Sunday, February 14, 2010

Easily Detecting VMware Instances Vulnerable to CVE-2009-3733

A tool called gueststealer was released at Shmoocon 2010. Gueststealer is a Perl script that can be used to grab arbitrary files from VMware instances vulnerable to CVE-2009-3733. A vulnerable instance can be exploited to pull files such as a .vmem file or even the VMware container file holding the entire file system of the virtualized machine. Once that is done, sensitive data could then be extracted.

The author of this article has created an nmap script that can be used to search for VMware instances vulnerable to this directory traversal problem. The nmap script works well, and you should consider using it to scan not only your potentially vulnerable Internet-facing machines but also your internal systems. Also at this URL is a link to the gueststealer Perl script.

VMware's bulletin describing the issue is available here.

So grab the nmap script, find your vulnerable machines, use the gueststealer Perl script as needed to convince anyone who needs convincing that the problem is real and requires action, and then patch.

email: david @
