{"id":12374,"date":"2019-12-18T01:02:08","date_gmt":"2019-12-18T00:02:08","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=12374"},"modified":"2021-07-18T22:45:39","modified_gmt":"2021-07-18T20:45:39","slug":"privilege-escalation-bug-in-vmware","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2019\/12\/18\/privilege-escalation-bug-in-vmware\/","title":{"rendered":"Privilege-Escalation-Bug in VMWare"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2019\/12\/17\/privilege-escalation-bug-in-vmware\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Do you run VMware virtualization software with VMware Tools installed on Windows systems? Then there is probably a privilege escalation vulnerability that attackers can use to elevate their privileges. <strong>Addendum:<\/strong> The tweets announcing the bug have now been deleted and the blog post was set to private, invite only &#8211; but I had enough time to roughly sketch the vulnerability.<\/p>\n<p><!--more--><\/p>\n<p>This was uncovered by Sandboxescaper, who has been responsible for exposing various 0-day vulnerabilities in the past. However, I had expected this channel to dry up, because Microsoft hired Sandboxescaper (see my tweet of December 2, 2019).<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"de\">So, no more 0-day exploits from\u00a0 <a href=\"https:\/\/twitter.com\/hashtag\/SandboxEscaper?src=hash&amp;ref_src=twsrc%5Etfw\">#SandboxEscaper<\/a> \u2013 who has been hired by Microsoft. 
<a href=\"https:\/\/t.co\/QShyBugdd7\">https:\/\/t.co\/QShyBugdd7<\/a><\/p>\n<p>\u2014 G\u00fcnter Born (@etguenni) <a href=\"https:\/\/twitter.com\/etguenni\/status\/1201597602309058560?ref_src=twsrc%5Etfw\">December 2, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>At the moment Sandboxescaper seems to be in a transition phase where no non-disclosure agreements have yet been signed. So she just dropped the following tweet:<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\"><a href=\"https:\/\/t.co\/46rbaSDmOt\">https:\/\/t.co\/46rbaSDmOt<\/a> Here is part one. Pretty sure the attack surface described has many more bugs (not just the vmware tools installer.. I doubt this bug is exploitable in the first place, just wanted something to demo that is unpatched, easier for folks to learn!)<\/p>\n<p>\u2014 SandboxEscaper (@SandboxBear) <a href=\"https:\/\/twitter.com\/SandboxBear\/status\/1206649213133697025?ref_src=twsrc%5Etfw\">December 16, 2019<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>According to the <a href=\"https:\/\/web.archive.org\/web\/20200920150000\/http:\/\/sandboxescaper.blogspot.com\/2019\/12\/chasing-polar-bears-part-one.html\" target=\"_blank\" rel=\"noopener noreferrer\">blog post<\/a>, she encountered a new security issue under Windows. There is a hidden folder called <em>Installer<\/em>, and an .msi installer file in this folder was found to run with elevated privileges without prompting User Account Control. This means that installer files in this folder can be run with elevated privileges without a User Account Control prompt.<\/p>\n<p>Sandboxescaper has now discovered a 0-day vulnerability in VMware. What is needed is a Windows 10 virtual machine in which the VMware Tools are installed. 
Via a command such as:<\/p>\n<p>c:\\Windows\\installer \/fa 368c0.msi<\/p>\n<p>(where the name of the .msi file varies), a repair of the VMware Tools installation can be triggered. This manipulates a number of files in the <em>ProgramData<\/em> folder. Sandboxescaper writes that in some cases this folder can be written to by users with standard permissions. For example, a user can create files in the VMware Script folder, but cannot change existing files.<\/p>\n<p>Within <a href=\"https:\/\/web.archive.org\/web\/20200920150000\/http:\/\/sandboxescaper.blogspot.com\/2019\/12\/chasing-polar-bears-part-one.html\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a>, she describes a tricky attack with a proof of concept, in which a junction in the <em>ProgramData<\/em> folder is used to redirect write operations to a separate folder. This creates a \"wormhole\" that can be abused to manipulate permissions and escalate privileges. I haven't looked into all the details, but if you are interested in the topic, you can find them in the <a href=\"https:\/\/web.archive.org\/web\/20200920150000\/http:\/\/sandboxescaper.blogspot.com\/2019\/12\/chasing-polar-bears-part-one.html\" target=\"_blank\" rel=\"noopener noreferrer\">blog post<\/a> and in the discussion around <a href=\"https:\/\/twitter.com\/SandboxBear\/status\/1206649213133697025\" target=\"_blank\" rel=\"noopener noreferrer\">this tweet<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Do you run VMware virtualization software with VMware Tools installed on Windows systems? Then there is probably a privilege escalation vulnerability that attackers can use to elevate their privileges. 
Addendum: The tweets announcing the bug were deleted now and the &hellip; <a href=\"https:\/\/borncity.com\/win\/2019\/12\/18\/privilege-escalation-bug-in-vmware\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1218],"tags":[69,1710],"class_list":["post-12374","post","type-post","status-publish","format-standard","hentry","category-security","category-virtualization","tag-security","tag-vmware"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12374","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=12374"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/12374\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=12374"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=12374"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=12374"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}