CVE-2013-1662

VMware Workstation 8.x-9.x and Player 4.x-5.x - Privilege Escalation via PATH lsb_release Hijacking

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2013-1662. PoCs published by Metasploit, Tavis Ormandy, Tavis Ormandy, egypt, including Metasploit module exploits/linux/local/vmware_mount.

AI-analyzed exploit summary This Metasploit module exploits a privilege escalation vulnerability in VMWare Workstation/Player (up to 9.0.2) by leveraging a setuid binary (vmware-mount) that executes lsb_release via popen(3) without sanitizing the PATH. The exploit writes a malicious lsb_release executable to the current directory and manipulates PATH to achieve root execution.

Description

vmware-mount in VMware Workstation 8.x and 9.x and VMware Player 4.x and 5.x, on systems based on Debian GNU/Linux, allows host OS users to gain host OS privileges via a crafted lsb_release binary in a directory in the PATH, related to use of the popen library function.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubylocallinux
https://www.exploit-db.com/exploits/27938

This Metasploit module exploits a privilege escalation vulnerability in VMWare Workstation/Player (up to 9.0.2) by leveraging a setuid binary (vmware-mount) that executes lsb_release via popen(3) without sanitizing the PATH. The exploit writes a malicious lsb_release executable to the current directory and manipulates PATH to achieve root execution.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: VMWare Workstation/Player (up to 9.0.2 build-1031769)
No auth needed
Prerequisites: VMWare Workstation/Player installed · vmware-mount binary must be setuid root · User must have write access to a directory in PATH
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WRITEUP VERIFIED
by Tavis Ormandy · textlocallinux
https://www.exploit-db.com/exploits/40169

The writeup discusses a privilege escalation vulnerability (CVE-2013-1662) in Debian/Ubuntu systems due to the lack of privilege-dropping behavior in dash (used as /bin/sh) compared to bash. It highlights how this can be exploited in setuid programs like VMware utilities to gain root access.

Classification
Writeup 90%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: Debian/Ubuntu systems with VMware utilities
No auth needed
Prerequisites: Debian/Ubuntu system with VMware utilities installed · vmware-mount setuid binary present
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Tavis Ormandy, egypt · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/vmware_mount.rb

This Metasploit module exploits a privilege escalation vulnerability in VMWare Workstation/Player by leveraging a setuid binary (vmware-mount) that executes lsb_release from the user-controlled PATH, allowing arbitrary code execution as root.

Classification
Working Poc 100%
Attack Type
Lpe
Complexity
Trivial
Reliability
Reliable
Target: VMWare Workstation (up to 9.0.2 build-1031769) and Player
No auth needed
Prerequisites: vmware-mount must be setuid root · write access to a directory in PATH
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References

Scores

EPSS 0.0464
EPSS Percentile 90.5%

Details

CWE
CWE-264
Status published
Products (23)
vmware/player 4.0
vmware/player 4.0.0.18997
vmware/player 4.0.1
vmware/player 4.0.2
vmware/player 4.0.3
vmware/player 4.0.4
vmware/player 4.0.5
vmware/player 4.0.6
vmware/player 5.0
vmware/player 5.0.1
... and 13 more
Published Aug 24, 2013
Tracked Since Feb 18, 2026