CVE-2017-4915

Published: 22/05/2017 Updated: 13/08/2017
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 766
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine.

Affected Products

Vendor | Product | Versions
VMware | Workstation Player | 12.0.0
VMware | Workstation Pro | 12.0.0

Vendor Advisories

VMware Workstation Pro/Player contains an insecure library loading vulnerability via ALSA sound driver configuration files. Successful exploitation of this issue may allow unprivileged host users to escalate their privileges to root in a Linux host machine. VMware would like to thank Jann Horn of Google Project Zero for reporting this iss ...

Exploits

/* Source: bugs.chromium.org/p/project-zero/issues/detail?id=1142
This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one a ...

#!/bin/bash
################################################################################
# VMware Workstation Local Privilege Escalation exploit (CVE-2017-4915)        #
# - www.vmware.com/security/advisories/VMSA-2017-0009.html                     #
# - www.exploit-db.com/exploits/42045/                                         #
# ...

Mailing Lists

This vulnerability permits an unprivileged user on a Linux machine on which VMWare Workstation is installed to gain root privileges. The issue is that, for VMs with audio, the privileged VM host process loads libasound, which parses ALSA configuration files, including one at ~/.asoundrc. libasound is not designed to run in a setuid context and deli ...

Metasploit Modules

VMware Workstation ALSA Config File Local Privilege Escalation

This module exploits a vulnerability in VMware Workstation Pro and Player on Linux which allows users to escalate their privileges by using an ALSA configuration file to load and execute a shared object as root when launching a virtual machine with an attached sound card. This module has been tested successfully on VMware Player version 12.5.0 on Debian Linux 8 Jessie.

msf > use exploit/linux/local/vmware_alsa_config
msf exploit(vmware_alsa_config) > show targets
    ...targets...
msf exploit(vmware_alsa_config) > set TARGET <target-id>
msf exploit(vmware_alsa_config) > show options
    ...show and set options...
msf exploit(vmware_alsa_config) > exploit

Github Repositories

Local Exploits: Various local exploits. CVE-2019-12181: Local root exploit for Serv-U FTP Server versions prior to 15.1.7. Bash variant of Guy Levin's Serv-U FTP Server exploit (2019-06-13) for CVE-2019-12181. A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux. CVE-2017-5899: S-nail local root exploit. Wrapper for @wapiflapi's s-nail

Awesome CVE PoC: A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

CVE-Study

CVE id | CVSS | Type
CVE-2017-12762 | 10.0 | BOF
CVE-2017-0561 | 10.0 | -
CVE-2017-11176 | 10.0 | UAF
CVE-2017-8890 | 10.0 |
CVE-2017-7895 | 10.0 |
CVE-2017-3106 | 9.3 |
CVE-2017-3064 | 9.3 |
CVE-2017-0430 | 9.3 |
CVE-2017-0429 | 9.3 |
CVE-2017-0428 | 9.3 |
CVE-2017-0427 | 9.3 |
CVE-2017-0528 | 9.3 |
CVE-2017-0510 | 9.3 |
CVE-2017-0508 | 9.3 |
CVE-2017-0507 | 9.3 |
CVE-2017-0455 | 9.3 |

Recent Articles

VMware Patches Multiple Security Issues in Workstation
Threatpost • Chris Brook • 19 May 2017

VMware fixed two bugs in its VMware Workstation late Thursday night, including an insecure library loading vulnerability and a NULL pointer dereference vulnerability.
The virtualization software company warned of the issues Thursday night in a security advisory VMSA-2017-0009.
Jann Horn, a security researcher for Google Project Zero who’s previously uncovered bugs in Xen’s hypervisor and the Linux kernel, found the library loading vulnerability in VMware’s Workstation Pro/Playe...