /dev/null, so that no one else can have it point to something bad.

6. References

- VMware Inc: http://www.vmware.com/
- w00w00 Security Development: http://www.w00w00.org/
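The check the advisory says is missing, shown as an added example in C; this is not code from the advisory or from VMware. It creates the log with O_CREAT|O_EXCL|O_NOFOLLOW so that a pre-planted symlink (or file) at the path is refused rather than followed, honours $TMPDIR as the advisory's workaround suggests, and proves the behaviour in a private scratch directory with a constructed link pointing at a file the example itself owns. The file name vmware-log under $TMPDIR or /tmp, and the function names open_private_log, build_log_path and demo_*, are the example's own assumptions.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* exposes mkdtemp() and O_NOFOLLOW under strict -std= modes */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes of open_private_log(). */
enum log_open_result {
    LOG_OPENED = 0,          /* a fresh regular file was created and opened */
    LOG_REFUSED_EXISTS = 1,  /* something (symlink or file) already sat at the path */
    LOG_ERROR = 2            /* any other failure */
};

/* Hardened log creation. O_CREAT|O_EXCL makes open() fail with EEXIST when
 * anything already exists at `path`; POSIX specifies this even when the entry
 * is a symlink, so a planted link is never followed or truncated. O_NOFOLLOW
 * is defence in depth, and mode 0600 keeps the log private to the caller. */
int open_private_log(const char *path, int *fd_out)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return (errno == EEXIST || errno == ELOOP) ? LOG_REFUSED_EXISTS : LOG_ERROR;

    /* Confirm the descriptor really is a regular file owned by us. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return LOG_ERROR;
    }
    *fd_out = fd;
    return LOG_OPENED;
}

/* Honour $TMPDIR (the advisory's workaround) and fall back to /tmp.
 * Writes "<dir>/<name>" into buf; returns -1 if it does not fit. */
int build_log_path(const char *name, char *buf, size_t buflen)
{
    const char *dir = getenv("TMPDIR");
    if (dir == NULL || dir[0] == '\0')
        dir = "/tmp";
    int n = snprintf(buf, buflen, "%s/%s", dir, name);
    return (n > 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Demonstration in a private scratch directory (constructed for this example):
 * plant a symlink named vmware-log pointing at a "victim" file we own, then
 * show the hardened open refuses it and the victim keeps its 8 bytes.
 * Returns LOG_REFUSED_EXISTS on the expected outcome, LOG_ERROR otherwise. */
int demo_refuses_planted_symlink(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return LOG_ERROR;
    char victim[256], logpath[256];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(logpath, sizeof logpath, "%s/vmware-log", dir);

    int vfd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (vfd < 0) { rmdir(dir); return LOG_ERROR; }
    if (write(vfd, "keep me\n", 8) != 8) { close(vfd); unlink(victim); rmdir(dir); return LOG_ERROR; }
    close(vfd);
    symlink(victim, logpath);                  /* the planted link */

    int fd = -1;
    int rc = open_private_log(logpath, &fd);
    if (rc == LOG_OPENED)
        close(fd);

    struct stat st;                            /* victim must be untouched */
    if (stat(victim, &st) != 0 || st.st_size != 8)
        rc = LOG_ERROR;

    unlink(logpath); unlink(victim); rmdir(dir);
    return rc;
}

/* Same scratch-directory setup with nothing planted: a clean path must succeed. */
int demo_clean_path_succeeds(void)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return LOG_ERROR;
    char logpath[256];
    snprintf(logpath, sizeof logpath, "%s/vmware-log", dir);
    int fd = -1;
    int rc = open_private_log(logpath, &fd);
    if (rc == LOG_OPENED) {
        if (write(fd, "startup info\n", 13) != 13) rc = LOG_ERROR;
        close(fd);
    }
    unlink(logpath); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("planted symlink: %s\n",
           demo_refuses_planted_symlink() == LOG_REFUSED_EXISTS ? "refused" : "NOT refused");
    printf("clean path:      %s\n",
           demo_clean_path_succeeds() == LOG_OPENED ? "opened" : "failed");
    return 0;
}
```

The two demo functions are the point of the exercise: the same open call that happily creates a fresh file returns LOG_REFUSED_EXISTS when a link is waiting at the path, and the victim file's size is unchanged afterwards. A program that instead opened with plain O_CREAT|O_TRUNC would follow the link and truncate whatever it pointed at, which is exactly the denial of service the advisory describes.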