TippingPoint Digital Vaccine Laboratories
DID YOU KNOW... DVLabs and our Zero Day Initiative were credited with discovering 17 Microsoft vulnerabilities in 2006 alone.

VMWare VMnc Codec Frame Decompression Remote Code Execution Vulnerability

TPTI-10-16: December 3rd, 2010


Affected Vendors

Affected Products

Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of multiple VMWare products. User interaction is required in that a user must visit a malicious web page or open a malicious video file.

Upon installation VMWare Workstation, Server, Player, and ACE register vmnc.dll as a video codec driver to handle compression and decompression of the fourCC type 'VMnc'. This format is used primarily by Workstation to capture remote framebuffer recordings of sessions within a virtual machine. The resulting video is stored within an AVI container file. While playing back such files the function responsible for handling ICM_DECOMPRESS driver messages implicitly trusts a size value while decompressing a frame. An attacker can utilize this to miscalculate a destination pointer. This leads to the corruption of a heap buffer on a later call to memcpy with user-controlled source data. This can be leveraged to execute arbitrary code on the host system under the context of the current user.

Vendor Response

VMWare, Inc. has issued an update to correct this vulnerability. More details can be found at:

Disclosure Timeline

    2010-06-16 - Vulnerability reported to vendor
    2010-12-03 - Coordinated public release of advisory


This vulnerability was discovered by: