VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) - Nessus

High   Plugin ID: 92943

This page contains detailed information about the VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 92943
Name: VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)
Filename: macosx_fusion_vmsa_2016_0010.nasl
Vulnerability Published: 2016-08-04
This Plugin Published: 2016-08-12
Last Modification Time: 2019-11-14
Plugin Version: 1.7
Plugin Type: local
Plugin Family: MacOS X Local Security Checks
Dependencies: macosx_fusion_detect.nasl
Required KB Items [?]: Host/local_checks_enabled, installed_sw/VMware Fusion

Vulnerability Information

Severity: High
Vulnerability Published: 2016-08-04
Patch Published: 2016-08-04
CVE [?]: CVE-2016-5330
CPE [?]: cpe:/a:vmware:fusion

Synopsis

A virtualization application installed on the remote Mac OS X host is affected by an arbitrary code execution vulnerability.

Description

The version of VMware Fusion installed on the remote Mac OS X host is 8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code execution vulnerability in the Shared Folders (HGFS) feature due to improper loading of Dynamic-link library (DLL) files from insecure paths, including the current working directory, which may not be under user control. A remote attacker can exploit this vulnerability, by placing a malicious DLL in the path or by convincing a user into opening a file on a network share, to inject and execute arbitrary code in the context of the current user.

Solution

Upgrade to VMware Fusion 8.1.1 or later.

Note that VMware Tools on Windows-based guests that use the Shared Folders (HGFS) feature must also be updated to completely mitigate the vulnerability.

Public Exploits

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) vulnerability:

  1. Metasploit: exploit/windows/misc/vmhgfs_webdav_dll_sideload
    [DLL Side Loading Vulnerability in VMware Host Guest Client Redirector]
  2. Exploit-DB: exploits/windows/local/41711.rb
    [EDB-41711: VMware Host Guest Client Redirector - DLL Side Loading (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS Score Source [?]: CVE-2016-5330
CVSS V2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C
CVSS Base Score:4.4 (Medium)
Impact Subscore:6.4
Exploitability Subscore:3.4
CVSS Temporal Score:3.6 (Low)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:3.6 (Low)
CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
CVSS Base Score:7.8 (High)
Impact Subscore:5.9
Exploitability Subscore:1.8
CVSS Temporal Score:7.2 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:7.2 (High)

Go back to menu.

Plugin Source

This is the macosx_fusion_vmsa_2016_0010.nasl nessus plugin source code. This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(92943);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/14");

  script_cve_id("CVE-2016-5330");
  script_bugtraq_id(92323);
  script_xref(name:"VMSA", value:"2016-0010");

  script_name(english:"VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)");
  script_summary(english:"Checks Fusion version.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote Mac OS X host is
affected by an arbitrary code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Fusion installed on the remote Mac OS X host is
8.1.x prior to 8.1.1. It is, therefore, affected by an arbitrary code
execution vulnerability in the Shared Folders (HGFS) feature due to
improper loading of Dynamic-link library (DLL) files from insecure
paths, including the current working directory, which may not be under
user control. A remote attacker can exploit this vulnerability, by
placing a malicious DLL in the path or by convincing a user into
opening a file on a network share, to inject and execute arbitrary
code in the context of the current user.");
  script_set_attribute(attribute:"see_also", value:"http://www.vmware.com/security/advisories/VMSA-2016-0010.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Fusion 8.1.1 or later.

Note that VMware Tools on Windows-based guests that use the Shared
Folders (HGFS) feature must also be updated to completely mitigate the
vulnerability.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5330");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'DLL Side Loading Vulnerability in VMware Host Guest Client Redirector');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/08/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/08/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/08/12");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:fusion");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("macosx_fusion_detect.nasl");
  script_require_keys("Host/local_checks_enabled", "installed_sw/VMware Fusion");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("install_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("Host/local_checks_enabled");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

install = get_single_install(app_name:"VMware Fusion", exit_if_unknown_ver:TRUE);
version = install['version'];
path = install['path'];

fix = '';
if (version =~ "^8\.1\.") fix = '8.1.1';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report +=
    '\n  Path              : ' + path +
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_WARNING);
}
else audit(AUDIT_INST_PATH_NOT_VULN, "VMware Fusion", version, path);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/macosx_fusion_vmsa_2016_0010.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\macosx_fusion_vmsa_2016_0010.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/macosx_fusion_vmsa_2016_0010.nasl

Go back to menu.

