Vigil@nce: VMware, privilege elevation under 64 bits
October 2008 by Vigil@nce
SYNTHESIS
An attacker can elevate his privileges inside a virtual guest
running a 64-bit BSD or Windows system.
Gravity: 2/4
Consequences: administrator access/rights
Provenance: user account
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 06/10/2008
IMPACTED PRODUCTS
– VMware ACE
– VMware ESX Server
– VMware ESX Server 3i
– VMware Player
– VMware Server
– VMware Workstation
DESCRIPTION
The VIGILANCE-VUL-8087 (https://vigilance.aql.fr/tree/1/8087)
vulnerability describes an error in the handling of the SwapGS
assembler instruction on FreeBSD/amd64, which can be used by an
attacker to obtain kernel privileges.
The VMware emulator is impacted by the same vulnerability, which
can be exploited in a BSD or Windows (not Linux) guest system on a
64-bit platform.
An attacker with user access inside a 64-bit BSD/Windows guest
system can therefore obtain kernel privileges on the guest system.
He does not obtain kernel privileges on the host system.
CHARACTERISTICS
Identifiers: BID-31569, CVE-2008-4279, VIGILANCE-VUL-8148,
VMSA-2008-0014, VMSA-2008-0014.1, VMSA-2008-0014.2, VMSA-2008-0016