mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Translated ['src/network-services-pentesting/pentesting-web/vmware-esx-v
This commit is contained in: parent 8c080f7da8, commit e5218690c8
@ -110,6 +110,7 @@
- [Checklist - Linux Privilege Escalation](linux-hardening/linux-privilege-escalation-checklist.md)
- [Linux Privilege Escalation](linux-hardening/privilege-escalation/README.md)
- [Android Rooting Frameworks Manager Auth Bypass Syscall Hook](linux-hardening/privilege-escalation/android-rooting-frameworks-manager-auth-bypass-syscall-hook.md)
- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)
- [Arbitrary File Write to Root](linux-hardening/privilege-escalation/write-to-root.md)
- [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
- [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
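Review bot: the new entry `- [Vmware Tools Service Discovery Untrusted Search Path Cve 2025 41244](...)` breaks the alphabetical order of its neighbours and carries a title derived from the filename rather than from the page. The entries around it run Android Rooting Frameworks..., Arbitrary File Write to Root, Cisco - vmanage, Containerd (ctr)..., so a V entry belongs further down the list, and the title should be spelled the way the new page's own H1 spells it, for example `- [VMware Tools Service Discovery Untrusted Search Path (CVE-2025-41244)](linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md)` instead of `Vmware ... Cve 2025 41244`.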
File diff suppressed because it is too large
@ -0,0 +1,146 @@
# VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)

{{#include ../../banners/hacktricks-training.md}}

This technique abuses regex-based service discovery pipelines that parse the command lines of running processes to infer service versions and then execute the candidate binary with a "version" flag. When permissive patterns accept untrusted, attacker-controlled paths (for example /tmp/httpd), the privileged collector executes an arbitrary binary from that untrusted location, resulting in local privilege escalation. NVISO documented this in VMware Tools/Aria Operations Service Discovery as CVE-2025-41244.

- Impact: Local privilege escalation to root (or to the privileged discovery account)
- Root cause: Untrusted Search Path (CWE-426) + permissive regex matching of process command lines
- Affected: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)

## How VMware service discovery works (high level)

- Credential-based (legacy): Aria executes discovery scripts inside the guest via VMware Tools using configured privileged credentials.
- Credential-less (modern): Discovery logic runs within VMware Tools, already privileged in the guest.

Both modes ultimately run shell logic that scans processes with listening sockets, extracts a matching command path via a regex, and executes the first argv token with a version flag.

## Root cause and vulnerable pattern (open-vm-tools)

In open-vm-tools, the serviceDiscovery plugin script get-versions.sh matches candidate binaries using broad regular expressions and executes the first token without any trusted-path validation:
```bash
get_version() {
    PATTERN=$1
    VERSION_OPTION=$2
    for p in $space_separated_pids
    do
        COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
        [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
    done
}
```
It is invoked with permissive patterns containing \S (non-whitespace), which readily match non-system paths in user-writable locations:
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
- Extraction uses grep -Eo and takes the first token: ${COMMAND%%[[:space:]]*}
- No whitelist/allowlist of trusted system paths; any discovered listener with a matching name is executed with -v/--version

This creates an untrusted search path execution primitive: arbitrary binaries located in world-writable directories (e.g., /tmp/httpd) get executed by a privileged component.

## Exploitation (credential-less and credential-based modes)

Prerequisites
- You can run an unprivileged process on the guest that opens a listening socket.
- The discovery job is enabled and runs periodically (historically about every 5 minutes).

Steps
1) Place a binary at a path that matches one of the permissive regexes, e.g. /tmp/httpd or ./nginx
2) Run it as a low-privileged user and make sure it opens a listening socket
3) Wait for the discovery cycle; the privileged collector automatically executes /tmp/httpd -v (or similar), running your program as root

Minimal demo (using NVISO’s approach)
```bash
# Build any small helper that:
# - default mode: opens a dummy TCP listener
# - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
# Example staging and trigger
cp your_helper /tmp/httpd
chmod +x /tmp/httpd
/tmp/httpd # run as low-priv user and wait for the cycle
# After the next cycle, expect a root shell or your privileged action
```
Typical process lineage
- Credential-based: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
- Credential-less: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i

Artifacts (credential-based)
Recovered SDMP wrapper scripts under /tmp/VMware-SDMP-Scripts-{UUID}/ may show the direct execution of the malicious path:
```bash
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
```
## Generalizing the technique: regex-driven discovery abuse (portable pattern)

Many agents and monitoring suites implement version/service discovery by:
- Enumerating processes with listening sockets
- Matching argv/command lines with permissive regexes (e.g. patterns containing \S)
- Executing the matched path with a harmless flag such as -v, --version, -V, -h

If the regex accepts untrusted paths and that path is executed in a privileged context, the result is CWE-426 Untrusted Search Path execution.

Abuse recipe
- Name your binary after a common daemon the regex is likely to match: httpd, nginx, mysqld, dataserver
- Place it in a writable directory: /tmp/httpd, ./nginx
- Make sure it matches the regex and opens any port so it gets enumerated
- Wait for the scheduled collector; you get an automatic privileged invocation of <path> -v

Masquerading note: this aligns with MITRE ATT&CK T1036.005 (Match Legitimate Name or Location), raising the match probability and adding stealth.

Reusable privileged I/O relay trick
- Build your helper so that, on the privileged invocation (-v/--version), it connects to a known rendezvous (e.g. a Linux abstract UNIX socket such as @cve) and bridges stdio to /bin/sh -i. This avoids on-disk traces and works in many environments where the same binary is invoked again with a flag.

## Detection and DFIR guidance

Hunting queries
- Unusual child processes of vmtoolsd or get-versions.sh, e.g. /tmp/httpd, ./nginx, /tmp/mysqld
- Any non-system absolute path executed by the discovery scripts (check whether the ${COMMAND%%...} expansion contains spaces)
- Use ps -ef --forest to visualise the lineage tree: vmtoolsd -> get-versions.sh -> <non-system path>

On Aria SDMP (credential-based)
- Inspect the temporary scripts and stdout/stderr artifacts under /tmp/VMware-SDMP-Scripts-{UUID}/ for traces showing execution of attacker-controlled paths

Policy/telemetry
- Alert when privileged collectors execute from non-system prefixes: ^/(tmp|home|var/tmp|dev/shm)/
- File-integrity monitoring on get-versions.sh and the VMware Tools plugins

## Mitigations

- Patch: apply the Broadcom/VMware updates for CVE-2025-41244 (Tools and Aria Operations SDMP)
- Disable or restrict credential-less discovery where feasible
- Validate trusted paths: restrict execution to allowlisted directories (/usr/sbin, /usr/bin, /sbin, /bin) and only to exact, known binaries
- Avoid permissive regexes containing \S; prefer anchored, explicit absolute paths and exact command names
- Drop privileges for discovery helpers where possible; sandbox them (seccomp/AppArmor) to reduce impact
- Monitor and alert on vmtoolsd/get-versions.sh executing non-system paths

## Notes for defenders and implementers

Safer matching and execution pattern
```bash
# Bad: permissive regex and blind exec
COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v

# Good: strict allowlist + path checks
candidate=$(get_command_line "$pid" | awk '{print $1}')
case "$candidate" in
    /usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
        "$candidate" -v 2>&1 ;;
    *)
        : # ignore non-allowlisted paths
        ;;
esac
```
## References

- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
- [Broadcom security advisory for CVE-2025-41244](https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36149)
- [open-vm-tools – serviceDiscovery/get-versions.sh (stable-13.0.0)](https://github.com/vmware/open-vm-tools/blob/stable-13.0.0/open-vm-tools/services/plugins/serviceDiscovery/get-versions.sh)
- [MITRE ATT&CK T1036.005 – Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005/)
- [CWE-426: Untrusted Search Path](https://cwe.mitre.org/data/definitions/426.html)

{{#include ../../banners/hacktricks-training.md}}
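Review bot: the sentence "executes the first argv token with a version flag" under "How VMware service discovery works" understates what the quoted `get_version()` does: `grep -Eo "$PATTERN"` returns the matching substring from anywhere in the command line and `${COMMAND%%[[:space:]]*}` keeps the first token of that match, so an attacker-controlled path matching e.g. `/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)` is executed even when it appears as an argument rather than as argv[0]; say "the first token of the regex match" there, and reword the hunting bullet that asks to check the `${COMMAND%%...}` expansion for spaces, since that expansion cuts at the first whitespace and can never contain any (what to look for is a match that is not the process's own argv[0], or any non-system prefix such as the `^/(tmp|home|var/tmp|dev/shm)/` rule already given). Two smaller points: the "Minimal demo" block holds only comments plus `cp`/`chmod`/run, so either include the helper source or state explicitly that the reader writes it; and the "Good" pattern under "Safer matching and execution pattern" still derives `candidate` from `awk '{print $1}'` of a command line the process controls through its own argv[0], so resolve the binary that is actually running with `readlink /proc/$pid/exe`, compare that against the allowlist, and execute the resolved path, which also gives the detection rules a field that cannot be spoofed by argv.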
@ -1,13 +1,26 @@
# VMware ESX / vCenter Pentesting

{{#include ../../banners/hacktricks-training.md}}

# Enumeration

## Enumeration
```bash
nmap -sV --script "http-vmware-path-vuln or vmware-version" -p <PORT> <IP>
msf> use auxiliary/scanner/vmware/esx_fingerprint
msf> use auxiliary/scanner/http/ms15_034_http_sys_memory_dump
```
# Bruteforce
## Bruteforce
```bash
msf> auxiliary/scanner/vmware/vmware_http_login
```
If you find valid credentials, you can use more metasploit scanner modules to obtain information.
If valid credentials are found, more metasploit scanner modules can be used to obtain information.

### See also

Linux LPE via VMware Tools service discovery (CWE-426 / CVE-2025-41244):

{{#ref}}
../../linux-hardening/privilege-escalation/vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
{{#endref}}

{{#include ../../banners/hacktricks-training.md}}
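Review bot: with the diff's add/remove markers not rendered, this hunk reads as if it leaves both a `#` heading and a `##` heading for the Enumeration section, both a `#` and a `##` heading for the Bruteforce section, and two wordings of the "If you find valid credentials" sentence; please confirm that only the `##` headings and a single copy of that sentence survive, since the new `###` "See also" subsection assumes the `##` level above it. Also, `msf> auxiliary/scanner/vmware/vmware_http_login` in the Bruteforce block lacks the `use` that the two `msf> use auxiliary/...` lines in the Enumeration block carry; make it `msf> use auxiliary/scanner/vmware/vmware_http_login` so the snippet can be pasted as-is.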