Full title: VMWare Setuid vmware-mount Unsafe popen(3) 
Category: local exploits
Platform: macOS
VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.

# 0day.today @ http://0day.today/