In September 2023, a new vulnerability tracked as CVE-2023-34059 was disclosed in open-vm-tools, a suite of utilities for enhancing the performance and management of virtual machines running on VMware platforms. The issue lies in its vmware-user-suid-wrapper helper, which contains a file descriptor hijack vulnerability that may allow a non-root user to control /dev/uinput. By exploiting this, an attacker can simulate keyboard and mouse input on the system—a dangerous avenue for privilege escalation and lateral movement in shared systems.

This analysis unpacks CVE-2023-34059: how it works, how attackers exploit it, and what you can do about it, in plain language with code examples.

What Is open-vm-tools and vmware-user-suid-wrapper?

open-vm-tools is an open-source virtualization optimization toolkit for VMware environments, commonly pre-installed on Linux guest OSes. One component, vmware-user-suid-wrapper, is a setuid-root program (it starts with root privileges) meant to perform certain privileged operations on behalf of regular users for VMware Tools.

The Vulnerability—What Is a File Descriptor Hijack?

A file descriptor is a number that uniquely identifies an open file in a Unix/Linux process. If a privileged process interacts with a file descriptor it thinks is safe (like /dev/uinput), but the attacker can trick it into using a malicious one instead, this is called file descriptor hijacking.

If, for example, a process opens /dev/uinput and exposes it to less privileged code, attackers might inject fake input events (keyboard, mouse) into the system, potentially bypassing access controls or executing arbitrary actions.

Vulnerable Code Snippet (Simplified)

Below is a simplified version inspired by older versions of the actual vulnerable code in vmware-user-suid-wrapper. The vulnerability lies in not safely checking ownership or freshness of file descriptors.

#include <fcntl.h>
#include <linux/input.h>   /* struct input_event */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

// Vulnerable function: opens /dev/uinput as root and exposes the fd.
// open() returns the lowest free descriptor, so if the caller closed
// fd 0, 1 or 2 before exec, the root-opened device lands on that number.
static void vulnerable_open_uinput(const struct input_event *ev)
{
    int uinput_fd = open("/dev/uinput", O_WRONLY | O_NONBLOCK);
    if (uinput_fd < 0) {
        perror("open");
        exit(1);
    }

    // If an attacker managed to close or replace FD 0/1/2 (stdin/stdout/stderr) before this,
    // or if the fd is inherited by a less privileged child, it can be manipulated.
    write(uinput_fd, ev, sizeof(*ev));
    //...
    close(uinput_fd);
}

The problem arises when an unprivileged user launches the setuid wrapper with manipulated file descriptors (or a symlink trick) in place before the root code runs, so that when the root code opens /dev/uinput, the resulting descriptor is not under its exclusive control.

How an Attack Looks—Real World Exploit Flow

1. Attacker prepares a malicious environment: Before the SUID binary launches, the attacker closes their own file descriptors or arranges for FD 0, 1, 2 to point to /dev/uinput or something malicious.
2. Launches vmware-user-suid-wrapper: The SUID binary, running as root, opens /dev/uinput. If the file descriptors were already tampered with, this can grant the attacker a handle to simulate trusted user input!
3. Simulates input events: The attacker can now send fake keyboard/mouse events, for example to unlock a screen, run commands, etc.

Minimal Proof-of-Concept (PoC) Exploit

Attackers can use something as simple as below, crafting their own FD redirection.

# Close stdin/out/err and reopen as /dev/uinput before running the SUID wrapper
exec </dev/null
exec 1>/dev/null
exec 2>/dev/uinput
/path/to/vmware-user-suid-wrapper
# After the wrapper runs, attacker tries writing simulated events into the now-root-opened /dev/uinput

With a bit more work, an attacker can write input event structures to /dev/uinput—essentially simulating any mouse or keyboard action as root.

Real Impact—Why Is This Dangerous?

- Bypass Screensaver: An attacker can simulate keystrokes to unlock a user session or stop a screensaver.

- Execute Commands: Well-placed keystrokes can run terminal commands or open applications.

- Privilege Escalation: Get control over user input as root, possibly leading to executing root-only operations.

How to Fix

- Update open-vm-tools: The patched release checks and secures file descriptors properly.

Learn More

- Original CVE Record: NIST NVD CVE-2023-34059
- VMware Advisory: VMSA-2023-0022
- GitHub Patch Diff: github.com/vmware/open-vm-tools/commit

Conclusion

CVE-2023-34059 shows how a simple oversight in handling file descriptors in a setuid-root helper can allow input simulation attacks by regular users. In today's cloud and multi-user environments, such a bug can undermine the trust boundary between user and root—never underestimate the power and dangers of device files. Update your systems now—don't let your VMs be quietly controlled behind your back!


*This analysis is exclusive to you—if you have open-vm-tools installed, make sure to update right away!*

Timeline

Published on: 10/27/2023 05:15:39 UTC
Last modified on: 11/27/2023 12:15:07 UTC