
Web Service Hijacking In VMWare WebAccess

Posted Apr 1, 2010
Authored by Trustwave | Site trustwave.com

The Struts-based web application uses the server-side session attribute "context_vmdirect" to store various settings, including the URL to the XML web service backend. By default, the URL is http://localhost/sdk, but the web service URL can be manually set from a client browser in several locations. If wsUrl is changed to point at an external server, all SOAP calls for that session are sent to the specified server. This includes plaintext authentication credentials. An attacker could exploit this by tricking a user into following a link to /ui/vmDirect.do, with an attacker-controlled server passed in the "view" parameter.

tags | advisory, web
advisories | CVE-2009-2277
SHA-256 | fd01d4172df55b8994b34803311ab871ff8630ad51141bd4511fe4f4065759a2

Trustwave's SpiderLabs Security Advisory TWSL2010-002
Web Service Hijacking in VMWare WebAccess

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-002.txt

Published: 2010-03-30 Version: 1.0

Vendor: VMware, Inc (http://www.vmware.com)
Product: VMWare VirtualCenter, VMWare ESX
Versions affected: VirtualCenter 2.5, 2.0.x, ESX 3.5, ESX 3.0.x

Product description:
VMWare Infrastructure is a virtualized environment that
allows multiple virtual machines (VMs) to run on a single
physical server. Management can be performed via a
Struts-based web application, or via a thick client. Both
the web interface and the thick client effect all changes
through SOAP calls to an XML web service.

Credit: David Byrne & Tom Leavey of Trustwave's SpiderLabs

CVE: CVE-2009-2277

Finding:
The Struts-based web application uses the server-side session
attribute "context_vmdirect" to store various settings,
including the URL to the XML web service backend. By default,
the URL is http://localhost/sdk, but the web service URL can be
manually set from a client browser in several locations. One
location is /ui/vmDirect.do, by passing a base64-encoded value
in the "view" parameter as shown below:

/ui/vmDirect.do?view=d3NVcmw9aHR0cDovL2xvY2FsaG9zdC9zZGsmdm1JZD1WaXJ0dWFsTWFjaGluZXwxMjgmdWk9OQ==_

Decoded, the view value is:

wsUrl=http://localhost/sdk&vmId=VirtualMachine|128&ui=9

If wsUrl is changed to point at an external server, all SOAP
calls for that session are sent to the specified server. This
includes plaintext authentication credentials.
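As an added illustration (not part of the Trustwave advisory and not VMware's code), the following Python script does what a defender reviewing WebAccess logs would want: it pulls the "view" parameter out of /ui/vmDirect.do requests in web-server access log lines, base64-decodes it exactly as described above, and flags any request whose decoded wsUrl points at a host other than the local backend, or whose value does not decode at all. The access log lines, the attacker.example host and the allowlist of backend hosts are constructed for this example; the benign view value is the advisory's own.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote, urlsplit

# Hosts on which the XML web service backend is expected to live. The advisory's
# default wsUrl is http://localhost/sdk; any other host is treated as a hijack.
# (This allowlist is an assumption for the example; adjust to the deployment.)
ALLOWED_WS_HOSTS = {"localhost", "127.0.0.1"}

# Request target of an Apache/Tomcat "combined"-style access log line.
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"'
)


def parse_query(query):
    """Split a raw query string into a dict, percent-decoding keys and values.

    unquote() rather than unquote_plus() is deliberate: '+' belongs to the
    base64 alphabet and must not be turned into a space."""
    params = {}
    for part in query.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params[unquote(key)] = unquote(value)
    return params


def decode_view(view):
    """Decode the base64 'view' value into its key/value settings.

    Returns None when the value is not valid base64 (tampered or truncated)."""
    try:
        raw = base64.b64decode(view, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None
    settings = {}
    for part in raw.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            settings[key] = value
    return settings


def ws_url_is_allowed(ws_url, allowed_hosts=ALLOWED_WS_HOSTS):
    """True only if the wsUrl host is one the backend is expected to run on."""
    try:
        host = urlsplit(ws_url).hostname  # already lower-cased by urlsplit
    except ValueError:
        return False
    return host is not None and host in allowed_hosts


def classify_request(target):
    """Classify one request target; returns (verdict, ws_url)."""
    path, _, query = target.partition("?")
    if path != "/ui/vmDirect.do":
        return "ignored", None
    view = parse_query(query).get("view")
    if view is None:
        return "ignored", None
    settings = decode_view(view)
    if settings is None:
        return "undecodable", None
    ws_url = settings.get("wsUrl")
    if ws_url is None:
        return "no-wsurl", None
    return ("ok" if ws_url_is_allowed(ws_url) else "hijack"), ws_url


def scan_access_log(lines):
    """Return (client, verdict, ws_url) for every line that deserves attention."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict, ws_url = classify_request(m.group("target"))
        if verdict in ("hijack", "undecodable"):
            findings.append((m.group("client"), verdict, ws_url))
    return findings


# --- constructed sample data ---------------------------------------------
# The benign value is the advisory's own example (wsUrl=http://localhost/sdk&...).
BENIGN_VIEW = "d3NVcmw9aHR0cDovL2xvY2FsaG9zdC9zZGsmdm1JZD1WaXJ0dWFsTWFjaGluZXwxMjgmdWk9OQ=="
# The hostile value is built here for the example; attacker.example is a placeholder.
HIJACK_VIEW = base64.b64encode(
    b"wsUrl=http://attacker.example/sdk&vmId=VirtualMachine|128&ui=9"
).decode("ascii")

SAMPLE_LOG = [
    f'10.0.0.5 - - [30/Mar/2010:10:00:01 +0000] "GET /ui/vmDirect.do?view={quote(BENIGN_VIEW)} HTTP/1.1" 200 512',
    f'10.0.0.7 - - [30/Mar/2010:10:00:02 +0000] "GET /ui/vmDirect.do?view={quote(HIJACK_VIEW)} HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Mar/2010:10:00:03 +0000] "GET /ui/vmDirect.do?view=not%21base64 HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/Mar/2010:10:00:04 +0000] "GET /ui/login.do HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, verdict, ws_url in scan_access_log(SAMPLE_LOG):
        print(f"{client}: {verdict} wsUrl={ws_url}")
```

The host allowlist is the same check a server-side fix would need to apply before accepting a wsUrl into the "context_vmdirect" session attribute; the advisory does not describe VMware's actual patch, so that is an inference, not a description of it. Undecodable values are reported as well, since a log reviewer cannot rule out tampering for a value that does not decode.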

An attacker could exploit this by tricking a user into following
a link to /ui/vmDirect.do, with an attacker-controlled server
passed in the "view" parameter. Because the "context_vmdirect"
session attribute can be set pre-authentication, and because a
logged-out session can be reused with different credentials, an
attacker could leave a shared browser with a session pointing at
a malicious web service.

Because the authentication credentials used by the management
tools are based on the underlying Linux user accounts, this
attack could lead to a full compromise of the host server.

Vendor Response: The following table lists what action remediates
the vulnerability (column 4) if a solution is available.

VMware         Product   Running   Replace with/
Product        Version   on        Apply Patch
=============  ========  ========  ==============================
vCenter        4.0       Windows   not affected
VirtualCenter  2.5       Windows   Virtual Center 2.5 Update 6
VirtualCenter  2.0.2     Windows   not being fixed at this time *

hosted **      any       any       not affected

ESXi           any       ESXi      not affected

ESX            4.0       ESX       not affected
ESX            3.5       ESX       ESX350-201003403-SG
ESX            3.0.3     ESX       not being fixed at this time *
ESX            2.5.5     ESX       not affected

vMA            4.0       RHEL5     not affected

* Use the workaround of disabling WebAccess to remediate the issue.

** Hosted products are VMware Workstation, Player, ACE, Server, Fusion.

Vendor Communication Timeline:
2009-07-01: Initial contact
2009-07-01: Confirmation of the vulnerabilities
2010-03-29: Fix issued to customers
2010-03-30: Advisory public release

References
1. http://lists.vmware.com/pipermail/security-announce/2010/000086.html

Revision History:
1.0 Initial publication

About Trustwave:
Trustwave is the leading provider of on-demand and
subscription-based information security and payment card
industry compliance management solutions to businesses and
government entities throughout the world. For organizations
faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with
comprehensive solutions that include its flagship
TrustKeeper compliance management software and other
proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500
businesses and large financial institutions to small and
medium-sized retailers--manage compliance and secure their
network infrastructure, data communications and critical
information assets. Trustwave is headquartered in Chicago
with offices throughout North America, South America,
Europe, Africa, Asia and Australia. For more information,
visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs is the advanced security team at Trustwave
responsible for incident response and forensics, penetration
testing, application security and security research for
Trustwave's clients. SpiderLabs has responded to hundreds of
security incidents, performed thousands of ethical hacking
exercises and tested the security of hundreds of business
applications for Fortune 500 organizations. For more
information visit https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as
is" without warranty of any kind. Trustwave disclaims all
warranties, either express or implied, including the
warranties of merchantability and fitness for a particular
purpose. In no event shall Trustwave or its suppliers be
liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business
profits or special damages, even if Trustwave or its
suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental
damages so the foregoing limitation may not apply.
