Privilege-Escalation-Bug in VMWare

Do you run VMware virtualization software with VMware Tools installed on Windows systems? Then there is probably a privilege escalation vulnerability that attackers can use to increase their privileges. Addendum: The tweets announcing the bug have since been deleted and the blog post was set to private (invite only), but I had enough time to roughly sketch the vulnerability.


This was uncovered by Sandboxescaper, who has been responsible for exposing various 0-day vulnerabilities in the past. However, I had expected this channel to go quiet because Microsoft hired Sandboxescaper (see my tweet of December 2, 2019).

At the moment Sandboxescaper seems to be in a transition phase in which no non-disclosure agreements have been signed yet. And so she just dropped the following tweet:

According to the blog post, she encountered a new security issue under Windows. There is a hidden folder called Installer, and a .msi installer file was discovered in this folder that can run with elevated privileges without prompting User Account Control. This means that installer files in this folder can be run with elevated privileges without a User Account Control prompt.


Sandboxescaper has now discovered a 0-day vulnerability in VMware. What is needed is a Windows 10 virtual machine in which the VMware Tools are installed. Via a command such as:

c:\Windows\installer /fa 368c0.msi

(where the name of the .msi file varies) a repair of the VMware Tools installation can be triggered. This will manipulate a number of files in the ProgramData folder. Sandboxescaper writes that in some cases this folder can be written to by users with standard permissions. For example, a user can create files in the VMware Script folder, but cannot change existing files.

In this blog post, she describes a tricky attack with a proof of concept, in which a junction in the ProgramData folder is used to redirect the write operations to a separate folder. This creates a wormhole that can be used to manipulate and extend permissions. I haven't looked into all the details, but if you are interested in the topic, you can find details in the blog post and discussions about this tweet.
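A defensive check for the two preconditions the post names (a ProgramData directory that standard users can write to, and a junction placed inside it), as an added example that is not from the original post or from VMware: it walks C:\ProgramData and reports directories that grant create/write rights to Users, Everyone or Authenticated Users, plus any reparse points (junctions or symlinks). The root path and the SIDs are standard Windows values; the script itself is my own assumption about how to audit this.

```powershell
# Added audit script, not from the original post or from VMware. Assumes Windows
# PowerShell 5.1 or later; run from an elevated prompt so every ACL is readable.
$root = 'C:\ProgramData'   # standard ProgramData location
$rights = [System.Security.AccessControl.FileSystemRights]
# Rights that let a principal drop new files/directories (the "can create but not
# change existing files" situation the post describes).
$writeMask = $rights::CreateFiles -bor $rights::CreateDirectories
# Well-known SIDs: BUILTIN\Users, Everyone, Authenticated Users
$lowPrivSids = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-11')

function Get-ProgramDataFindings {
    param([string]$Path = $root)
    Get-ChildItem -LiteralPath $Path -Directory -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $dir = $_
        # A reparse point inside a tree that an elevated MSI repair writes to is
        # exactly the redirection primitive described above, so report every one.
        if ($dir.Attributes -band [IO.FileAttributes]::ReparsePoint) {
            [pscustomobject]@{ Path = $dir.FullName; Finding = 'ReparsePoint'; Detail = $dir.Target }
        }
        try { $acl = Get-Acl -LiteralPath $dir.FullName } catch { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable (orphaned) account: skip
            if (($lowPrivSids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path    = $dir.FullName
                    Finding = 'LowPrivWrite'
                    Detail  = "$($ace.IdentityReference) : $($ace.FileSystemRights)"
                }
            }
        }
    }
}

# Any VMware entry with Finding = LowPrivWrite, or any ReparsePoint under ProgramData
# that you did not create yourself, deserves a closer look.
Get-ProgramDataFindings | Format-Table -AutoSize
```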

