VMware Remote Console 'connect' Method Remote Format String Vulnerability

Bugtraq ID:	39396
Class:	Input Validation Error
CVE:	CVE-2009-3732
Remote:	Yes
Local:	No
Published:	Apr 09 2010 12:00AM
Updated:	Oct 01 2012 07:10PM
Credit:	Alexey Sintsov from Digital Security Research Group
Vulnerable:	VMWare Infrastructure Client (Vsphere) 4 VMWare ESX Server 4.0 Gentoo Linux
Not Vulnerable:

VMware Remote Console 'connect' Method Remote Format String Vulnerability

VMware Remote Console is prone to a remote format string vulnerability.

Successful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions.

NOTE: This issue was previously covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities), but has been given its own record to better document it.

VMware Remote Console 'connect' Method Remote Format String Vulnerability

The following proof-of-concept call for the ActiveX control is available:

objectVMRC.connect ("host" ,"username" ,"password", "%x:%x:%x:%x:%x:%x:%x:%x:%x" ,"X" ,2);

VMware Remote Console 'connect' Method Remote Format String Vulnerability

Solution:
Updates are available; please see the references for more information.

VMware Remote Console 'connect' Method Remote Format String Vulnerability

References:

• [DSECRG-09-053] VMware Remote Console - format string vulnerability (Digital Security Research Group)
  
• Microsoft Knowledge Base Article 240797 (Microsoft)
  
• VMware Homepage (VMware)
  
• [DSecRG-09-053] VMware Remoute Console - format string (Alexandr Polyakov )
  
• VMSA-2010-0007.1 VMware hosted products, vCenter Server and ESX patches resolve (VMware)