Translated ['src/linux-hardening/privilege-escalation/README.md', 'src/l

Translator 2025-10-01 10:14:31 +00:00
parent b82a5e4b56
commit a382eda06f
4 changed files with 469 additions and 263 deletions


@ -110,6 +110,7 @@
- [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
- [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
- [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
- [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
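Review bot: the new SUMMARY entry `- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](...)` is a filename-derived title and does not match the H1 of the page it links (`# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)`) or the casing of the neighbouring entries (`Linux Privilege Escalation`, `Containerd (ctr) Privilege Escalation`). Consider a hand-written title such as `- [VMware Tools Service Discovery Untrusted Search Path (CVE-2025-41244)](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)` so the sidebar reads like the other entries and the CVE identifier is recognisable.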

File diff suppressed because it is too large


@ -0,0 +1,146 @@
# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)
{{#include ../../banners/hacktricks-training.md}}
Questa tecnica sfrutta pipeline di service discovery guidate da regex che analizzano le command line dei processi in esecuzione per dedurre le versioni dei service e quindi eseguire un candidate binary con un flag "version". Quando pattern permissivi accettano percorsi non attendibili controllati dall'attaccante (es. /tmp/httpd), il privileged collector esegue un arbitrary binary da una untrusted location, portando a local privilege escalation. NVISO ha documentato questo in VMware Tools/Aria Operations Service Discovery come CVE-2025-41244.
- Impatto: Local privilege escalation a root (o all'account di discovery privilegiato)
- Causa: Untrusted Search Path (CWE-426) + permissive regex matching of process command lines
- Interessati: open-vm-tools/VMware Tools su Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)
## Come funziona VMware service discovery (panoramica)
- Credential-based (legacy): Aria esegue discovery scripts all'interno del guest tramite VMware Tools usando privileged credentials configurate.
- Credential-less (modern): La discovery logic gira all'interno di VMware Tools, già privilegiata nel guest.
Entrambe le modalità, alla fine, eseguono logica in shell che scansiona i processi con socket in ascolto, estrae un command path corrispondente tramite una regex e esegue il primo token argv con un flag version.
## Causa radice e pattern vulnerabile (open-vm-tools)
In open-vm-tools, lo script plugin serviceDiscovery get-versions.sh confronta i candidate binaries usando espressioni regolari ampie e esegue il primo token senza alcuna validazione del trusted-path:
```bash
get_version() {
PATTERN=$1
VERSION_OPTION=$2
for p in $space_separated_pids
do
COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
[ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
done
}
```
Viene invocato con pattern permissivi contenenti \S (non-whitespace) che andranno facilmente a corrispondere a percorsi non di sistema in posizioni scrivibili dall'utente:
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
- L'estrazione usa grep -Eo e prende il primo token: ${COMMAND%%[[:space:]]*}
- Nessuna whitelist/allowlist di percorsi di sistema considerati trusted; qualsiasi discovered listener con un nome corrispondente viene eseguito con -v/--version
Questo crea una primitive di esecuzione basata su un percorso di ricerca non trusted: binari arbitrari situati in directory world-writable (e.g., /tmp/httpd) vengono eseguiti da un componente privilegiato.
## Sfruttamento (sia in modalità credential-less che credential-based)
Preconditions
- Puoi eseguire un processo non privilegiato che apre una listening socket sul guest.
- Il discovery job è abilitato e gira periodicamente (storicamente ~5 minuti).
Steps
1) Stage a binary in a path matching one of the permissive regexes, e.g. /tmp/httpd or ./nginx
2) Eseguilo come utente a basso privilegio e assicurati che apra una qualsiasi listening socket
3) Attendi il ciclo di discovery; il privileged collector eseguirà automaticamente: /tmp/httpd -v (o simile), eseguendo il tuo programma come root
Minimal demo (using NVISOs approach)
```bash
# Build any small helper that:
# - default mode: opens a dummy TCP listener
# - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
# Example staging and trigger
cp your_helper /tmp/httpd
chmod +x /tmp/httpd
/tmp/httpd # run as low-priv user and wait for the cycle
# After the next cycle, expect a root shell or your privileged action
```
Tipica catena dei processi
- Basato su credenziali: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
- Senza credenziali: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i
Artefatti (basato su credenziali)
Gli script wrapper SDMP recuperati sotto /tmp/VMware-SDMP-Scripts-{UUID}/ possono mostrare l'esecuzione diretta del percorso malevolo:
```bash
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
```
## Generalizing the technique: regex-driven discovery abuse (portable pattern)
Many agents and monitoring suites implement version/service discovery by:
- Enumerating processes with listening sockets
- Grepping argv/command lines with permissive regexes (e.g., patterns containing \S)
- Executing the matched path with a benign flag like -v, --version, -V, -h
If the regex accepts untrusted paths and the path is executed from a privileged context, you get CWE-426 Untrusted Search Path execution.
Abuse recipe
- Name your binary like common daemons that the regex is likely to match: httpd, nginx, mysqld, dataserver
- Place it in a writable directory: /tmp/httpd, ./nginx
- Ensure it matches the regex and opens any port to be enumerated
- Wait for the scheduled collector; you get an automatic privileged invocation of <path> -v
Masquerading note: This aligns with MITRE ATT&CK T1036.005 (Match Legitimate Name or Location) to increase match probability and stealth.
Reusable privileged I/O relay trick
- Build your helper so that on privileged invocation (-v/--version) it connects to a known rendezvous (e.g., a Linux abstract UNIX socket like @cve) and bridges stdio to /bin/sh -i. This avoids on-disk artifacts and works across many environments where the same binary is re-invoked with a flag.
## Detection and DFIR guidance
Hunting queries
- Uncommon children of vmtoolsd or get-versions.sh such as /tmp/httpd, ./nginx, /tmp/mysqld
- Any execution of non-system absolute paths by discovery scripts (look for spaces in ${COMMAND%%...} expansions)
- ps -ef --forest to visualize ancestry trees: vmtoolsd -> get-versions.sh -> <non-system path>
On Aria SDMP (credential-based)
- Inspect /tmp/VMware-SDMP-Scripts-{UUID}/ for transient scripts and stdout/stderr artifacts showing execution of attacker paths
Policy/telemetry
- Alert when privileged collectors execute from non-system prefixes: ^/(tmp|home|var/tmp|dev/shm)/
- File integrity monitoring on get-versions.sh and VMware Tools plugins
## Mitigations
- Patch: Apply Broadcom/VMware updates for CVE-2025-41244 (Tools and Aria Operations SDMP)
- Disable or restrict credential-less discovery where feasible
- Validate trusted paths: restrict execution to allowlisted directories (/usr/sbin, /usr/bin, /sbin, /bin) and only exact known binaries
- Avoid permissive regexes with \S; prefer anchored, explicit absolute paths and exact command names
- Drop privileges for discovery helpers where possible; sandbox (seccomp/AppArmor) to reduce impact
- Monitor for and alert on vmtoolsd/get-versions.sh executing non-system paths
## Notes for defenders and implementers
Safer matching and execution pattern
```bash
# Bad: permissive regex and blind exec
COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v
# Good: strict allowlist + path checks
candidate=$(get_command_line "$pid" | awk '{print $1}')
case "$candidate" in
/usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
"$candidate" -v 2>&1 ;;
*)
: # ignore non-allowlisted paths
;;
esac
```
## Riferimenti
- [NVISO You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
- [Broadcom advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149)
- [open-vm-tools serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh)
- [MITRE ATT&CK T1036.005 Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)
{{#include ../../banners/hacktricks-training.md}}
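Review bot: the translation of this new file is incomplete and the language switches mid-page. The introduction, the impact bullets and the first four `##` headings are Italian, but `Preconditions`, `Steps`, the first step (`1) Stage a binary in a path matching one of the permissive regexes, e.g. /tmp/httpd or ./nginx`), `Minimal demo (using NVISOs approach)` and everything from `## Generalizing the technique: regex-driven discovery abuse (portable pattern)` down to `## Notes for defenders and implementers` are still English, while the last heading was translated to `## Riferimenti`. Either translate the remaining sections and sub-labels (`Abuse recipe`, `Hunting queries`, `On Aria SDMP (credential-based)`, `Policy/telemetry`, `Safer matching and execution pattern`) or leave the whole page in one language; as committed, the defender-facing half is unreadable for the audience the Italian half targets. Two smaller points: `NVISOs approach` should be `NVISO's approach`, and the plain-text sub-labels (`Preconditions`, `Steps`, `Tipica catena dei processi`, `Artefatti (basato su credenziali)`) are not markdown headings, so they render as ordinary paragraphs glued to the following lists; `###` headings would keep the structure visible.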


@ -1,14 +1,26 @@
# VMware ESX / vCenter Pentesting
{{#include ../../banners/hacktricks-training.md}}
# Enumerazione
## Enumerazione
```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```
# Bruteforce
## Bruteforce
```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```
Se trovi credenziali valide, puoi utilizzare ulteriori moduli scanner di metasploit per ottenere informazioni.
Se trovi credenziali valide, puoi usare altri moduli scanner di metasploit per ottenere informazioni.
### Vedi anche
Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):
{{#ref}}
../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
{{#endref}}
{{#include ../../banners/hacktricks-training.md}}
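Review bot: `### Vedi anche` is nested under `## Bruteforce`, but the cross-reference to the CVE-2025-41244 page is not specific to brute-forcing; make it `## Vedi anche` so it sits at the same level as `## Enumerazione` and `## Bruteforce`. The demotion of `# Enumerazione` and `# Bruteforce` to `##` is consistent with the page keeping a single H1 (`# VMware ESX / vCenter Pentesting`), and the reworded sentence `Se trovi credenziali valide, puoi usare altri moduli scanner di metasploit per ottenere informazioni.` reads more naturally than the line it replaces. One nit: the lead-in `Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):` is left in English on an otherwise Italian page.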