Virtualization Pro

Jan 8 2009   6:47PM GMT

Solution for VMware Player security vulnerability

Edward Haletky (Texiwill)

The gang at Milw0rm have posted one of the few exploits against VMware’s desktop line of products, specifically VMware Player version 2.5.1. The exploit targets the vmwarebase.dll file when VMware Player runs on Windows systems. There is no chance of running arbitrary code through this exploit. In addition, VMware ESX, VMware ESXi, VMware Server and older versions of VMware Player are unaffected.

The issue occurs when long usernames or passwords are passed into VMware-Authd, which causes the application to crash. Although the application is restarted, a DoS attack could keep crashing it and possibly fill up disk space with crash files as well.

VMware has been very responsive to this vulnerability and a fix is already completed. Check out this VMware thread for some more details. This type of response is quite commendable.

Milw0rm is a great resource for exploits of any kind, but since it is used by hackers, it is best to access this site from a system you do not mind rebuilding occasionally; a VM works, as does using the The Onion Router (Tor) plug-in for Firefox and Internet Explorer. It is best to be overly cautious when browsing sites that hackers create and visit, though they often have the latest exploits and attacks available.

Another good site is prometric.com, which hosts the 100 top hacker sites. As always, be cautious when accessing any of these sites.

A hearty “good job” to VMware for their response to this and all other security issues!
