This vulnerability was discovered by Nahuel Riva and Gerardo Richarte from
the CORE IMPACT Exploit Writers Team (EWT).
The VMware vulnerabilities that originally triggered research and
subsequent discovery of the buffer overflow vulnerability in OpenBSD’s
dhcpd were found by Neel Mehta and Ryan Smith from IBM X-Force [3].
Since the advisory from IBM X-Force lists 3 apparently distinct bugs
(using 3 different CVE names) but provides no technical details to
uniquely identify each one of them, we've decided to roll a die and picked
CVE-2007-0063 as the one to identify the bug reported in this advisory.
* An anonymous researcher reported a stack-based buffer overflow
related to U3D model files with a crafted extension block
(CVE-2009-1855).
* Jun Mao and Ryan Smith of iDefense Labs reported an integer
overflow related to the FlateDecode filter, which triggers a
heap-based buffer overflow (CVE-2009-1856).
* Haifei Li of Fortinet's FortiGuard Global Security Research Team
reported a memory corruption vulnerability related to TrueType fonts
06/05/2009 - Tentative disclosure date of 06/09/2009 set
06/09/2009 - Coordinated public disclosure
IX. CREDIT
This vulnerability was discovered by Jun Mao and Ryan Smith, iDefense
Labs
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
This release fixes several vulnerabilities in the DHCP server
that could enable specially crafted packets to gain system-level
privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security
Systems X-Force for discovering and researching these
vulnerabilities.
Hosted products
---------------
07/28/2009 Public disclosure via MS09-035 out-of-band bulletin
07/29/2009 Material presented at BlackHat USA
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
07/29/2009 Material presented at BlackHat USA
08/11/2009 Public disclosure via MS09-037
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
After a standard system upgrade you need to reboot your computer to
effect the necessary changes.
Details follow:
Neel Mehta and Ryan Smith discovered that the VMware Player DHCP server
did not correctly handle certain packet structures. Remote attackers
could send specially crafted packets and gain root privileges.
(CVE-2007-0061, CVE-2007-0062, CVE-2007-0063)
Rafal Wojtczuk discovered multiple memory corruption issues in VMware
07/29/2009 Material presented at BlackHat USA
08/11/2009 Microsoft publishes MS09-037
IX. CREDIT
This vulnerability was discovered by Ryan Smith of iDefense Labs.
Description
===========
Multiple vulnerabilities have been discovered in several VMware
products. Neel Mehta and Ryan Smith (IBM ISS X-Force) discovered that
the DHCP server contains an integer overflow vulnerability
(CVE-2007-0062), an integer underflow vulnerability (CVE-2007-0063) and
another error when handling malformed packets (CVE-2007-0061), leading
to stack-based buffer overflows or stack corruption. Rafal Wojtczuk
(McAfee) discovered two unspecified errors that allow authenticated