How to Run

Here is how to run the VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select MacOS X Local Security Checks plugin family.
  6. On the right side table select VMware Fusion 8.1.x < 8.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) plugin ID 92943.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl macosx_fusion_vmsa_2016_0010.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a macosx_fusion_vmsa_2016_0010.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - macosx_fusion_vmsa_2016_0010.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state macosx_fusion_vmsa_2016_0010.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: VMSA | VMware Security Advisory: See also: Similar and related Nessus plugins:
  • 92944 - VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)
  • 92945 - VMware Player 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)
  • 92949 - ESXi 5.0 / 5.1 / 5.5 / 6.0 Multiple Vulnerabilities (VMSA-2016-0010) (remote check)
  • 92946 - VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010) (Linux)
  • 92947 - VMware Workstation 12.1.x < 12.1.1 Shared Folders (HGFS) Guest DLL Hijacking Arbitrary Code Execution (VMSA-2016-0010)
  • 51078 - VMware Fusion < 2.0.8 (VMSA-2010-0018)
  • 51079 - VMware Fusion < 3.1.2 (VMSA-2010-0018)
  • 58792 - VMware Fusion 4.x < 4.1.2 (VMSA-2012-0007)
  • 64919 - VMware Fusion 4.1 < 4.1.4 / 5.0 < 5.0.2 VMCI Privilege Escalation (VMSA-2013-0002)
  • 73670 - VMware Fusion 6.x < 6.0.3 OpenSSL Library Multiple Vulnerabilities (VMSA-2014-0004) (Heartbleed)
  • 76452 - VMware Fusion < 5.0.5 / 6.0.4 OpenSSL Library Multiple Vulnerabilities
  • 97939 - VMware Fusion 8.x < 8.5.5 Drag-and-Drop Feature Guest-to-Host Code Execution (VMSA-2017-0005) (macOS)
  • 99103 - VMware Fusion 8.x < 8.5.6 Multiple Vulnerabilities (VMSA-2017-0006) (macOS)
  • 105485 - VMware Fusion 8.x < 8.5.9 Multiple Vulnerabilities (VMSA-2017-0021) (VMSA-2018-0002) (Spectre) (macOS)
  • 105781 - VMware Fusion 8.x < 8.5.10 / 10.x < 10.1.1 Multiple Vulnerabilities (VMSA-2018-0004) (VMSA-2018-0005) (Spectre) (macOS)
  • 111758 - VMware Fusion 10.x < 10.1.3 Speculative Execution Side Channel Vulnerability (Foreshadow) (VMSA-2018-0020) (macOS)
  • 111977 - VMware Fusion 10.x < 10.1.3 Out-of-Bounds Write Vulnerabilities (VMSA-2018-0022) (macOS)
  • 118884 - VMware Fusion 10.x < 10.1.4 / 11.x < 11.0.1 vmxnet3 Guest-to-Host Code Execution Vulnerability (VMSA-2018-0027) (macOS)
  • 131128 - VMware Fusion 11.0.x < 11.5.1 Multiple Vulnerabilities (VMSA-2019-0020, VMSA-2019-0021)
  • 134628 - VMware Fusion 11.x < 11.5.2 Multiple Vulnerabilities (VMSA-2020-0004)
  • 134974 - VMware Fusion 11.0.x < 11.5.2 Multiple Vulnerabilities (VMSA-2020-0005)
  • 76965 - VMware Horizon View Client < 3.0.0 Multiple SSL Vulnerabilities (VMSA-2014-0006) (Mac OS X)
  • 100839 - VMware Horizon View Client 2.x / 3.x / 4.x < 4.5.0 Startup Script Command Injection (VMSA-2017-0011) (macOS)
  • 77331 - VMware OVF Tool 3.x < 3.5.2 Multiple OpenSSL Vulnerabilities (VMSA-2014-0006) (Mac OS X)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file macosx_fusion_vmsa_2016_0010.nasl version 1.7. For more plugins, visit the Nessus Plugin Library.

Go back to menu.