CVE-2013-1662
published 2013-08-24
CVE-2013-1662: vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS…
Priority: P4 · 33 · medium · 6.9 (CVSS 2.0)
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 4.64% (90.6th percentile)
vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in a directory in the PATH, related to use of the popen library function.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| vmware | esxi | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | player | — | — |
| vmware | vmware_workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
| vmware | workstation | — | — |
VMware
VMware Workstation host privilege escalation vulnerability
vendor_vmware·2013-08-22·CVSS 4.3
CVE-2013-1661 [MEDIUM] VMware Workstation host privilege escalation vulnerability
VMSA-2013-0010: VMware Workstation host privilege escalation vulnerability
a. VMware mount privilege escalation

VMware Workstation and Player contain a vulnerability in the handling of the vmware-mount command. A local malicious user may exploit this vulnerability to escalate their privileges to root on the host OS. The issue is present when Workstation or Player are installed on a Debian-based version of Linux. The vulnerability does not allow for privilege escalation from the Guest Operating System to the host or vice-versa. This means that host memory cannot be manipulated from the Guest Operating System.
CVEs: CVE-2013-1661, CVE-2013-1662
Affected products: ESXi, VMware Workstation
GHSA
GHSA-xx33-73cr-ffp7: vmware-mount in VMware Workstation 8
ghsa_unreviewed·2022-05-17
CVE-2013-1662 [MEDIUM] GHSA-xx33-73cr-ffp7: vmware-mount in VMware Workstation 8
vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in a directory in the PATH, related to use of the popen library function.
No detection rules found.
Exploit-DB
VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)
exploitdb·2013-08-29
CVE-2013-1662 VMware - Setuid VMware-mount Unsafe popen(3) (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
class Metasploit4 'VMWare Setuid vmware-mount Unsafe popen(3)',
'Description' => %q{
VMWare Workstation (up to and including 9.0.2 build-1031769)
and Player have a setuid executable called vmware-mount that
invokes lsb_release in the PATH with popen(3). Since PATH is
user-controlled, and the default system shell on
Debian-derived distributions does not drop privs, we can put
an arbitrary payload in an
```
Exploit-DB
VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation
exploitdb·2013-08-22
CVE-2013-1662 VMware - Setuid VMware-mount Popen lsb_release Privilege Escalation
---
// Source: http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
On most modern Linux systems, /bin/sh is provided by bash, which detects that it's being invoked as sh, and attempts to mimic traditional sh. As everyone who works in security quickly learns, bash will drop privileges very early if uid != euid.
```c
if (running_setuid && privileged_mode == 0)
  disable_priv_mode ();
```
Where disable_priv_mode is defined as:
```c
void
disable_priv_mode ()
{
  setuid (current_user.uid);
  setgid (current_user.gid);
  current_user.euid = current_user.uid;
  current_user.egid = current_user.gid;
}
```
Non-Linux systems tend to use pdksh as /bin/sh, which also supports privmode since ve
Metasploit
VMWare Setuid vmware-mount Unsafe popen(3)
metasploit
VMWare Workstation (up to and including 9.0.2 build-1031769) and Player have a setuid executable called vmware-mount that invokes lsb_release in the PATH with popen(3). Since PATH is user-controlled, and the default system shell on Debian-derived distributions does not drop privs, we can put an arbitrary payload in an executable called lsb_release and have vmware-mount happily execute it as root for us.
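The defensive counterpart to the popen(3) pattern described above, as an added example that is not VMware's code or part of any indexed entry: a setuid program runs its helper by absolute path with fork/execve, a fixed environment, and the real uid/gid restored in the child, so neither the caller's PATH nor /bin/sh is involved. The name run_helper, the SAFE_ENV values and the /usr/bin/lsb_release location are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed fixed environment: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "LC_ALL=C", NULL };

/* Hypothetical helper: exec argv[0] as the real user; exit status or -1. */
int run_helper(char *const argv[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (!out || outlen == 0 || !argv || !argv[0] || argv[0][0] != '/')
        return -1;                        /* absolute path only: no PATH search */
    if (pipe(fds) != 0)
        return -1;
    pid = fork();
    if (pid == 0) {                       /* child: drop setuid privileges first */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0 ||
            dup2(fds[1], STDOUT_FILENO) < 0)
            _exit(126);
        close(fds[0]);
        execve(argv[0], argv, SAFE_ENV);  /* direct exec, no shell in between */
        _exit(127);
    }
    close(fds[1]);                        /* read loop is skipped if fork failed */
    while (pid > 0 && used < outlen - 1 &&
           (n = read(fds[0], out + used, outlen - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[256] = "";
    char *const argv[] = { "/usr/bin/lsb_release", "-sd", NULL }; /* assumed path */
    int rc = run_helper(argv, buf, sizeof buf);
    buf[strcspn(buf, "\n")] = '\0';
    printf("exit=%d output=\"%s\"\n", rc, buf);
    return rc == 0 ? 0 : 1;
}
```

If the helper genuinely needs root, the absolute path and fixed environment still apply; only the setgid/setuid calls would be omitted.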
No writeups or analysis indexed.