PT-2008-2537 · Vmware · Vmware Workstation+2

Published 2008-02-26 · Updated 2018-10-15 · CVE-2008-0923

CVSS v2.0: 6.9 (Medium)

Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

VMware ACE versions 1.0.2 through 2.0.2
VMware Player versions 1.0.4 through 2.0.2
VMware Workstation versions 5.5.4 through 6.0.2

Description

A directory traversal issue in the Shared Folders feature allows guest OS users to read and write arbitrary files on the host OS. The guest supplies a multibyte string that, once converted, produces a wide character string containing .. (dot dot) sequences, which bypasses the protection mechanism. An example of such a string is %c0%2e%c0%2e.

Recommendations

For VMware ACE versions 1.0.2 through 2.0.2, consider disabling the Shared Folders feature until a patch is available. For VMware Player versions 1.0.4 through 2.0.2, restrict access to the Shared Folders feature to minimize the risk of exploitation. For VMware Workstation versions 5.5.4 through 6.0.2, avoid using the Shared Folders feature with untrusted guest OS users until the issue is resolved.
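The Description's failure mode, a traversal filter that inspects a path before multibyte-to-wide conversion, is shown below beside a hardened ordering. This is an added example, not VMware code: `lax_decode`, `flawed_resolve` and `hardened_resolve` are hypothetical names, and the permissive converter is an assumed model, since the page does not describe the product's actual conversion routine.

```python
# Added example: models the check-ordering flaw; not VMware code.
from urllib.parse import unquote_to_bytes

def lax_decode(raw: bytes) -> str:
    """Hypothetical permissive converter: trusts a 2-byte lead byte and
    never checks that the next byte is a 10xxxxxx continuation byte."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def has_dotdot(path: str) -> bool:
    """True if any path component is exactly '..'."""
    return ".." in path.replace("\\", "/").split("/")

def flawed_resolve(raw: bytes) -> str:
    """Filters the raw bytes, then converts: the filter never sees dots."""
    if has_dotdot(raw.decode("latin-1")):
        raise ValueError("traversal rejected")
    return lax_decode(raw)

def hardened_resolve(raw: bytes) -> str:
    """Converts strictly first, then filters the string actually used."""
    try:
        path = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        raise ValueError("malformed multibyte sequence rejected") from None
    if has_dotdot(path):
        raise ValueError("traversal rejected")
    return path

# Constructed input built from the string quoted in the Description.
SAMPLE = unquote_to_bytes("%c0%2e%c0%2e") + b"/file.txt"

if __name__ == "__main__":
    print("flawed order yields:", flawed_resolve(SAMPLE))
    try:
        hardened_resolve(SAMPLE)
    except ValueError as err:
        print("hardened order:", err)
```

The general rule the example illustrates: canonicalize with a decoder that rejects malformed sequences, then validate the exact string that will be handed to the file system.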

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2008-0923

Affected Products

Vmware Ace
Vmware Player
Vmware Workstation