metasploit-framework

VMware Fusion (13.x before 13.6) priv esc (CVE-2024-38811)

Open h00die opened this issue 1 year ago • 2 comments

Summary

VMware Fusion (13.x before 13.6) contains a code-execution vulnerability due to the usage of an insecure environment variable. A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application.

Basic example

No PoCs have crossed my radar yet, but I didn't look hard: https://nvd.nist.gov/vuln/detail/CVE-2024-38811

Motivation

Not a lot of current exploits for OSX/macOS, so one as easy as an env variable should be a quick win.

h00die avatar Sep 04 '24 20:09 h00die

hmmmm, me likey the sound of this. See what I can find; no promises tho

kernelsmith avatar Sep 16 '24 17:09 kernelsmith

Has anyone seen a PoC or know what env variable is affected? I did some preliminary probing for the env var names, but didn't get far, though I was using only simple methods like strings etc. I was too lazy at the time to actually disassemble the bin.

kernelsmith avatar Oct 04 '24 16:10 kernelsmith

@h00die, have you seen any details yet? I've looked, though not extensively, but haven't found anything yet. Diffing 13.6 and 13.6.1 might be telling, but is also probably full of unrelated changes.

kernelsmith avatar Oct 29 '24 15:10 kernelsmith
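The two comments above describe a first-pass approach: pull strings out of the Fusion binary and look for things shaped like environment-variable names, then diff the candidates between two builds to see what the fix touched. The script below is an added example of that approach written for this page; it is not code from the issue thread or from Metasploit. It uses `tr`/`grep` as a portable stand-in for `strings -a`, and every file and name it processes is constructed inline (the `VMWARE_DEMO_*` names are hypothetical and are not the variable behind CVE-2024-38811).

```shell
#!/bin/sh
# Added example, not code from the issue thread or from Metasploit: a crude
# "strings and grep" hunt for candidate environment-variable names, plus a
# diff of candidates between two builds. Every file and name below is
# constructed for the demo; none of them is the variable behind CVE-2024-38811.
set -eu
export LC_ALL=C   # byte-wise, locale-independent tr/grep/sort/comm

# Pull printable runs out of a binary (portable stand-in for `strings -a`) and
# keep only tokens shaped like environment-variable names: upper case, digits
# and underscores, four characters or longer. Output is sorted and unique so
# it can be fed straight to comm(1).
env_candidates() {
    tr -c '[:print:]' '\n' < "$1" \
        | grep -E '^[A-Z][A-Z0-9_]{3,}$' \
        | sort -u
}

# Candidate names present only in the second (newer) build.
candidates_added() {
    _old=$(mktemp); _new=$(mktemp)
    env_candidates "$1" > "$_old"
    env_candidates "$2" > "$_new"
    comm -13 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Candidate names present only in the first (older) build. A fix that stops
# honouring a variable, or renames it, tends to show up here.
candidates_removed() {
    _old=$(mktemp); _new=$(mktemp)
    env_candidates "$1" > "$_old"
    env_candidates "$2" > "$_new"
    comm -23 "$_old" "$_new"
    rm -f "$_old" "$_new"
}

# Constructed sample "binaries": the Mach-O 64-bit magic (cf fa ed fe), a few
# NUL-separated names, and trailing junk. The VMWARE_DEMO_* names are made up.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
OLD_BIN="$WORKDIR/fusion-old.bin"
NEW_BIN="$WORKDIR/fusion-new.bin"
printf '\317\372\355\376\001\000PATH\000HOME\000VMWARE_DEMO_LIBPATH\000getenv\000\377' > "$OLD_BIN"
printf '\317\372\355\376\001\000PATH\000HOME\000VMWARE_DEMO_LIBPATH_SAFE\000getenv\000\377' > "$NEW_BIN"

# Worked run on the constructed samples.
echo "candidates in old build:"; env_candidates "$OLD_BIN"
echo "only in old build:";       candidates_removed "$OLD_BIN" "$NEW_BIN"
echo "only in new build:";       candidates_added "$OLD_BIN" "$NEW_BIN"
```

Point it at two real builds with `candidates_removed /path/to/old/vmware-vmx /path/to/new/vmware-vmx` and the output is a short list to triage by hand. The name filter is a heuristic: nothing forces an environment variable to be upper case, and a name built at runtime never appears as a literal, so a short or empty list is a reason to open the binary in a disassembler and chase cross-references to getenv-family calls rather than a reason to stop.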

I haven't seen anything pop up on my news feeds. Also looks like https://github.com/nomi-sec/PoC-in-GitHub hasn't picked up on anything at this point.

h00die avatar Oct 29 '24 15:10 h00die

> I haven't seen anything pop up on my news feeds. Also looks like https://github.com/nomi-sec/PoC-in-GitHub hasn't picked up on anything at this point.

ok, I'll bust out some real tools, see what I can find

kernelsmith avatar Oct 29 '24 16:10 kernelsmith