Security: Path Traversal vulnerability in VMware’s shared folders implementation

Core Security discovered a serious bug in the Shared Folders implementation available in VMware Workstation, Player and ACE:

A vulnerability was found in VMware’s shared folders mechanism that grants users of a Guest system read and write access to any portion of the Host’s file system including the system folder and other security-sensitive files. Exploitation of this vulnerability allows attackers to break out of an isolated Guest system to compromise the underlying Host system that controls it.

Successful exploitation requires that the Shared Folder’s feature be enabled, which is the default on VMware products that have the feature, AND at least one folder of the Host system is configured for sharing…

The famous security firm also developed an exploit to demonstrate the risks of this vulnerability, which is available here (source code only), along with a long explanation of the flaw.

Core Security initially discovered the bug in October 2007 and, following the full disclosure code of ethics, informed VMware before anyone else. Despite an immediate answer, VMware delayed the release of the bug fix for months, until the security firm decided to publish this advisory to push for a remedy.

As of today, the only remedy available is to disable Shared Folders.