Nytro

CVE-2017-4918: Code Injection in VMware Horizon’s macOS Client

Posted Jul 10, 2017


In this blog post I want to discuss a code injection vulnerability in VMware Horizon's macOS Client, version 4.4.0 (build 5164329), that can be abused to gain local root privileges. The good news is that it has already been fixed in the latest available version. I found it after learning about the "Open VMware View Client Services" SUID binary on my Mac.

[Screenshot: Screen-Shot-2017-04-21-at-21.28.31.png]

I think it is used internally by Horizon’s remote USB services and is only exploitable after they have been started once by entering administrative credentials.

[Screenshot: Screen-Shot-2017-04-22-at-20.34.49.png]

To investigate the binary further, I used the newly released FireEye application Monitor.app, which is essentially Process Monitor (procmon) for macOS.

[Screenshot: Screen-Shot-2017-04-21-at-21.30.07.png]

Based on the activities captured by Monitor.app it was clear that "Open VMware View Client Services" is basically a wrapper around "services.sh". This makes sense, as the SUID bit is ignored for script files: the kernel does not honour setuid on interpreted (#!) scripts, so a compiled wrapper binary is needed to run a script with elevated privileges.

After taking a closer look at this script, I identified the highlighted line in the following screenshot as a starting point for a possible code injection vulnerability. Although I had no idea about the inner workings of "./vmware-usbarbitrator", this binary was immediately my focus for further investigation. The reason is that I, as a non-admin user, am able to set the content of the environment variable VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS, which is then used inside a script executed with SUID privileges.

[Screenshot: Screen-Shot-2017-04-21-at-21.31.03.png]

After taking a closer look at the possible command line options, I was pretty sure I could abuse this setup to load a custom kernel extension via the --kext flag.

[Screenshot: Screen-Shot-2017-04-21-at-21.31.30.png]

However, there are two further obstacles:

  1. Kernel extensions are only loaded if they are owned by root:wheel.
  2. Additionally, KEXTs have to be signed with an Apple-issued kext signing certificate (a requirement enforced by SIP).

In the course of this LPE I will ignore issue #2. Hence, I disabled SIP.

[Screenshot: Screen-Shot-2017-04-21-at-22.06.19.png]

So let's focus on issue #1. To successfully load a kernel extension, the bundle has to be owned by root:wheel. However, a normal user cannot set this ownership on any local file. Luckily, I had already invested plenty of time learning about the ins and outs of file systems at Tools On Air, so I knew the only thing I had to do was abuse NFS. This works because NFS lets the server dictate the ownership and permissions that the client sees, even when the share is mounted by an unprivileged user: the macOS client simply trusts the uid/gid reported by the server. Any other local or remote file system I know of ignores files owned by root in some way. So my next step was to simply export a remote folder (on the Kali Linux machine I always carry around with me) using NFS…

[Screenshot: Screen-Shot-2017-04-21-at-22.16.47.png]

… and mount it using Finder’s “Connect to Server”.

[Screenshot: Screen-Shot-2017-04-21-at-21.33.30-1.png]

After creating a simple KEXT …

[Screenshot: Screen-Shot-2017-04-21-at-21.31.53.png]

… and updating its Info.plist to meet the loader's requirements (simply add an "IOKitPersonalities" dictionary), we are ready!

[Screenshot: Screen-Shot-2017-04-21-at-21.32.00.png]

After copying this KEXT to the NFS server and adapting its ownership there to meet the root:wheel requirement, we are finally able to start the real exploitation.

[Screenshot: Screen-Shot-2017-04-21-at-22.36.17.png]

To do so, simply set the VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS environment variable to point at our previously created KEXT and run "Open VMware View Client Services". This is enough to load it!

[Screenshot: Screen-Shot-2017-04-21-at-22.45.21.png]

Hence, we gained code execution in kernel context from a normal user's account!

Suggested Solution

Filter or clear the environment variables VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS and VMWARE_VIEW_USBD_LOG_OPTIONS before the SUID wrapper hands control to the script, so that an unprivileged caller cannot pass options such as --kext into a root-privileged process.
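As an added illustration of that fix (this is not VMware's code and not the actual patched wrapper; the script path below is a placeholder assumption), here is how a SUID wrapper of the kind described above, a compiled binary that exists only because setuid is ignored on scripts, can sanitize its environment before exec'ing the script. Rather than deny-listing the two VMware variables, it allow-lists a handful of harmless names, replaces PATH with a fixed value, and passes the resulting vector to execve, so VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS, VMWARE_VIEW_USBD_LOG_OPTIONS and loader knobs such as DYLD_INSERT_LIBRARIES never reach the privileged script:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Placeholder for the script the SUID helper wraps. The real path is not
 * given on the page; this value is an assumption for the example. */
#define SERVICES_SCRIPT "/usr/local/lib/vmware-view/services.sh"

/* Fixed search path for the child. It is never inherited from the caller,
 * so a user-controlled PATH cannot redirect commands run by the script. */
#define SAFE_PATH "PATH=/usr/bin:/bin:/usr/sbin:/sbin"

/* Allow-list of variable NAMEs the child may inherit. Everything else,
 * including VMWARE_VIEW_USBARBITRATOR_LOG_OPTIONS and
 * VMWARE_VIEW_USBD_LOG_OPTIONS, is dropped. */
static const char *const allowed_names[] = { "HOME", "USER", "LANG", "TERM", NULL };

/* Returns 1 if `var` (of the form NAME=value) has an allow-listed NAME,
 * 0 otherwise. Entries without '=' are treated as malformed and dropped. */
int env_var_allowed(const char *var)
{
    const char *eq = strchr(var, '=');
    if (eq == NULL)
        return 0;
    size_t name_len = (size_t)(eq - var);
    for (const char *const *p = allowed_names; *p != NULL; p++) {
        if (strlen(*p) == name_len && strncmp(*p, var, name_len) == 0)
            return 1;
    }
    return 0;
}

/* Copy the allow-listed entries of `in` into `out`, append SAFE_PATH and a
 * NULL terminator, and return the number of entries (excluding the NULL).
 * Returns -1 if `out` (capacity `out_cap` pointers) is too small. */
int build_safe_env(char *const in[], char *out[], size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; in[i] != NULL; i++) {
        if (!env_var_allowed(in[i]))
            continue;
        if (n + 3 > out_cap)   /* room for this entry, SAFE_PATH and NULL */
            return -1;
        out[n++] = in[i];
    }
    if (n + 2 > out_cap)       /* room for SAFE_PATH and NULL */
        return -1;
    out[n++] = (char *)SAFE_PATH;
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char *argv[], char *envp[])
{
    (void)argc;
    (void)argv;
    char *safe_env[64];
    if (build_safe_env(envp, safe_env, sizeof safe_env / sizeof safe_env[0]) < 0) {
        fputs("environment too large\n", stderr);
        return 1;
    }
    /* A shell script only keeps root privileges if the real uid is root
     * as well; otherwise sh/bash drops the effective uid on startup. */
    if (setuid(geteuid()) != 0) {
        perror("setuid");
        return 1;
    }
    /* Absolute interpreter and script paths: nothing depends on the
     * caller's PATH or working directory. The child gets only safe_env. */
    char *const child_argv[] = { "/bin/sh", SERVICES_SCRIPT, NULL };
    execve(child_argv[0], child_argv, safe_env);
    perror("execve");
    return 1;
}
```

The allow-list is the important design choice: a deny-list of the two variables named in the advisory would have to be extended every time the script gains a new environment-driven option, whereas the allow-list fails closed. Combining this with a fixed PATH and absolute exec paths closes the usual companion bugs in SUID wrappers.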

Disclosure Timeline

21-04-2017: Issue documented and reported to VMware
24-04-2017: VMware started investigating
06-06-2017: Fix ready
08-06-2017: Updated Horizon version 4.5 released alongside security advisory VMSA-2017-0011


Source: https://bogner.sh/2017/07/cve-2017-4918-code-injection-in-vmware-horizons-macos-client/
