Message-ID: <bd00e7bbabb6478e64abaa52521e3204@rkw.io>
Date: Wed, 02 Aug 2017 09:34:46 +0100
From: Mark Wadham <fd@....io>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

A couple of weeks ago I disclosed a local root privesc in Hashicorp's vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html

The initial patch they released was 4.0.21 which unfortunately contained a bug
that prevented it from working at all on mac systems so I was unable to test it.
I then had to give my mac to Apple for a couple of weeks for some repairs so
only got around to testing 4.0.22 at the end of last week.

Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23
did not fix the issue. Hashicorp reacted much faster this time, taking only a
few days to issue a patch instead of a few months, and 4.0.24 does fix the issue.

As discussed before, the plugin installs a "sudo helper" encrypted ruby script
and four architecture-specific wrappers into
~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin

vagrant_vmware_desktop_sudo_helper
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64

The wrapper that matches the system architecture will be made suid root the
first time any vagrant box is up'd. When a vagrant box is started the wrapper
script elevates privileges and then executes the ruby sudo helper script.

Previously I exploited the unsanitised system("ruby") call to simply invoke the
wrapper directly and execute an arbitrary fake "ruby" script in the current
PATH. This is now mitigated with 4.0.22 because the wrapper refuses to execute
if it's not being called by vagrant.

Unfortunately it's still possible to exploit it because the wrapper executes the
sudo helper as root, and the sudo helper is not root-owned so we can overwrite it
with any arbitrary ruby code which will then get executed as root when vagrant up
is run.

The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.

PoC: 
https://m4.rkw.io/blog/cve201711741-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4023.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
