关联漏洞
标题:
VMware Tools和VMware Aria Operations 安全漏洞
(CVE-2025-41244)
描述:VMware Tools和VMware Aria Operations都是美国威睿(VMware)公司的产品。VMware Tools是一款VMWare虚拟机自带的增强工具,它是VMware提供的用于增强虚拟显卡和硬盘性能、以及同步虚拟机与主机时钟的驱动程序。VMware Aria Operations是一个统一的、人工智能驱动的自动驾驶 IT 运营管理平台,适用于私有云、混合云和多云环境。 VMware Tools和VMware Aria Operations存在安全漏洞,该漏洞源于本地非特权攻击者可利
描述
VMware Aria Operations < 4.18.5 & VMware Tools - Local Privilege Escalation
介绍
# CVE-2025-41244 PoC
VMware Aria Operations < 4.18.5 & VMware Tools - Local Privilege Escalation
## Background
*Please read the article listed in references to get a more comprehensive and verbose explanation of the vulnerability.*
TL;DR
A shell script within VMware Tools named `get-versions.sh` uses a broad-matching regex pattern (\S) to identify running processes with listening sockets. On matching processes, it executes the process with the respective version flag (-v, --version, etc.) to retrieve the running version of the service.
Excerpt from get-versions.sh (lines 18-26):
```bash
get_version() {
PATTERN=$1
VERSION_OPTION=$2
for p in $space_separated_pids
do
COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
[ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
done
}
```
Excerpt from get-versions.sh (lines 119-124):
```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
## Theory
The top line `/\S+/httpd($|\s)` is designed to match on the proper installation path, such as `/usr/bin/httpd`. However, if an unprivileged user creates a script in `/tmp/httpd`, a globally writable directory, and runs the process, as long as it has a listening socket (on any interface - even localhost), it will get executed in an elevated context by the VMware Tools script - achieving local privilege escalation. This could enable a malicious user to execute a reverse shell, create a root user, or ultimately any elevated action they choose.
# Proof of Concept
A golang script is executed to create a listening socket. When the `get-versions.sh` script matches the regex expression of `/tmp/[SERVICE]`, it will run the script in an elevated context. When the script is ran in an elevated context, instead of creating a listening socket, it will execute an arbitrary command (e.g., `/bin/bash -i`), obtaining privilege escalation.
# References
https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/
文件快照
[4.0K] /data/pocs/e5bc4e5701b06f47eaaad056ae27416a9a3d2029
├── [4.9K] CVE-2025-41244.go
├── [3.0K] CVE-2025-41244-original.go
├── [3.0K] CVE-2025-41244-w-comments.go
└── [2.2K] README.md
0 directories, 4 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。