Date: Wed, 02 Aug 2017 09:34:46 +0100
From: Mark Wadham <>
Subject: [FD] CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

A couple of weeks ago I disclosed a local root privesc in Hashicorp's
vagrant-vmware-fusion plugin:

The initial patch they released was 4.0.21, which unfortunately contained a bug that prevented it from working at all on Mac systems, so I was unable to test it. I then had to give my Mac to Apple for a couple of weeks for some repairs, so I only got around to testing 4.0.22 at the end of last week.

Unfortunately, 4.0.22 is still exploitable and the subsequent release of did not fix the issue. Hashicorp reacted much faster this time, taking only a few days to issue a patch instead of a few months, and 4.0.24 does fix the issue.

As discussed before, the plugin installs a "sudo helper" encrypted ruby and four architecture-specific wrappers into


The wrapper that matches the system architecture will be made suid root the first time any vagrant box is up'd. When a vagrant box is started, the script elevates privileges and then executes the ruby sudo helper

Previously I exploited the unsanitised system("ruby") call to simply invoke the wrapper directly and execute an arbitrary fake "ruby" script in the current PATH. This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's not being called by vagrant.

Unfortunately it's still possible to exploit it because the wrapper executes the sudo helper as root, and the sudo helper is not root-owned, so we can overwrite it with any arbitrary ruby code which will then get executed as root when vagrant up is run.

The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.
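The root cause described above is a privileged wrapper executing a file that unprivileged users can replace. The script below is an added example (editor's code, not Mark Wadham's and not Hashicorp's fix) of the check an administrator or a suid wrapper should run before executing a helper as root: the helper and every directory above it must be root-owned, the helper must not be group/world-writable or a symlink, and no ancestor directory may be group/world-writable unless it carries the sticky bit. The post does not give the helper's install path, so the demo audits a constructed throwaway helper in a temporary directory; the path, file name and policy are this example's assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Permission bits that let someone other than the owner modify an entry.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_root_executed_path(path, trusted_uid=0):
    """Audit a file that a suid/sudo wrapper is about to execute as root.

    Returns a dict with two lists of human-readable findings:
      "file"      - problems with the helper file itself
      "ancestors" - problems with the directories leading to it
    Empty lists mean nothing suspicious was found. The policy is this example's
    assumption, not the vendor's: the helper and every parent directory must be
    owned by `trusted_uid` (root by default), the helper must not be a symlink
    or group/world-writable, and no parent directory may be group/world-writable
    unless it has the sticky bit (as /tmp does).
    """
    findings = {"file": [], "ancestors": []}
    p = Path(path).absolute()
    try:
        st = p.lstat()  # lstat: a symlink in the path is itself a finding
    except FileNotFoundError:
        st = None
        findings["file"].append(
            f"{p}: does not exist (an unprivileged user could create it)")
    if st is not None:
        if stat.S_ISLNK(st.st_mode):
            findings["file"].append(f"{p}: is a symlink, so its target can be swapped")
        if st.st_uid != trusted_uid:
            findings["file"].append(
                f"{p}: owned by uid {st.st_uid}, not uid {trusted_uid}")
        if st.st_mode & WRITABLE_BY_OTHERS:
            findings["file"].append(
                f"{p}: group/world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    # Walk every ancestor up to "/": a writable parent lets an attacker rename
    # or replace the helper even if the helper's own mode looks fine.
    for parent in p.parents:
        pst = parent.stat()
        if pst.st_uid != trusted_uid:
            findings["ancestors"].append(
                f"{parent}: owned by uid {pst.st_uid}, not uid {trusted_uid}")
        if (pst.st_mode & WRITABLE_BY_OTHERS) and not (pst.st_mode & stat.S_ISVTX):
            findings["ancestors"].append(
                f"{parent}: group/world-writable without the sticky bit")
    return findings


def demo(helper_mode, trust_current_user=False):
    """Constructed sample input: a throwaway Ruby 'sudo helper' in a temp
    directory, chmod'ed to `helper_mode`, then audited. With
    trust_current_user=True the current uid is treated as the trusted owner,
    which isolates the mode checks from who happens to run this script."""
    trusted = os.getuid() if trust_current_user else 0
    with tempfile.TemporaryDirectory() as d:
        helper = Path(d) / "sudo_helper.rb"  # hypothetical name, not the plugin's
        helper.write_text("#!/usr/bin/env ruby\nputs 'this would run as root'\n")
        os.chmod(helper, helper_mode)
        return audit_root_executed_path(helper, trusted_uid=trusted)


if __name__ == "__main__":
    for mode in (0o666, 0o644, 0o600):
        result = demo(mode)
        print(f"helper mode {mode:04o}:")
        for section in ("file", "ancestors"):
            for finding in result[section] or [f"{section}: ok"]:
                print("  " + finding)
```

The ancestor walk is what distinguishes this from a plain ownership check: a root-owned, mode 0644 helper inside a user-owned directory is still replaceable, which is why the demo's temp directory is reported even for the locked-down mode.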


Sent through the Full Disclosure mailing list