Secure Network - Security Research Advisory

Vuln name: VMware Studio 2 directory traversal
Systems affected: VMware Studio 2.0.0.946-172280
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.vmware.com
Author(s): Claudio Criscione - c.criscione@securenetwork.it
Vendor disclosure: 06/07/2009
Vendor acknowledged: 06/07/2009
Vendor patch release: 01/09/2009
Public disclosure: 09/09/2009
Advisory number: SN-2009-03
Advisory URL: http://securenetwork.it/research/
CVE: CVE-2009-2968

*** SUMMARY ***

VMware Studio provides mechanisms for authoring, on-site management, distribution and deployment of production-ready virtual appliances.

An arbitrary file upload vulnerability, caused by a path traversal in a file upload script, has been identified.

*** VULNERABILITY DETAILS ***

Due to improper sanitization of user input, a support component of VMware Studio's web interface can be tricked into writing an uploaded file to any directory the web server's user has permission to write to, and it does not remove the file afterwards.

The vulnerability lies in the upload-tar.py script, which is reachable at the following URL: service/depot/upload-tar.py. The script accepts any form that provides a file field named "servicetar" and writes its content to the file system, as can be seen:

---------
data = item.file.read()
[..]
# A fresh temporary directory is created, but the client-supplied
# item.filename is concatenated to it without any sanitization.
temp_dir = tempfile.mkdtemp()
f = open(temp_dir + "/" + item.filename, 'w')
f.write(data)
---------

*** EXPLOIT ***

An attacker can trivially upload any file to the server, possibly into the /opt/vmware/share/htdocs directory, where any Python file will be executed, resulting in arbitrary code execution on the server. To trigger the path traversal, the filename has to be prepended with the usual "../" string.
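The following is an added hardening example, not code from the advisory or from VMware Studio. It places the advisory's unsanitized `temp_dir + "/" + item.filename` concatenation beside a safe equivalent that keeps only the final path component and then verifies that the resolved target still lies inside the temporary directory; the function names and the `store_upload` wrapper are assumptions for illustration.

```python
import os
import tempfile

# Added example: function names are hypothetical; the only thing taken from
# the advisory is the vulnerable concatenation pattern in upload-tar.py.


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename would escape the upload directory."""


def vulnerable_path(temp_dir: str, filename: str) -> str:
    # Mirrors the advisory's `temp_dir + "/" + item.filename`: nothing strips
    # "../" from the client-controlled name, so it can walk out of temp_dir.
    return os.path.normpath(temp_dir + "/" + filename)


def safe_upload_path(temp_dir: str, filename: str) -> str:
    # Keep only the final path component; this drops directories and "../".
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise UnsafeFilename(f"rejected filename {filename!r}")
    # Defence in depth: confirm the resolved path is still under temp_dir.
    root = os.path.realpath(temp_dir)
    target = os.path.realpath(os.path.join(root, base))
    if os.path.commonpath([root, target]) != root:
        raise UnsafeFilename(f"{filename!r} escapes {temp_dir}")
    return target


def escapes(temp_dir: str, path: str) -> bool:
    # True when `path` does not resolve to a location inside temp_dir.
    root = os.path.realpath(temp_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def new_upload_dir() -> str:
    # Same mkdtemp() call the advisory's script uses for its staging area.
    return tempfile.mkdtemp()


def store_upload(filename: str, data: bytes) -> str:
    # Hardened counterpart of the upload-tar.py write. The caller receives the
    # final path so it can delete the file later (the original never did).
    temp_dir = new_upload_dir()
    target = safe_upload_path(temp_dir, filename)
    with open(target, "wb") as f:
        f.write(data)
    return target
```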
*** FIX INFORMATION ***

The issue was fixed in the final release of VMware 2.0.

*** WORKAROUNDS ***

--

*********************
*** LEGAL NOTICES ***
*********************

Secure Network (www.securenetwork.it) is an information security company which provides consulting and training services and engages in security research and development.

We are committed to open, full disclosure of vulnerabilities, cooperating whenever possible with software developers for properly handling disclosure.

This advisory is copyright 2009 Secure Network S.r.l. Permission is hereby granted for the redistribution of this alert, provided that it is not altered except by reformatting it, and that due credit is given. It may not be edited in any way without the express consent of Secure Network S.r.l. Permission is explicitly given for insertion in vulnerability databases and similar resources, provided that due credit is given to Secure Network.

The information in the advisory is believed to be accurate at the time of publishing based on currently available information. This information is provided as-is, as a free service to the community by Secure Network research staff. There are no warranties with regard to this information. Secure Network does not accept any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

If you have any comments or inquiries, or any issue with what is reported in this advisory, please inform us as soon as possible.

E-mail: securenetwork@securenetwork.it
GPG/PGP key: http://www.securenetwork.it/pgpkeys/Secure%20Network.asc
Phone: +39 02 24 12 67 88