-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 All - the first bug is self-explanatory, > # Kernel denial of service vulnerability > An integer overflow vulnerability in the vmx86 kernel extension allows > for a denial of service by an unprivileged user. The vmx86 kext ioctl handler contains several integer overflows which lead to kernel heap corruptions. These are probably not exploitable, and I didn't try given the second bug, http://www.digit-labs.org/files/exploits/vmware-pop.c > # Kernel code execution vulnerability > An ioctl vulnerability in the vmx86 kernel extension allows for > executing arbitrary code in the kernel context by an unprivileged > user. The vmx86 kext ioctl handler permits an unprivileged userland program to initialize several function pointers via the 0x802E564A ioctl code. These function pointers are later used from several reachable locations within the driver, one of which is called immediately after initialization. http://www.digit-labs.org/files/exploits/vmware-fission.c - -- mu-b (mu-b@xxxxxxxxxxxxxx) "Only a few people will follow the proof. Whoever does will spend the rest of his life convincing people it is correct." - Anonymous, "P ?= NP" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkrFvGUACgkQY0H9BP42EjxSCACdEzIXe0D8n+VVplyEsuCbPBKS TjAAnAnHUPOSKrphGeaynF5bIKYQNyPY =lMJv -----END PGP SIGNATURE-----
