Translated ['src/network-services-pentesting/pentesting-web/vmware-esx-v

Translator 2025-10-01 10:25:40 +00:00
parent 068ed2294f
commit 84d15d1943
4 changed files with 507 additions and 304 deletions


@ -110,6 +110,7 @@
- [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
- [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
- [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
- [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
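Review bot: the added SUMMARY entry `Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244` breaks the alphabetical order of this block (it lands between `Android Rooting Frameworks ...` and `Arbitrary File Write to Root`, ahead of `Cisco - vmanage` and `Containerd (ctr) ...`) and its title is a raw filename-to-title conversion (`Vmware`, `Cve 2025 41244`) that does not match the H1 of the page it links to (`VMware Tools service discovery LPE ... (CVE-2025-41244)`). Suggest moving the line to its alphabetical position and writing the title as `VMware Tools Service Discovery Untrusted Search Path (CVE-2025-41244)`, consistent with how the sibling entries capitalise product names and identifiers.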

File diff suppressed because it is too large.


@ -0,0 +1,146 @@
# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)
{{#include ../../banners/hacktricks-training.md}}
Mbinu hii inatumia pipelines za ugundaji huduma zinazotegemea regex ambazo huchambua mistari ya amri ya michakato inayofanya kazi ili kubaini toleo la service kisha kutekeleza binary inayoweza kuwa mgombea kwa flag ya "version". Wakati pattern zilizo permissive zinakubali njia zisizo salama, zinazoendeshwa na mshambuliaji (kwa mfano, /tmp/httpd), collector yenye haki za juu hutekeleza binary yoyote kutoka kwenye eneo lisilo salama, ikitoa escalation ya ruhusa ya ndani. NVISO ilidokeza hili katika VMware Tools/Aria Operations Service Discovery kama CVE-2025-41244.
- Impact: Local privilege escalation to root (or to the privileged discovery account)
- Root cause: Untrusted Search Path (CWE-426) + permissive regex matching of process command lines
- Affected: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)
## How VMware service discovery works (high level)
- Credential-based (legacy): Aria inatekeleza script za discovery ndani ya guest kupitia VMware Tools kwa kutumia credentials za privilegi zilizo konfigurishwa.
- Credential-less (modern): Logic ya discovery inaendeshwa ndani ya VMware Tools, tayari ikiwa na haki za juu ndani ya guest.
Viwendo vyote vinakimbia mantiki ya shell inayoscan processes zenye sockets za kusikiliza, inachota njia ya command inayofanana kupitia regex, na kisha inatekeleza argv token ya kwanza kwa flag ya version.
## Root cause and vulnerable pattern (open-vm-tools)
Katika open-vm-tools, script ya plugin ya serviceDiscovery get-versions.sh inalinganisha candidate binaries kwa kutumia regular expressions pana na inatekeleza argv token ya kwanza bila uthibitisho wowote wa trusted-path:
```bash
get_version() {
PATTERN=$1
VERSION_OPTION=$2
for p in $space_separated_pids
do
COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
[ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
done
}
```
Inaitwa kwa patterns zenye uvumilivu zinazojumuisha \S (isiyo-blanki) ambazo zitafanana kwa urahisi na njia zisizo za mfumo katika maeneo yanayoweza kuandikwa na mtumiaji:
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
- Utoaji unatumia grep -Eo na inachukua tokeni ya kwanza: ${COMMAND%%[[:space:]]*}
- Hakuna whitelist/allowlist ya njia za mfumo zilizoaminika; listener yoyote iliyogunduliwa yenye jina linalolingana hufanywa execute na -v/--version
Hili linaunda primitive ya utekelezaji kupitia untrusted search path: binaries yoyote iliyoko katika world-writable directories (mf., /tmp/httpd) hufanywa execute na sehemu yenye ruhusa za juu.
## Utekelezaji (hali zote bila cheti na kwa kutumia cheti)
Preconditions
- Unaweza kuendesha mchakato usio na ruhusa ambao unafungua listening socket kwenye guest.
- Discovery job imewezeshwa na inaendeshwa kwa vipindi (kwa kihistoria ~dakika 5).
Steps
1) Weka binary katika njia inayolingana na moja ya permissive regexes, mf., /tmp/httpd au ./nginx
2) Iendeshe kama mtumiaji mwenye ruhusa ndogo na hakikisha inafungua listening socket yoyote
3) Subiri mzunguko wa discovery; privileged collector itaendesha moja kwa moja: /tmp/httpd -v (au sawa), ikiwasha programu yako kama root
Minimal demo (ikitumia mbinu ya NVISO)
```bash
# Build any small helper that:
# - default mode: opens a dummy TCP listener
# - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
# Example staging and trigger
cp your_helper /tmp/httpd
chmod +x /tmp/httpd
/tmp/httpd # run as low-priv user and wait for the cycle
# After the next cycle, expect a root shell or your privileged action
```
Mfuatano wa kawaida wa mchakato
- Credential-based: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
- Credential-less: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i
Vibaki (credential-based)
Scripts za wrapper za SDMP zilizopatikana chini ya /tmp/VMware-SDMP-Scripts-{UUID}/ zinaweza kuonyesha utekelezaji wa moja kwa moja wa njia isiyo ya kawaida:
```bash
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
```
## Kuiboresha mbinu: regex-driven discovery abuse (portable pattern)
Wakala wengi na suites za ufuatiliaji hufanya ugundaji wa toleo/huduma kwa:
- Kuorodhesha michakato yenye sockets za kusikiliza
- Kufanya grep kwenye argv/line za amri kwa regex zenye uvumilivu (mfano, patterns zenye \S)
- Kutekeleza njia iliyoendana na hiyo kwa bendera isiyokuwa hatari kama -v, --version, -V, -h
Ikiwa regex inakubali njia zisizo salama na njia hiyo inatekelezwa kutoka kwa muktadha wa mamlaka, utapata CWE-426 Untrusted Search Path execution.
Mwongozo wa matumizi mabaya
- Jina binary yako kama daemons za kawaida ambazo regex inaweza kuzipata: httpd, nginx, mysqld, dataserver
- Iweka kwenye directory inayoweza kuandikwa: /tmp/httpd, ./nginx
- Hakikisha inafanana na regex na inafungua bandari yoyote itakayoorodheshwa
- Subiri collector iliyopangwa; utapata uanzishaji wa kiotomatiki wa <path> -v kwa nafasi za juu
Masquerading note: Hii inaendana na MITRE ATT&CK T1036.005 (Match Legitimate Name or Location) ili kuongeza uwezekano wa kufanana na kupunguza kugunduliwa.
Reusable privileged I/O relay trick
- Jenga helper yako ili wakati inapoanzishwa kwa hadhi ya juu (-v/--version) iungane na rendezvous inayojulikana (mfano, Linux abstract UNIX socket kama @cve) na iunganishe stdio na /bin/sh -i. Hii inazuia artifacts zilizo kwenye diski na inafanya kazi katika mazingira mengi ambapo binary ile ile inarudiwa na bendera.
## Ugunduzi na mwongozo wa DFIR
Maswali ya ufuatiliaji
- Watoto wasio wa kawaida wa vmtoolsd au get-versions.sh kama /tmp/httpd, ./nginx, /tmp/mysqld
- Utekelezaji wowote wa njia za absolute zisizo za system na scripts za discovery (angalia nafasi katika expansions za ${COMMAND%%...})
- ps -ef --forest kwa kuona miti ya asili: vmtoolsd -> get-versions.sh -> <non-system path>
Katika Aria SDMP (credential-based)
- Kagua /tmp/VMware-SDMP-Scripts-{UUID}/ kwa scripts za muda na artifacts za stdout/stderr zinazoonyesha utekelezaji wa njia za mshambuliaji
Sera/telemetri
- Onyesha tahadhari wakati collectors wenye mamlaka wanaanzisha kutoka viongozo visivyo vya system: ^/(tmp|home|var/tmp|dev/shm)/
- Ufuatiliaji wa uadilifu wa faili kwenye get-versions.sh na VMware Tools plugins
## Kupunguza madhara
- Sasisha: Tumia updates za Broadcom/VMware kwa CVE-2025-41244 (Tools and Aria Operations SDMP)
- Zima au zuia ugundaji usio na nyaraka inapowezekana
- Thibitisha njia za kuaminika: zuia utekelezaji kwa directories zilizo kwenye allowlist (/usr/sbin, /usr/bin, /sbin, /bin) na tu binaries zilizoeleweka kwa usahihi
- Epuka regex zenye uvumilivu zenye \S; chagua paths za absolute zilizo wazi na majina ya amri yaliyosanidiwa (anchored, explicit)
- Punguza mamlaka kwa discovery helpers pale inapowezekana; tumia sandbox (seccomp/AppArmor) kupunguza athari
- Fuatilia na onya kuhusu vmtoolsd/get-versions.sh zinapoendesha paths zisizo za system
## Vidokezo kwa walinda na watekelezaji
Mfumo salama zaidi wa mechi na utekelezaji
```bash
# Bad: permissive regex and blind exec
COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v
# Good: strict allowlist + path checks
candidate=$(get_command_line "$pid" | awk '{print $1}')
case "$candidate" in
/usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
"$candidate" -v 2>&1 ;;
*)
: # ignore non-allowlisted paths
;;
esac
```
## Marejeo
- [NVISO You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
- [Broadcom advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149)
- [open-vm-tools serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh)
- [MITRE ATT&CK T1036.005 Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)
{{#include ../../banners/hacktricks-training.md}}
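Review bot: the "Good" snippet in the defender section (`candidate=$(get_command_line "$pid" | awk '{print $1}')` followed by the `case` allowlist) still takes the candidate from the process command line, and argv[0] is whatever the caller passed to execve, so a low-privilege process can present `/usr/sbin/nginx` as its first token while its actual image lives in /tmp. The allowlist does stop the collector from executing the attacker's file, which is the point of the fix, but the version it then reports is attributed to the wrong process. Suggest resolving the real executable with `readlink -f /proc/$pid/exe` and, before running it, checking that the file is root-owned and not group- or world-writable, so the decision rests on the binary rather than on a string the target process controls; that also matches the "Thibitisha njia za kuaminika" mitigation bullet above it. One smaller point: the mitigation bullet `Zima au zuia ugundaji usio na nyaraka` reads as "undocumented discovery", while the same concept is called `bila cheti` (credential-less) in the "Utekelezaji" heading and "credential-less discovery" in the Affected line; the wording should be made consistent so the mitigation is not misread.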


@ -1,13 +1,26 @@
# Uhesabu
# VMware ESX / vCenter Pentesting
{{#include ../../banners/hacktricks-training.md}}
## Enumeration
```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```
# Bruteforce
## Bruteforce
```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```
Ikiwa utapata ithibitisho halali, unaweza kutumia moduli zaidi za skana za metasploit kupata taarifa.
Ikiwa unapata credentials halali, unaweza kutumia metasploit scanner modules zaidi kupata taarifa.
### Angalia pia
Linux LPE kupitia VMware Tools service discovery (CWE-426 / CVE-2025-41244):
{{#ref}}
../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}
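Review bot: the new cross-reference block is introduced with `### Angalia pia`, a level-3 heading under `## Bruteforce`, so the link to the VMware Tools LPE page renders as a subsection of the brute-force step although it is a page-wide "See also"; since this same hunk normalises `# Bruteforce` to `## Bruteforce`, `## Angalia pia` is the level that fits. The heading is also the only Swahili section title in a file whose other headings (`## Enumeration`, `## Bruteforce`) stay in English after this change; pick one language for the headings of this page so the table of contents reads consistently.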