Exploit mitigation patch for Hashicorp vagrant-vmware-fusion 4.0.24

4 Aug 2017 12:15 | macOS | security

During recent months I have published two CVEs documenting root privilege escalation vulnerabilities in the Hashicorp vagrant-vmware-fusion plugin.

Version 4.0.24 is now released which addresses those bugs, but it still depends on an suid root binary being present in order for vagrant to communicate with VMWare.

The first time vagrant is invoked it will invoke osascript which opens a dialog prompting the user for their password in order to elevate itself to admin privileges. It then uses the elevated privilege to chmod +s a sudo wrapper script at a path similar to:

~/.vagrant.d/gems/2.3.4/gems/vagrant-vmware-fusion-4.0.24/bin/vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64

This binary then remains suid root and is used whenever vagrant needs to elevate privileges in order to communicate with VMWare.

I decided to investigate whether I could mitigate any potential other privilege escalation vectors by patching out the requirement for this suid binary to always be present on the system.

It turns out this is possible and today I am releasing a mitigation patch which adds an intermediate binary in the execution chain between vagrant and the sudo wrapper binary.

When vagrant is invoked it will chmod +s and then invoke this new binary rather than the actual sudo wrapper, which is renamed to:

vagrant_vmware_desktop_sudo_helper_wrapper_darwin_amd64.bin

When this binary is executed it detects whether it’s running with elevated privileges (ie is suid root). If it is then it calls chmod -s on itself and then passes the parameters on to the real sudo wrapper binary. If it’s called without root privileges then it invokes osascript to chmod +s itself, which is authenticated by the user with another password dialog. Once this is done it then re-invokes itself in order to elevate to root, then since it is now running with elevated privileges it calls chmod -s on itself and passes the arguments on to the real sudo wrapper.

The net result of this is that whenever vagrant needs elevated privileges the user will get a password prompt to confirm it. After each privileged execution the suid bit is removed from the intermediate wrapper binary so as not to leave the suid binary on the system. This is a slightly less great user experience as a simple “vagrant up” will result in two password prompts but I prefer this tradeoff rather than having the suid wrapper lying around suid root on the system.

The patch is available here:

https://github.com/m4rkw/vagrant-vmware-fusion-4024-patch

Use at your own risk!

all posts

[year]
2026
2025
2024
2023
2022
2021
2020
2019
2018
2017
2016
2015

[tag]
AWS
agile
apple
apple watch
aws
bash
cryptocurrency
development
email
exploits
iOS
iphone
linux
macOS
mining
mysql
php
ruby
scrum
security
synology
tailscale
touchID
vim
work

Mark Wadham

Exploit mitigation patch for Hashicorp vagrant-vmware-fusion 4.0.24

4 Aug 2017 12:15 | macOS | security