Headline
CVE-2009-1143: 264577 – (CVE-2009-1142, CVE-2009-1143) app-emulation/open-vm-tools (CVE-2009-1142, CVE-2009-1143)
An issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass intended access restrictions on mounting shares via a symlink attack that leverages a realpath race condition in mount.vmhgfs (aka hgfsmounter).
Description Robert Buchholz (RETIRED) 2009-04-02 00:37:17 UTC
** Please note that this issue is confidential and no information should be disclosed until it is made public, see “Whiteboard” for a date **
Thomas Biege reported the following flaws:
CVE-2009-1142 If vmware-user-suid-wrapper is setuid root and the function ChmodChownDirectory() (depends on define TOGGLE_VMBLOCK) is enabled it seems a local user can use links in /tmp to chown root:root arbitrary dirs and even chmod to 777.
CVE-2009-1143 mount.vmhgfs/hgfsmounter is dereferencing symlinks in the mount target (mountPoint) using "realpath()", not considering race conditions. This can be exploited to mount given shares to arbitrary targets.
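Both reports above describe a privileged helper that acts on a path by name after a link could have been placed there. The C below is an added example, not code from open-vm-tools or from this bug report, and its function names are hypothetical: it opens the directory without following a final symlink, checks type and owner on the descriptor, and changes the mode through that same descriptor.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (added example). Opens path as a directory, refusing a
 * symlink in the final component, then checks type and owner on the fd.
 * O_NOFOLLOW does not cover symlinks in earlier path components. */
int open_dir_nofollow(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;              /* symlink or non-directory */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Apply the mode through the descriptor: check and use hit one inode. */
int chmod_dir_nofollow(const char *path, uid_t owner, mode_t mode)
{
    int fd = open_dir_nofollow(path, owner);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed demo: a real directory and a symlink that points at it. */
int demo(void)
{
    char tmpl[] = "/tmp/nofollow-demo-XXXXXX", dir[64], lnk[64];
    struct stat st;
    if (!mkdtemp(tmpl)) return -1;
    snprintf(dir, sizeof dir, "%s/real", tmpl);
    snprintf(lnk, sizeof lnk, "%s/link", tmpl);
    if (mkdir(dir, 0700) != 0 || symlink(dir, lnk) != 0) return -1;
    int real_rc = chmod_dir_nofollow(dir, getuid(), 0750);  /* accepted */
    int link_rc = chmod_dir_nofollow(lnk, getuid(), 0777);  /* refused  */
    int mode_ok = stat(dir, &st) == 0 && (st.st_mode & 0777) == 0750;
    unlink(lnk); rmdir(dir); rmdir(tmpl);
    return (real_rc == 0 && link_rc == -1 && mode_ok) ? 0 : 1;
}

int main(void) { return demo(); }
```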
Comment 1 Aaron Bauman (RETIRED) 2016-11-20 12:13:22 UTC
Mike, can you confirm if this is still a vulnerability that is present? Details are somewhat sparse as the bug is still not publicly released and SUSE still has a restriction on their bug.
Comment 3 Aaron Bauman (RETIRED) 2016-12-07 12:59:09 UTC
Please see previous comment.
Comment 4 Yury German 2019-03-11 02:59:34 UTC
This is from 2016 - Can we close this bug?