Do you run VMware virtualization software with VMware Tools installed on Windows systems? Then there is probably a privilege escalation vulnerability that attackers can use to elevate their privileges. Addendum: The tweets announcing the bug have since been deleted and the blog post was set to private (invite only), but I had enough time to roughly sketch the vulnerability.
This was uncovered by SandboxEscaper, who has been responsible for disclosing various 0-day vulnerabilities in the past. However, I had expected this channel to go quiet because Microsoft hired SandboxEscaper (see my tweet of December 2, 2019).
— Günter Born (@etguenni) December 2, 2019
At the moment SandboxEscaper seems to be in a transition phase in which no non-disclosure agreements have yet been signed. And so she simply dropped the following tweet:
https://t.co/46rbaSDmOt Here is part one. Pretty sure the attack surface described has many more bugs (not just the vmware tools installer.. I doubt this bug is exploitable in the first place, just wanted something to demo that is unpatched, easier for folks to learn!)
— SandboxEscaper (@SandboxBear) December 16, 2019
According to the blog post, she has come across a new security issue in Windows. Windows keeps cached copies of installation packages in a hidden folder, C:\Windows\Installer. A .msi file in this folder can be handed to msiexec for a repair, and because the repair is carried out by the Windows Installer service, which runs with elevated (SYSTEM) privileges, the file operations it performs happen without any User Account Control prompt. In other words, the installer packages in this folder can be run with elevated privileges without UAC asking for consent.
SandboxEscaper has now found such a 0-day in VMware Tools. What is needed is a Windows 10 virtual machine with the VMware Tools installed. The command
msiexec /fa C:\Windows\Installer\368c0.msi
(the /fa switch forces a reinstall of all files; the name of the cached .msi file varies from system to system) triggers a repair of the VMware Tools installation. The repair rewrites a number of files in the ProgramData folder. SandboxEscaper writes that in some cases this folder is writable by users with standard permissions. For example, a standard user can create files in the VMware Tools scripts folder, but cannot change existing files.
In the blog post, she describes a tricky attack with a proof of concept in which a junction in the ProgramData folder is used to redirect the repair's write operations to a different folder. Because those writes are performed by the elevated installer, this creates a "wormhole" that can be used to manipulate files and extend permissions. I haven't looked into all the details, but if you are interested in the topic, you can find them in the blog post and in the discussions under the tweet.
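As an added practitioner's check (example code written for this edit, not from Günter Born's post or from SandboxEscaper's write-up), the following PowerShell covers the preconditions described above: it maps the cached packages in C:\Windows\Installer back to product names so you can see which one belongs to VMware Tools, lists the ProgramData\VMware directories in which standard users hold create or write rights, and flags any junctions already present there. It assumes the default ProgramData location and the registry layout Windows Installer uses for per-machine products; the product-name filter '*VMware Tools*' is an assumption.

```powershell
# Added example (not from the original post or from SandboxEscaper's write-up).
# Run in an elevated PowerShell on a Windows host with VMware Tools installed.

# 1. Map cached .msi files back to product names. Windows Installer records
#    the cached package path in InstallProperties\LocalPackage for each
#    per-machine (S-1-5-18) product.
$productsKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products'
$products = Get-ChildItem -Path $productsKey -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path (Join-Path $_.PSPath 'InstallProperties') -ErrorAction SilentlyContinue
    if ($p) {
        [pscustomobject]@{
            DisplayName  = $p.DisplayName
            LocalPackage = $p.LocalPackage   # e.g. C:\Windows\Installer\<hex>.msi, name varies
        }
    }
}
# Assumption: the product is registered with a display name containing "VMware Tools".
$products | Where-Object { $_.DisplayName -like '*VMware Tools*' } | Format-Table -AutoSize

# 2. Rights that let a standard user add content to a directory. Dropping a
#    file needs CreateFiles; planting a junction needs the right to create
#    (or rename/delete) a directory that then becomes the reparse point.
$interesting = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Write, Modify, FullControl'
$lowPrivSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'   # BUILTIN\Users, Authenticated Users, Everyone

$root = Join-Path $env:ProgramData 'VMware'            # assumption: default ProgramData layout
Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $dir = $_
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $interesting) -ne 0)) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
} | Format-Table -AutoSize

# 3. Existing junctions under ProgramData\VMware: either a component puts them
#    there legitimately, or someone has already redirected a folder.
Get-ChildItem -Path $root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Attributes -band [IO.FileAttributes]::ReparsePoint } |
    Select-Object FullName, LinkType, Target
```

Any row from step 2 where a low-privilege identity holds CreateFiles or CreateDirectories on a directory that the repair writes into is the condition the blog post relies on; a row from step 3 pointing outside ProgramData deserves a closer look, since the repair will follow the junction with the installer's elevated token.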