
CVE-2017-11741 Local root privesc in Hashicorp vagrant-vmware-fusion <= 4.0.23

2017-08-02 13:50

A couple of weeks ago I disclosed a local root privesc in Hashicorp's
vagrant-vmware-fusion plugin:

https://m4.rkw.io/blog/cve20177642-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4020.html

The initial patch they released was 4.0.21, which unfortunately contained a bug that prevented it from working at all on Mac systems, so I was unable to test it. I then had to give my Mac to Apple for a couple of weeks for some repairs, so only got around to testing 4.0.22 at the end of last week.

Unfortunately, 4.0.22 is still exploitable and the subsequent release of 4.0.23 did not fix the issue. Hashicorp reacted much faster this time, taking only a few days to issue a patch instead of a few months, and 4.0.24 does fix the issue.


As discussed before, the plugin installs a "sudo helper" encrypted ruby script and four architecture-specific wrappers into ~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin:

vagrant_vmware_desktop_sudo_helper
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64

The wrapper that matches the system architecture will be made suid root the first time any vagrant box is up'd. When a vagrant box is started, the wrapper script elevates privileges and then executes the ruby sudo helper script.


Previously I exploited the unsanitised system("ruby") call to simply invoke the wrapper directly and execute an arbitrary fake "ruby" script in the current PATH. This is now mitigated with 4.0.22 because the wrapper refuses to execute if it's not being called by vagrant.

Unfortunately it's still possible to exploit it because the wrapper executes the sudo helper as root, and the sudo helper is not root-owned, so we can overwrite it with any arbitrary ruby code which will then get executed as root when vagrant up is run.
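The missing check described above, as an added example that is not code from the advisory or from the vagrant-vmware-fusion plugin: the ownership and permission preconditions a setuid wrapper must verify before running a helper script as root, run over a constructed temp directory (hypothetical paths, not the real ~/.vagrant.d tree) in both the user-owned and the fixed layout.

```ruby
# Added example, not from the advisory or the vagrant-vmware-fusion plugin:
# the ownership/permission precondition a setuid wrapper must enforce before
# running a helper script as root. The advisory's root cause is this check
# being absent: the helper sat in the user-owned ~/.vagrant.d tree.
require 'tmpdir'
GROUP_OR_WORLD_WRITE = 0o022
# Returns an array of reasons why +path+ must NOT be run with elevated
# privileges; empty means every check passed. +trusted_uid+ is the only uid
# allowed to own the script and its directory (0 in production; the demo
# passes the current uid so the example runs unprivileged).
def helper_problems(path, trusted_uid: 0)
  problems = []
  st = File.lstat(path) # lstat: a symlink is reported, never followed
  if st.symlink?
    problems << "#{path}: is a symlink"
  elsif !st.file?
    problems << "#{path}: not a regular file"
  end
  problems << "#{path}: owned by uid #{st.uid}, expected #{trusted_uid}" if st.uid != trusted_uid
  if (st.mode & GROUP_OR_WORLD_WRITE) != 0
    problems << format('%s: group/world writable (mode %04o)', path, st.mode & 0o7777)
  end
  dir = File.dirname(path)
  dst = File.stat(dir)
  problems << "#{dir}: directory owned by uid #{dst.uid}, expected #{trusted_uid}" if dst.uid != trusted_uid
  # A writable parent lets anyone replace the file wholesale, however tight the file's own mode.
  if (dst.mode & GROUP_OR_WORLD_WRITE) != 0 && !dst.sticky?
    problems << format('%s: directory group/world writable (mode %04o)', dir, dst.mode & 0o7777)
  end
  problems
end

# Constructed demo: a temp dir standing in for the plugin's bin directory
# (hypothetical path, not the real ~/.vagrant.d tree). Returns
# [problems for the user-owned helper, problems after the fix].
def demo
  Dir.mktmpdir('vagrant-audit') do |bin|
    helper = File.join(bin, 'vagrant_vmware_desktop_sudo_helper')
    File.write(helper, "#!/usr/bin/env ruby\n# helper body\n")
    File.chmod(0o664, helper)
    # Vulnerable layout: owner is an ordinary user, not the uid the wrapper runs as;
    # simulated by demanding an owner other than ourselves.
    before = helper_problems(helper, trusted_uid: Process.uid + 1)
    File.chmod(0o644, helper) # fixed layout: correct owner, nobody else can write
    after = helper_problems(helper, trusted_uid: Process.uid)
    [before, after]
  end
end
demo.each { |p| puts(p.empty? ? 'ok' : p) } if __FILE__ == $PROGRAM_NAME
```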

The issue was reported to Hashicorp on 27/07/17 and fixed on 01/08/17.

PoC: https://m4.rkw.io/blog/cve201711741-local-root-privesc-in-hashicorp-vagrantvmwarefusion--4023.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: seclists.org/fulldisclosure/2017/Aug/0
