Local Privilege Escalation Vulnerability Discovered in VMware Fusion | Critical Start

Local Privilege Escalation Vulnerability Discovered in VMware Fusion


Summary:
VMware Fusion contains a local privilege escalation vulnerability that allows an attacker to inject a malicious path into the system-wide PATH environment variable.

Versions Tested:
VMware Fusion Professional v15.5.5

Product:
https://www.vmware.com/products/fusion.html

Security Advisories:
https://www.vmware.com/security/advisories/VMSA-2020-0020.html

CVE Number:
CVE-2020-3980

CVSS Score:
6.7

CWE:
CWE-269: Improper Privilege Management


Vulnerability Details

During startup, VMware Fusion rewrites the "Public" path in /etc/paths.d/com.vmware.fusion.public using a leading path determined at runtime. A user with standard permissions can make a copy of the application, execute it from an untrusted location, and the value in com.vmware.fusion.public will be updated to that location. All interactive sessions, including those of the root user, will then have the untrusted location in the system PATH environment variable. A trojan horse binary placed there would be executed whenever a command of that name is not found in the standard directories. It is also possible to embed code in the path string, which will be executed upon login by any user on the system.

The exploit is a two-stage process. The first stage creates a complete copy of the VMware Fusion application, using hard links to save space.

The second stage executes VMware Fusion from the path where stage one copied it. This kicks off several processes in the background, waits five seconds, and then kills the application. When this stage completes, the com.vmware.fusion.public file in /etc/paths.d contains a path pointing to a location we control.

The full exploit can be downloaded from our Github repo at https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-3980/CVE-2020-3980.sh.


Proof of Concept

The following proof of concept shows the exploit running as the test05 standard user.

When the exploit finishes, the system PATH environment variable is updated to include /Users/test05/.vmware.stager.Gagas/VMware Fusion.app/Contents/Public.

Now, whenever any user logs in interactively, the system PATH environment variable will include the path that we control. Any application that does not specify the full path to the binaries it runs, or that does not reset the PATH variable, could be tricked into executing a malicious binary from this location. It is also possible to silently cause the user logging in to execute arbitrary commands.
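As an added defensive check (not part of the advisory or the exploit repository), the following bash script audits the entries in a paths.d-style directory for the two conditions described above: a path rooted in a user-controlled location, and shell metacharacters that a login shell would evaluate. The list of untrusted prefixes is an assumption; the sample file contents are constructed from the path shown in this proof of concept.

```bash
#!/bin/bash
# Audit /etc/paths.d entries for user-controlled or code-bearing paths.
# Assumption: these prefixes are roots that non-root users can write under.
UNTRUSTED_PREFIXES="/Users/ /tmp/ /private/tmp/ /var/folders/ /private/var/folders/ /Volumes/"

# Return 0 if a single paths.d line is clean, 1 (with a reason) if suspicious.
check_path_entry() {
    local entry=$1
    # 1. Shell metacharacters: the login shell evaluates the generated PATH
    #    assignment, so quoting or command substitution here runs as code.
    case $entry in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'('*|*')'*|*'<'*|*'>'*|*'"'*)
            echo "CODE:      $entry"; return 1 ;;
    esac
    # 2. Relative entries are resolved against whatever the cwd happens to be.
    case $entry in
        /*) ;;
        *)  echo "RELATIVE:  $entry"; return 1 ;;
    esac
    # 3. Entries rooted in a location a standard user controls.
    local p
    for p in $UNTRUSTED_PREFIXES; do
        case "$entry/" in
            "$p"*) echo "UNTRUSTED: $entry"; return 1 ;;
        esac
    done
    return 0
}

# Audit every file in a directory; print the number of flagged entries.
audit_paths_dir() {
    local dir=$1 f line bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            check_path_entry "$line" >&2 || bad=$((bad + 1))
        done < "$f"
    done
    echo "$bad"
}

# Constructed sample: the post-exploit file from this advisory beside a clean one.
demo_dir=$(mktemp -d)
printf '%s\n' '/Users/test05/.vmware.stager.Gagas/VMware Fusion.app/Contents/Public' \
    > "$demo_dir/com.vmware.fusion.public"
printf '%s\n' '/Applications/VMware Fusion.app/Contents/Public' > "$demo_dir/clean"
echo "flagged entries: $(audit_paths_dir "$demo_dir")"
rm -rf "$demo_dir"
```

On a real system, run `audit_paths_dir /etc/paths.d`; a non-zero count is worth investigating, since only root should be writing these files.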


Timeline:

06/03/2020 – Vulnerability reported to the vendor
07/08/2020 – Vendor confirms the vulnerability
07/29/2020 – Vendor requests extension due to issues
09/14/2020 – Vendor advisory and patch released. VMSA-2020-0020


Credit:

Vulnerability discovered by Rich Mirch, Senior Penetration Tester for TEAMARES at CRITICALSTART
