VMware has made patches available to prevent data in certain VMDK files being used as a virtual disk descriptor following a vulnerability report from me.

In brief: These patches address an issue where a virtual machine user might be able to gain read / write access to arbitrary ESXi host files and execute arbitrary code on the host system given particular vSphere permissions.

I will not describe the vulnerability further at this time. For environments where untrusted users may manage their own VM disks, I would urge consulting the following material.

For further information, please see VMware Security Advisory VMSA-2013-0016 and KB articles 2066856 and 2034095, as well as JPCERT/CC JVN#13154935.

I would like to thank JPCERT/CC for assisting with the report and VMware, and to acknowledge related earlier work of security researchers at ERNW GmbH.