Resources
People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
C111000: Race Against The Virtual Machine or how a SUID binary in VMware Fusion was raced to gain root privileges on macOS
therealcoiffeurPosted 1 Month Ago- VMware Fusion is a widely deployed virtualization solution for macOS. The CLI utility
vmware-rawdiskCreatorhandles the creation of Virtual Machine Disks (VMDK) descriptors and is a setuid binary to root. They decided to review this binary for privilege escalation bugs. - First, they identified this target using create command takes a raw disk device, a partion number, a type and an output path. It creates a
<USER_DEFINED>-pt.vmdkand<USER_DEFINED>.vmdkfile. These are created within a temporary directory underneath theTMPDIRenvironment variable. When writing to this directory, it checks the ownership before writing. - There are 7 operations that occur on the file system. The final destinations had
O_NOFOLLOWbut the temporary ones did not. The files are created withrootpermissions, which is a powerful primitive. The goal is to create a symlimk to/etc/ssh/sshd_config.dwith a user controlled file that ends inpt.vmdk. - The time of check time of use issue occurs because of the difference in validation vs. usage. The binary performs the directory creation and file creation as separate operations. If an attacker can substitute the directory as a symlink, they can control the file that the
open()will use later. To make the race window bigger, they had to pad the path to include large amounts of folders and symlinks. They also added CPU pressure and theSIGSTOPto hit particular race window points. - What's the target for this? They tried the sudo configuration files but this didn't work because of file name filtering. Luckily for them,
sshd_config.ddidn't do this same filtering. In the SSH config, they configured SSH to log in as the root user and to execute an attacker's bash script. - Overall, a great article on the exploitation of a race condition and the discovery of the initial vulnerability. It's worth noting that they were invited to the private bug bounty program but declined to join due to the associated NDA.
