Open h00die opened 2 months ago
hmmmm, me likey the sound of this. See what I can find; no promises tho
Has anyone seen a POC or know what env variable is affected? I did some preliminary probing for the env var names, but didn't get far, tho I was using only simple methods like strings etc. I was too lazy at the time to actually disassemble the bin
@h00die, have you seen any details yet? I've looked, but not extensively, but haven't found anything yet. Diffing 13.6 and 13.6.1 might be telling, but also is probably full of unrelated changes.
I haven't seen anything pop up on my news feeds. Also looks like https://github.com/nomi-sec/PoC-in-GitHub hasn't picked up on anything at this point.
ok, I'll bust out some real tools, see what I can find
Summary
VMware Fusion (13.x before 13.6) contains a code-execution vulnerability due to the usage of an insecure environment variable. A malicious actor with standard user privileges may exploit this vulnerability to execute code in the context of the Fusion application.
Basic example
No PoCs have crossed my radar yet, but I didn't look hard: https://nvd.nist.gov/vuln/detail/CVE-2024-38811
Motivation
Not a lot of current exploits for OSX/macos, so one as easy as an `env` variable should be a quick win