CVE-2017-4918: VMware Horizon macOS client code injection vulnerability analysis-vulnerability warning-the black bar safety net

ID MYHACK58:62201787898
Type myhack58
Reporter 佚名
Modified 2017-07-16T00:00:00


This article I want to discuss under the VMware Horizon macOS client version 4. 4. 0, the 5164329 of a code injection vulnerability, which can be used to obtain local root privileges. The good news is this issue already in the latest version is fix. 0x01 analysis On my MAC the above understanding of“Open the VMware View Client Services”SUID binary after found it. ! I think it is in the Horizon of remote USB services for internal use, and only after the start enter the administrator credentials to be used. ! In order to further investigate the binary, I used the latest Fireeye app Monitor. app. It is a macOS on the process monitoring tool procmon to. ! Based on through the Monitor. app to capture all behavior, it is clear the“Open the VMware View Client Services”are services. sh package. For script file the SUID bit is ignored can be understood. After carefully browsing this after the script, I identified the following screenshot the highlighted part is the code injected into the vulnerability of the Start point. Although I don't know./ vmware-usbarbitrator inner workings, but I immediately noted that it should be an in-depth investigation of this binary. I am a non-admin user can set environment variables VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS, which in SUID execution of the script in use. ! In a further browse command-line option, I'm sure I can use the-kext flag to load a custom kernel extension. ! However, there are other two problems: 1. Kernel extensions in only to have root to: wheel permissions to load 2. In addition, the KEXT must have Apple's signature The present embodiment of the LPE I ignored the question 2. So I disabled the SIP. ! Let's focus on Question 1. In order to successfully load the kernel extension, binary must have the root:wheel permissions. However, for a normal user, it is impossible for any local file to set this file system permissions. Fortunately, I've spent a lot of time to learn the Tools On Air in the file system. So I know the only thing is I have to use NFS. This is possible because of NFS allow the server to specify the file system permissions, even if the user mount. I know of any other local or remote file system, will in some way ignore file ownership limit. Therefore, the next step is to use NFS to export a remote folder on my Kali Linux. ! Use the Finder“connect to server”to mount it. ! Create a simple KEXT ! And update the info. plist file to meet the need simple to add a dictionary to the“IOKitPersonalities”) ! Copy this KEXT to the NFS server its permissions will meet the“root:wheel”needs, and finally, we can start to really use. ! In order to do this, simple set VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS environment variable to before we create the KEXT and run the“Open the VMware View Client Services.”the Now you can load it. ! Thus we can in an ordinary user account permissions under the kernel context get code execution capability. 0x02 suggested solutions Filter or clear the environment variables VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS and VMWARE_VIEW_USBD_LOG_OPTIONS it. 0x03 disclosure time 2017-04-21: to report issues 2017-04-24: VMware begins to investigate 2017-06-06: fix 2017-06-08: update Horizon version 4. 5, and released a security Bulletin VMSA-2017-0011