what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

vCenter Java JMX/RMI Remote Code Execution

vCenter Java JMX/RMI Remote Code Execution
Posted Oct 2, 2015
Authored by David Stubley | Site 7elements.co.uk

VMware vCenter Server provides a centralized platform for managing your VMware vSphere environments so you can automate and deliver a virtual infrastructure. VMware vCenter was found to bind an unauthenticated JMX/RMI service to the network stack. An attacker with access can abuse the configuration to achieve remote code execution, providing SYSTEM level access to the server.

tags | advisory, remote, code execution
advisories | CVE-2015-2342
SHA-256 | 10390f727e34027dc5042e78df6a093644dcc4e778d7b8da10844696d32650b1

vCenter Java JMX/RMI Remote Code Execution

Change Mirror Download

Link to advisory:
https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmw
are-vcenter-remote-code-execution/

Advisory Information
Title: vCenter Java JMX/RMI Remote Code Execution
Date Published: 01/10/2015
CVE: CVE-2015-2342
Advisory Summary
VMware vCenter Server provides a centralised platform for managing your
VMware vSphere environments so you can automate and deliver a virtual
infrastructure. VMware vCenter was found to bind an unauthenticated JMX/RMI
service to the network stack. An attacker with access can abuse the
configuration to achieve remote code execution, providing SYSTEM level
access to the server.
Vendor
VMware
Affected Software
VMware ProductVersionPlatform
VMware vCenter Server6.0Any
VMware vCenter Server5.5Any
VMware vCenter Server5.1Any
VMware vCenter Server5.0Any
Description of Issue
VMware¹s vCenter application makes use of Java Virtual Machine (JVM)
technology and supports the use of Java Management extensions (JMX), for
application and network management and monitoring of the JVM. A JMX agent is
setup to allow remote management of the JVM. The JMX agent utilises managed
beans ŒMBeans¹ to expose configured interfaces to manage predefined
configurations. Any objects that are implemented as an MBean and registered
with the agent can be managed from outside the agent¹s Java virtual machine.
The JMX service was found to be configured insecurely as it does not require
authentication, allowing a user to connect and interact with the service.
The JMX service allows users to call the ³javax.management.loading.MLet²
function, which permits the loading of an MBean from a remote URL. An
attacker can set up their remote Web Service to host an MLet (text file)
that points to a malicious JAR file. When the JMX service registers the MLet
file, the agent will initiate the URL to the remote JAR and execute the
methods leading to code execution.
Ref ­
http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet.h
tml
<http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet.
html>
Additional Information
Wider exploit development has already been undertaken against other vendors
utilising JMX/RMI deployments and therefore, publicly available exploit code
already exists that can be used in combination with Metasploit to gain a
remote Meterpreter shell as SYSTEM.
Ref ­ https://github.com/mogwaisec/mjet <https://github.com/mogwaisec/mjet>
Ref ­ http://www.accuvant.com/blog/exploiting-jmx-rmi
<http://www.accuvant.com/blog/exploiting-jmx-rmi>
Ref ­ https://www.exploit-db.com/exploits/36101/
<https://www.exploit-db.com/exploits/36101/>
PoC
For a proof of concept and further discussion, please see our blog
<http://www.7elements.co.uk/resources/blog/cve-2015-2342-remote-code-executi
on-within-vmware-vcenter/> on this issue.
Timeline
Reported ­ 27th February 2015
Accepted ­ 21st April 2015
First Fix ­ 10th September 2015
Retrospective Fix ­ 1st October 2015
Advisory Published ­ 1st October 2015




Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close