Greetings everyone! Today, we're going to discuss a critical security vulnerability found in open-vm-tools version 2009.03.18-154848, which was assigned CVE-2009-1142. This vulnerability allows local users to gain root privileges on the system by exploiting a symlink attack on /tmp files, in cases where the "vmware-user-suid-wrapper" binary has the setuid root property and the ChmodChownDirectory function is enabled. This post will provide a detailed analysis of the vulnerability and also provide links to original references and code snippets to better understand the issue.

Background

Open-vm-tools is an open-source implementation of VMware Tools, a set of utilities designed to enhance the performance and manageability of virtual machines running on VMware platforms. The vulnerability in question (CVE-2009-1142) was discovered soon after the release of the 2009.03.18-154848 version of open-vm-tools. This specific version had a critical security flaw that could be exploited by a local user with a symlink attack on the /tmp directory to gain unauthorized privileges on the system.

Vulnerability Details

CVE-2009-1142 involves a potential privilege escalation due to an insecure use of /tmp files when the "vmware-user-suid-wrapper" is set as setuid root and the ChmodChownDirectory function is enabled. In this situation, a local attacker can create a symlink to a target file before making a call to vmware-user-suid-wrapper, then cause a race condition between the ChmodChownDirectory call and unlink calls.

Code Snippet

The ChmodChownDirectory function in question can be found in the following code snippet, extracted from the vulnerable version of open-vm-tools:

gboolean
ChmodChownDirectory(const gchar *dataDir)
{
   /* The only validation performed: reject a NULL path. Nothing checks
      that dataDir is a real directory rather than a symlink that another
      user planted under /tmp before this function runs. */
   if (!dataDir) {
      return FALSE;
   }

   /* The path is handed to a shell as a string. /bin/chmod and /bin/chown
      both follow symbolic links, so they act on whatever dataDir points at.
      (The g_strdup_printf() results are also never freed.) */
   if (Posix_Shell("%s /bin/chmod 1777 \"%s\" && /bin/chown %d:%d \"%s\"",
                   g_strdup_printf("'%s'", BASH_PATH),
                   g_strdup_printf("'%s'", dataDir),
                   getuid(), getgid(), g_strdup_printf("'%s'", dataDir)) ==
       NULL) {
      return FALSE;
   }

   return TRUE;
}

This function takes a string as the path of the directory, which in our case is a directory under /tmp. The only check it performs is that the input is not NULL; it does not verify that the path is a real directory rather than a symbolic link. It then changes the directory's mode to 1777 (readable, writable and executable by every user, with the sticky bit set) and changes its ownership to the calling process's real user and group ID, which in a setuid-root binary is the user who invoked it.

Concretely, the following shell command is executed (the two programs are chained with &&, so chown runs only if chmod succeeds):

/bin/chmod 1777 "<dataDir>" && /bin/chown <uid>:<gid> "<dataDir>"

This command first sets the directory to mode 1777 and then changes its ownership to the invoking user and group. Because both chmod and chown follow symbolic links, if dataDir names a symlink the mode and ownership changes are applied to whatever file the link points at, not to the link itself.

To exploit this vulnerability, an attacker can perform the following steps:

1. Identify a target file (e.g., /etc/shadow) to which unauthorized write access is desired.
2. Create a symlink to the target file using the ln -s command (e.g., ln -s /etc/shadow /tmp/target).
3. Invoke the vulnerable vmware-user-suid-wrapper binary in such a way that the ChmodChownDirectory call changes the permissions and ownership of the symlinked target file (e.g., /etc/shadow), resulting in unauthorized write access.

Original References

- CVE-2009-1142 Information
- VMware Security Advisory (VMSA-2009-0005)

Conclusion

In conclusion, CVE-2009-1142 highlights the dangers of insecure /tmp file handling and race conditions in setuid-root applications. The issue was fixed in the next release of open-vm-tools, and users are urged to ensure that they are running an updated and secure version of the software. Additionally, security best practices include always running software with the least necessary privileges and diligently monitoring security advisories and patches to mitigate potential vulnerabilities in the software.

Timeline

Published on: 11/23/2022 18:15:00 UTC
Last modified on: 11/28/2022 18:33:00 UTC