Description
If the vmwgfx driver fails to copy the 'fence_rep' object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a free'd 'file' object.
We use this bug to overwrite a SUID binary with our payload and gain root. Linux kernel 4.14 - 5.16.x are vulnerable.
Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.
Module options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/linux/local/vmwgfx_fd_priv_escmsf undefined(vmwgfx_fd_priv_esc) > show actions ...actions...msf undefined(vmwgfx_fd_priv_esc) > set ACTION < action-name >msf undefined(vmwgfx_fd_priv_esc) > show options ...show and set options...msf undefined(vmwgfx_fd_priv_esc) > runPrioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub