VMware Fusion contains a local privilege escalation vulnerability that allows an attacker to inject a malicious path into the system-wide PATH environment variable.
VMware Fusion Professional v15.5.5
CWE-269: Improper Privilege Management
During startup, VMware Fusion updates the “Public” path in /etc/paths.d/com.vmware.fusion.public using a leading path determined at runtime. A user with standard permissions can make a copy of the application and execute it from an untrusted location, and the value in com.vmware.fusion.public will be updated to that location. All interactive sessions, including the root user's, will then have the untrusted location in the system PATH environment variable. A trojan horse binary placed there would be executed whenever a command of that name is not found in the standard directories. It is also possible to embed code into the path itself, which will be executed upon login by any user on the system.
The exploit is a two-stage process. The first stage creates an entire copy of the VMware Fusion application using hard links to save space.
The second stage is to execute VMware Fusion from the path where stage one copied it. This kicks off several processes in the background, waits five seconds, and then kills the application. When this stage completes, the com.vmware.fusion.public file in /etc/paths.d will contain a path set to a location we control.
The full exploit can be downloaded from our Github repo at https://github.com/Critical-Start/Team-Ares/blob/master/CVE-2020-3980/CVE-2020-3980.sh.
Proof of Concept
The following proof of concept shows the exploit running as the test05 standard user.
When the exploit finishes, the system PATH environment variable is updated to include /Users/test05/.vmware.stager.Gagas/VMware Fusion.app/Contents/Public.
Now when any user logs in interactively, the system PATH environment variable will include the path that we control. Any application that does not specify the full path or reset the PATH variable could potentially be tricked into executing a malicious binary from this location. It is also possible to silently cause the user logging in to execute arbitrary commands.
06/03/2020 – Vulnerability reported to the vendor
07/08/2020 – Vendor confirms the vulnerability
07/29/2020 – Vendor requests extension due to issues
09/14/2020 – Vendor advisory and patch released. VMSA-2020-0020
Vulnerability discovered by Rich Mirch, Senior Penetration Tester for TEAMARES at CRITICALSTART