CVE-2020-3947: Use-After-Free Vulnerability in the VMware Workstation DHCP Component

Category: Hacking
Source: thezdi.com

Ever since introducing the virtualization category at Pwn2Own in 2016, guest-to-host escapes have been a highlight of the contest. This year's event was no exception. Other guest-to-host escapes have also come through the ZDI program throughout the year. In fact, VMware released a patch for just such a bug less than a week prior to this year's competition. In this blog post, we look into CVE-2020-3947, which was submitted to the ZDI program (ZDI-20-298) in late December by an anonymous researcher. The vulnerability affects the DHCP server component of VMware Workstation and could allow attackers to escalate privileges from a guest OS and execute code on the host OS.

Dynamic Host Configuration Protocol (DHCP)

Dynamic Host Configuration Protocol (DHCP) is used to dynamically assign and manage IP addresses by exchanging DHCP messages between a DHCP client and server. DHCP messages include DHCPDISCOVER, DHCPOFFER, DHCPRELEASE, and several others. All DHCP messages begin with the following common header structure:

Figure 1 - DHCP Header structure

The Options field of a DHCP message contains a sequence of option fields. The structure of an option field is as follows:

Figure 2 - Option Field Structure

The optionCode field defines the type of option. The value of optionCode is 0x35 and 0x3d for the DHCP message type and client identifier options, respectively.

A DHCP message must contain one DHCP message type option. For the DHCP message type option, the value of the optionLength field is 1 and the optionData field indicates the message type. A value of 1 indicates a DHCPDISCOVER message, while a value of 7 indicates a DHCPRELEASE message. These are the two message types that are important for this vulnerability. DHCPDISCOVER is broadcast by a client to get an IP address, and the client sends DHCPRELEASE to relinquish an IP address.
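As an added example (not code from the ZDI post or from VMware's vmnetdhcp), here is a bounds-checked walker for the optionCode/optionLength/optionData stream described above, run over a constructed sample packet. The 240-byte fixed-header length (236 bytes plus the magic cookie) and the pad/end option codes come from RFC 2131/2132 rather than from the post, and the function names are mine.

```c
#include <stdint.h>
#include <string.h>
#define DHCP_OPT_MSG_TYPE  0x35   /* option codes given in the post */
#define DHCP_OPT_CLIENT_ID 0x3d
#define DHCP_FIXED_LEN     240    /* 236-byte fixed header + 4-byte magic cookie (RFC 2131) */
struct dhcp_summary { int msg_type; const uint8_t *client_id; size_t client_id_len; };
/* Walk the optionCode/optionLength/optionData stream after the fixed header.
 * Returns 0 on success and -1 when an optionLength would run past the end of the
 * packet, the check a server needs before it trusts optionData at all. */
int dhcp_parse_options(const uint8_t *pkt, size_t len, struct dhcp_summary *out) {
    out->msg_type = -1; out->client_id = NULL; out->client_id_len = 0;
    if (len < DHCP_FIXED_LEN) return -1;
    for (size_t i = DHCP_FIXED_LEN; i < len; ) {
        uint8_t code = pkt[i++];
        if (code == 0x00) continue;            /* pad option: one byte, no length */
        if (code == 0xff) return 0;            /* end option */
        if (i >= len) return -1;               /* optionLength byte missing */
        uint8_t olen = pkt[i++];
        if (olen > len - i) return -1;         /* optionData overruns the packet */
        if (code == DHCP_OPT_MSG_TYPE && olen == 1) out->msg_type = pkt[i];
        else if (code == DHCP_OPT_CLIENT_ID) { out->client_id = pkt + i; out->client_id_len = olen; }
        i += olen;
    }
    return 0;                                   /* no end option; tolerated */
}
/* Constructed sample packet: zeroed fixed header, magic cookie, then a message
 * type option, a client identifier "abc" whose length byte we control, and end. */
static size_t build_sample(uint8_t *buf, uint8_t msg_type, uint8_t claimed_cid_len) {
    const uint8_t cookie[4] = { 99, 130, 83, 99 };
    const uint8_t opts[] = { 0x35, 1, msg_type, 0x3d, claimed_cid_len, 'a', 'b', 'c', 0xff };
    memset(buf, 0, DHCP_FIXED_LEN);
    memcpy(buf + 236, cookie, sizeof cookie);
    memcpy(buf + DHCP_FIXED_LEN, opts, sizeof opts);
    return DHCP_FIXED_LEN + sizeof opts;
}
/* Returns the parsed message type, -2 if the packet was rejected as malformed,
 * or -3 if the client identifier did not come back as "abc". */
int check_sample(uint8_t msg_type, uint8_t claimed_cid_len) {
    uint8_t buf[DHCP_FIXED_LEN + 16]; struct dhcp_summary s;
    size_t n = build_sample(buf, msg_type, claimed_cid_len);
    if (dhcp_parse_options(buf, n, &s) != 0) return -2;
    if (s.client_id_len != 3 || memcmp(s.client_id, "abc", 3) != 0) return -3;
    return s.msg_type;
}
```

A client identifier whose length byte is too large is rejected outright, and one whose length byte is too small desynchronizes the walk so that the trailing bytes are misread as a further option, which the length check then catches as well.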

The Vulnerability

In VMware Workstation, the vmnetdhcp.exe module provides the DHCP server service to guest machines. This startup entry is installed as a Windows service. The vulnerable condition occurs when a DHCPDISCOVER message followed by a DHCPRELEASE message is sent repeatedly to a vulnerable DHCP server.

During processing of a DHCPRELEASE message, the DHCP server calls vmnetdhcp!supersede_lease (vmnetdhcp+0x3160). The supersede_lease function then copies data from one lease structure to another. A lease structure contains information such as an assigned client IP address, client hardware address, lease duration, lease status, and so on. The full lease structure is as follows:

Figure 3 - Lease Structure

For this vulnerability, the uid and uid_len fields are important. The uid field points to a buffer containing the string data from the optionData field of the client identifier option. The uid_len field indicates the size of this buffer.

supersede_lease first checks whether the string data pointed to by the respective uid fields of the source and destination lease are equal. If these two strings match, the function frees the buffer pointed to by the uid field of the source lease. Afterwards, supersede_lease calls write_lease (vmnetdhcp+0x16e0), passing the destination lease as an argument, to write the lease to an internal table.

Figure 4 - Compare the uid Fields

Figure 5 - Frees the uid Field

In the vulnerable condition, that is, when the server repeatedly receives a DHCPDISCOVER message followed by a DHCPRELEASE message, the respective uid fields of the source and destination lease structures actually point to the same memory location. The supersede_lease function does not check for this condition. As a result, when it frees the memory pointed to by the uid field of the source lease, the uid pointer of the destination lease becomes a dangling pointer. Finally, when write_lease accesses the uid field of the destination lease, a use-after-free (UAF) condition occurs.

Figure 6 - Triggering the Bug

The Patch

VMware patched this bug and two lesser severity bugs with VMSA-2020-004. The patch to address CVE-2020-3947 contains changes in one function: supersede_lease. The patch comparison of supersede_lease in VMnetDHCP.exe version 15.5.1.50853 versus version 15.5.2.54704 is as follows:

Figure 7 - BinDiff Patch Comparison

In the patched version of supersede_lease, after performing the string comparison between the respective uid fields of the source and destination leases, the function performs a new check to see whether the two uid fields actually reference the same buffer. If they do, it skips the call to free.
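The following is an added, constructed model of the bug and its fix, not code from the ZDI post or from vmnetdhcp: struct lease keeps only the uid and uid_len fields, write_lease is a stand-in that merely reads dst->uid, and the aliasing of the two uid pointers is set up directly rather than through real DHCP processing. It shows the unpatched free beside the patched identity check, and drives the patched version through both the aliased and the ordinary case.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of the two lease fields the post discusses; the real
 * vmnetdhcp lease structure (Figure 3) has many more members. */
struct lease {
    unsigned char *uid;   /* optionData of the client identifier option (0x3d) */
    size_t uid_len;       /* size of that buffer */
};
/* Stand-in for write_lease: the real function writes the lease to an internal
 * table; this one only needs to read dst->uid, and returns a checksum over it. */
size_t write_lease(const struct lease *l) {
    size_t sum = l->uid_len;
    for (size_t i = 0; i < l->uid_len; i++) sum += l->uid[i];
    return sum;
}
/* Unpatched logic as the post describes it: equal uids cause src->uid to be
 * freed unconditionally, so if src->uid and dst->uid alias one buffer the
 * following write_lease(dst) reads freed memory. Shown for comparison only;
 * the checks below never call it. */
void supersede_lease_unpatched(struct lease *dst, struct lease *src) {
    if (dst->uid_len == src->uid_len && memcmp(dst->uid, src->uid, src->uid_len) == 0)
        free(src->uid);                   /* dst->uid now dangles when aliased */
    write_lease(dst);                     /* use-after-free in the aliased case */
}
/* Patched logic: the new identity check skips the free when both leases
 * reference the same buffer, so dst->uid stays valid for write_lease. */
size_t supersede_lease_patched(struct lease *dst, struct lease *src) {
    if (dst->uid_len == src->uid_len && memcmp(dst->uid, src->uid, src->uid_len) == 0 &&
        src->uid != dst->uid) {           /* the fix: only free a distinct buffer */
        free(src->uid);
        src->uid = NULL; src->uid_len = 0;   /* constructed: do not leave src stale */
    }
    return write_lease(dst);
}
/* Drives the DISCOVER-then-RELEASE scenario. aliased=1 models the condition in
 * the post (both leases share one uid buffer); aliased=0 is the ordinary case
 * of two equal but distinct buffers. Returns write_lease's checksum. */
size_t release_after_discover(int aliased) {
    const char *cid = "client-a";         /* constructed client identifier */
    size_t n = strlen(cid);
    struct lease dst = { malloc(n), n };  /* lease created by the DHCPDISCOVER */
    memcpy(dst.uid, cid, n);
    struct lease src = { dst.uid, n };    /* lease built for the DHCPRELEASE */
    if (!aliased) { src.uid = malloc(n); memcpy(src.uid, cid, n); }
    size_t r = supersede_lease_patched(&dst, &src);
    free(dst.uid);                        /* exactly one buffer is left either way */
    return r;
}
```

Running the aliased case under a heap checker such as AddressSanitizer with the unpatched function substituted is the quickest way to see the read of freed memory that the post describes; with the patched function both cases complete with a single free.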

Since there are no workarounds listed, the only way to ensure you are protected from this bug is to apply the patch.

Despite being a well understood problem, UAF bugs continue to be prevalent in modern software. In fact, 15% of the advisories we published in 2019 were the result of a UAF condition. It will be interesting to see if that trend continues in 2020.

You can find me on Twitter @nktropy, and follow the team for the latest in exploit techniques and security patches.
