The Guest Who Could: Exploiting LPE in VMware Tools

VMWare Tools provides a rich set of drivers and services that enhance manageability of virtual machines and enable guest-host communication. While the host-to-guest RPC mechanisms have long been attractive targets for vulnerability research due to their potential for VM escapes, the other components – especially guest-only services – are often overlooked. One such component is the VMware Guest Authentication Service, also known as the VMware Alias Manager and Ticket Service, or simply VGAuth. It ships with the default VMware Tools installation and is present on most guest VMs (both Windows and *nix) in ESXi-managed environments. This article details a set of vulnerabilities we discovered in the Windows implementation of this service, as found in VMware Tools 12.5.0 (build 24276846).


Daemon Ex Plist: LPE via macOS Daemons

Introduction

In this article we look at a mechanism that is poorly documented online and show how a defect in it can be used to exploit a local privilege escalation (LPE) vulnerability.

The mechanism in question is the macOS-specific startup process for background services, known as Agents and Daemons (launchd jobs defined by property-list files). We will examine how these services are loaded, how they run, and the subtleties that matter from a privilege-escalation standpoint.
