VMware Tools service discovery LPE (CWE-426) via regex-based binary discovery (CVE-2025-41244)


This technique abuses regex-driven service discovery pipelines that parse the command lines of running processes to identify service versions and then execute the candidate binary with a "version" flag. When permissive patterns accept untrusted, attacker-controlled paths (for example, /tmp/httpd), the privileged collector executes an arbitrary binary from an untrusted location, resulting in local privilege escalation. NVISO documented this in VMware Tools/Aria Operations Service Discovery as CVE-2025-41244.

  • Impact: Local privilege escalation to root (or to the privileged discovery account)
  • Root cause: Untrusted Search Path (CWE-426) plus permissive regex matching of process command lines
  • Affected: open-vm-tools/VMware Tools on Linux (credential-less discovery), VMware Aria Operations SDMP (credential-based discovery via Tools/proxy)

How VMware service discovery works (high level)

  • Credential-based (legacy): Aria executes discovery scripts inside the guest via VMware Tools using configured privileged credentials.
  • Credential-less (modern): Discovery logic runs within VMware Tools, already privileged in the guest.

Both modes ultimately run shell logic that looks for processes with listening sockets, extracts the matching command path via a regex, and executes the first argv token with a "version" flag.

Root cause and vulnerable pattern (open-vm-tools)

In open-vm-tools, the serviceDiscovery plugin script get-versions.sh matches candidate binaries with broad regular expressions and executes the first token without any trusted-path check:

```bash
get_version() {
    PATTERN=$1
    VERSION_OPTION=$2
    for p in $space_separated_pids
    do
        COMMAND=$(get_command_line $p | grep -Eo "$PATTERN")
        [ ! -z "$COMMAND" ] && echo VERSIONSTART "$p" "$("${COMMAND%%[[:space:]]*}" $VERSION_OPTION 2>&1)" VERSIONEND
    done
}
```

It is invoked with permissive patterns containing \S (any non-whitespace character), which readily match non-system paths in user-writable locations:

```bash
get_version "/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)" -v
get_version "/usr/(bin|sbin)/apache\S*" -v
get_version "/\S+/mysqld($|\s)" -V
get_version "\.?/\S*nginx($|\s)" -v
get_version "/\S+/srm/bin/vmware-dr($|\s)" --version
get_version "/\S+/dataserver($|\s)" -v
```
  • Extraction uses grep -Eo and takes the first token: ${COMMAND%%[[:space:]]*}
  • There is no allowlist of trusted system paths; any discovered listener whose name matches is executed with -v/--version

This creates an untrusted search path execution primitive: any binary placed in a world-writable directory (for example, /tmp/httpd) is executed by a privileged component.
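To make the width of these patterns concrete, here is an added example (not code from open-vm-tools or from NVISO's write-up) that replays the grep/first-token extraction step over a set of constructed command lines and lists which paths the collector would go on to execute. The sample command lines, the `would_execute*` helper names and the system-directory filter used to separate trusted from untrusted results are assumptions made for illustration; the five patterns are the ones quoted above.

```bash
#!/bin/sh
# Added example (not open-vm-tools code): replay the extraction step of
# get-versions.sh over constructed command lines to show which paths the
# permissive patterns would hand to the privileged collector for execution.

# Same patterns as the vulnerable script (single-quoted so $ and \ reach grep unchanged).
HTTPD_RE='/\S+/(httpd-prefork|httpd|httpd2-prefork)($|\s)'
APACHE_RE='/usr/(bin|sbin)/apache\S*'
MYSQLD_RE='/\S+/mysqld($|\s)'
NGINX_RE='\.?/\S*nginx($|\s)'
DATASERVER_RE='/\S+/dataserver($|\s)'

# Constructed sample command lines, one per "listening process", in the form
# get_command_line would return them. Three of them live in user-writable locations.
sample_cmdlines() {
  cat <<'EOF'
/usr/sbin/httpd -k start
/tmp/httpd
/home/alice/./nginx -g daemon off;
/usr/sbin/mysqld --basedir=/usr
/dev/shm/dataserver -c /dev/shm/cfg
/usr/bin/python3 -m http.server 8000
EOF
}

# Mirrors the vulnerable logic: grep the regex out of the command line, then keep
# everything up to the first whitespace. Prints the token that would be executed
# with the version flag, or nothing (status 1) if the pattern does not match.
extract_candidate() {  # $1 = pattern, $2 = command line
  COMMAND=$(printf '%s\n' "$2" | grep -Eo "$1" || true)
  [ -n "$COMMAND" ] && printf '%s\n' "${COMMAND%%[[:space:]]*}"
}

# Lists every path the collector would execute across all patterns.
would_execute() {
  sample_cmdlines | while IFS= read -r line; do
    for re in "$HTTPD_RE" "$APACHE_RE" "$MYSQLD_RE" "$NGINX_RE" "$DATASERVER_RE"; do
      extract_candidate "$re" "$line" || :
    done
  done
}

# Subset of would_execute outside /usr/sbin, /usr/bin, /sbin and /bin
# (the filter is an assumption; the patterns themselves make no such distinction).
would_execute_untrusted() {
  would_execute | grep -Ev '^/(usr/)?s?bin/' || true
}

would_execute
```

Run stand-alone it prints five paths, of which /tmp/httpd, /home/alice/./nginx and /dev/shm/dataserver sit in user-writable locations; the python3 listener is ignored only because no pattern names it, not because of where it lives.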

Exploitation (both credential-less and credential-based modes)

Preconditions

  • You can run an unprivileged process that opens a listening socket on the guest.
  • The discovery job is enabled and runs periodically (typically ~5 minutes).

Steps

  1. Place a binary at a path matching one of the permissive regexes, for example /tmp/httpd or ./nginx
  2. Run it as a low-privileged user and make sure it opens any listening socket
  3. Wait for the discovery cycle; the privileged collector will automatically execute /tmp/httpd -v (or equivalent), running your program as root

Minimal demo (using NVISO’s approach)

```bash
# Build any small helper that:
#  - default mode: opens a dummy TCP listener
#  - when called with -v/--version: performs the privileged action (e.g., connect to an abstract UNIX socket and spawn /bin/sh -i)
# Example staging and trigger
cp your_helper /tmp/httpd
chmod +x /tmp/httpd
/tmp/httpd          # run as low-priv user and wait for the cycle
# After the next cycle, expect a root shell or your privileged action
```

Typical process chain

  • Credential-based: /usr/bin/vmtoolsd -> /bin/sh /tmp/VMware-SDMP-Scripts-.../script_...sh -> /tmp/httpd -v -> /bin/sh -i
  • Credential-less: /bin/sh .../get-versions.sh -> /tmp/httpd -v -> /bin/sh -i

Indicators (credential-based): SDMP wrapper scripts found under /tmp/VMware-SDMP-Scripts-{UUID}/ may show direct execution of the rogue path:

```bash
/tmp/httpd -v >"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stdout" 2>"/tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}_0.stderr"
```

Generalizing the technique: regex-driven discovery abuse (portable pattern)

Many agents and monitoring suites implement version/service discovery by:

  • Enumerating processes that have listening sockets
  • Grepping argv/command lines with permissive regexes (e.g., patterns containing \S)
  • Running the discovered path with a harmless flag such as -v, --version, -V, -h

If the regex accepts untrusted paths and that path is then executed from a privileged context, you get CWE-426 Untrusted Search Path execution.

Abuse recipe

  • Name your binary after common daemons the regex is likely to match: httpd, nginx, mysqld, dataserver
  • Place it in a writable directory: /tmp/httpd, ./nginx
  • Make sure it matches the regex and opens any port so that it gets enumerated
  • Wait for the scheduled collector; you get an automatic privileged -v invocation

Note on masquerading: this aligns with MITRE ATT&CK T1036.005 (Match Legitimate Name or Location), increasing both the likelihood of a match and stealth.

Reusable privileged I/O relay pattern

  • Design your helper so that on the privileged invocation (-v/--version) it connects to a known rendezvous point (for example, a Linux abstract UNIX socket such as @cve) and bridges stdio to /bin/sh -i. This avoids on-disk artefacts and works in many environments where the same binary is re-executed with a flag.

Detection and DFIR guidance

Hunting queries

  • Unusual children of vmtoolsd or get-versions.sh such as /tmp/httpd, ./nginx, /tmp/mysqld
  • Any execution of non-system absolute paths by discovery scripts (watch for spaces in ${COMMAND%%...} expansions)
  • ps -ef --forest to view ancestry trees: vmtoolsd -> get-versions.sh ->

On Aria SDMP (credential-based)

  • Inspect /tmp/VMware-SDMP-Scripts-{UUID}/ for transient scripts and stdout/stderr artefacts that show execution of attacker-controlled paths

Policy/telemetry

  • Alert when privileged collectors execute from non-system prefixes: ^/(tmp|home|var/tmp|dev/shm)/
  • File integrity monitoring on get-versions.sh and VMware Tools plugins
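The following is an added example (not from NVISO or VMware) that turns the hunting queries and the non-system-prefix rule above into a check over a constructed `ps -eo pid,ppid,args` snapshot: it walks each process's ancestry looking for vmtoolsd or get-versions.sh and reports descendants whose executable was launched from a non-system or relative path. The process table, the PIDs and the /opt/example script location are constructed placeholders, not the real install path.

```bash
#!/bin/sh
# Added example (not from the original page): hunt for discovery children that
# were executed from non-system prefixes, using a constructed ps snapshot.

# Constructed snapshot in "ps -eo pid,ppid,args" layout. PIDs and the
# /opt/example script location are placeholders, not the real install path.
sample_ps() {
  cat <<'EOF'
  PID  PPID ARGS
  812     1 /usr/bin/vmtoolsd
 4410   812 /bin/sh /opt/example/get-versions.sh
 4421  4410 /usr/sbin/httpd -v
 4422  4410 /tmp/httpd -v
 4423  4410 ./nginx -v
 4430   812 /bin/sh /tmp/VMware-SDMP-Scripts-{UUID}/script_-{ID}.sh
 4431  4430 /tmp/httpd -v
 5001     1 /tmp/httpd
EOF
}

# The telemetry rule from the page applied to an executable path: true when the
# path starts with a non-system prefix, or is relative to the working directory.
is_nonsystem_prefix() {  # $1 = executable path (first argv token)
  printf '%s\n' "$1" | grep -Eq '^(/(tmp|home|var/tmp|dev/shm)/|\./)'
}

# Prints "pid args" for every process that (a) descends from vmtoolsd or
# get-versions.sh and (b) was launched from a non-system or relative path.
# The prefix test is keyed on the first argv token, so the SDMP wrapper itself
# (/bin/sh /tmp/VMware-SDMP-...) is not flagged, while the binary it spawns is.
suspicious_discovery_children() {
  sample_ps | awk '
    NR == 1 { next }                                  # header line
    {
      pid = $1; ppid = $2; exe = $3
      args = $3; for (i = 4; i <= NF; i++) args = args " " $i
      parent[pid] = ppid; exe_of[pid] = exe; args_of[pid] = args
      order[++n] = pid
    }
    END {
      for (k = 1; k <= n; k++) {
        p = order[k]; hit = 0
        # walk up the ancestry until a parent is no longer in the snapshot
        for (a = parent[p]; a in exe_of; a = parent[a]) {
          if (exe_of[a] ~ /vmtoolsd$/ || args_of[a] ~ /get-versions\.sh/) { hit = 1; break }
        }
        if (hit && exe_of[p] ~ /^(\/(tmp|home|var\/tmp|dev\/shm)\/|\.\/)/)
          print p, args_of[p]
      }
    }'
}

suspicious_discovery_children
```

On the sample snapshot this reports PIDs 4422, 4423 and 4431 and stays quiet on /usr/sbin/httpd -v, on the SDMP wrapper (whose executable is /bin/sh even though the script lives under /tmp), and on the attacker's own /tmp/httpd listener, which has no discovery ancestor and is a job for the ordinary process-creation telemetry rather than this rule.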

Mitigations

  • Patch: apply the Broadcom/VMware updates for CVE-2025-41244 (Tools and Aria Operations SDMP)
  • Disable or restrict credential-less discovery where feasible
  • Enforce trusted paths: restrict execution to allowlisted directories (/usr/sbin, /usr/bin, /sbin, /bin) and to well-known binaries only
  • Avoid regexes that allow \S; use anchored absolute paths and full command names
  • Reduce the privileges of discovery helpers where possible; sandbox them (seccomp/AppArmor) to limit impact
  • Audit and alert on vmtoolsd/get-versions.sh executing non-system paths

Notes for defenders and implementers

Secure matching and execution pattern

```bash
# Bad: permissive regex and blind exec
COMMAND=$(get_command_line "$pid" | grep -Eo "/\\S+/nginx(\$|\\s)")
[ -n "$COMMAND" ] && "${COMMAND%%[[:space:]]*}" -v

# Good: strict allowlist + path checks
candidate=$(get_command_line "$pid" | awk '{print $1}')
case "$candidate" in
    /usr/sbin/nginx|/usr/sbin/httpd|/usr/sbin/apache2)
        "$candidate" -v 2>&1 ;;
    *)
        : # ignore non-allowlisted paths
        ;;
esac
```
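The allowlist above stops the /tmp/httpd case, but a symlink in a trusted directory, or a trusted-looking file that is group- or world-writable, would still pass a plain string comparison. As an added example (not open-vm-tools or VMware code), the probe below goes one step further than the page's snippet: it rejects relative paths, resolves symlinks before consulting the allowlist, and requires the resolved file to be a regular file owned by the expected user and not writable by anyone else. `TRUSTED_DIRS`, `TRUSTED_NAMES`, `TRUSTED_OWNER` and the function names are assumptions; the owner variable exists only so the check can be exercised without root, and a production collector would hardcode root.

```bash
#!/bin/sh
# Added example (not open-vm-tools code): a hardened replacement for the
# version probe. It accepts only absolute paths that resolve into an allowlisted
# directory, carry an allowlisted name, and are root-owned, non-writable files.

# Allowlisted directories and daemon names (assumed values for illustration).
# TRUSTED_OWNER is overridable only so the check can be tested without root.
TRUSTED_DIRS=${TRUSTED_DIRS:-"/usr/sbin /usr/bin /sbin /bin"}
TRUSTED_NAMES="httpd httpd-prefork httpd2-prefork apache2 nginx mysqld"
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# Prints the resolved path and returns 0 if $1 is safe to execute; returns 1 otherwise.
trusted_binary() {
  candidate=$1
  case "$candidate" in
    /*) ;;                    # relative tokens such as ./nginx are rejected outright
    *) return 1 ;;
  esac
  # resolve symlinks first, so the allowlist is applied to the real target
  resolved=$(readlink -f "$candidate" 2>/dev/null) || return 1
  [ -n "$resolved" ] || return 1
  dir=${resolved%/*}; name=${resolved##*/}
  ok=1
  for d in $TRUSTED_DIRS; do [ "$dir" = "$d" ] && ok=0; done
  [ $ok -eq 0 ] || return 1
  ok=1
  for n in $TRUSTED_NAMES; do [ "$name" = "$n" ] && ok=0; done
  [ $ok -eq 0 ] || return 1
  # regular file, owned by the trusted user, not group- or world-writable
  [ -n "$(find "$resolved" -prune -type f -user "$TRUSTED_OWNER" \
             ! -perm -0002 ! -perm -0020 -print 2>/dev/null)" ] || return 1
  printf '%s\n' "$resolved"
}

# Drop-in for the exec step of get_version: take the first argv token, validate
# it, and only then run it with the version flag.
probe_version_safe() {  # $1 = full command line, $2 = version flag
  first=${1%%[[:space:]]*}
  bin=$(trusted_binary "$first") || return 1
  "$bin" "$2" 2>&1
}

# Stand-alone demo: all of these are rejected before anything is executed.
for cl in '/tmp/httpd -k start' './nginx -g daemon off;' '/dev/shm/dataserver'; do
  probe_version_safe "$cl" -v || printf 'rejected: %s\n' "$cl"
done
```

Note that the ownership and permission checks are applied to the resolved target, not to the path the process reported, so a root-owned symlink in /usr/sbin pointing at a user-writable file is still refused.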
