Trustwave's SpiderLabs Security Advisory TWSL2010-002 Web Service Hijacking in VMWare WebAccess https://www.trustwave.com/spiderlabs/advisories/TWSL2010-002.txt Published: 2010-03-30 Version: 1.0 Vendor: VMware, Inc (http://www.vmware.com) Product: VMWare VirtualCenter, VMWare ESX Versions affected: VirtualCenter 2.5, 2.0.x, ESX 3.5, ESX 3.0.x Product description: VMWare Infrastructure is a virtualized environment that allows multiple virtual machines (VMs) to run on a single physical server. Management can be performed via a Struts-based web application, or via a thick client. Both the web interface and the thick client effect all changes through SOAP calls to an XML web service. Credit: David Byrne & Tom Leavey of Trustwave's SpiderLabs CVE: CVE-2009-2277 Finding: The Struts-based web application uses the server-side session attribute "context_vmdirect" to store various settings, including the URL to the XML web service backend. By default, the URL is http://localhost/sdk, but the web service URL can be manually set from a client browser in several locations. One location is /ui/vmDirect.do, by passing a base64-encoded value to in the "view" parameter as shown below: /ui/vmDirect.do?view=d3NVcmw9aHR0cDovL2xvY2FsaG9zdC9zZGsmdm1JZD1WaXJ0dWFsTWFjaGluZXwxMjgmdWk9OQ==_ Decoded, the view value is: wsUrl=http://localhost/sdk&vmId=VirtualMachine|128&ui=9 If wsUrl is changed to point at an external server, all SOAP calls for that session are sent to the specified server. This includes plaintext authentication credentials. An attacker could exploit this by tricking a user into following a link to /ui/vmDirect.do, with an attacker-controlled server passed in the "view" parameter. Because the "context_vmdirect" session attribute can be set pre-authentication, and because a logged-out session can be reused with different credentials, an attacker could leave a shared browser with a session pointing at a malicious web service. Because the authentication credentials used by the management tools are based on the underlying Linux user accounts, this attack could lead to a full compromise of the host server. Vendor Response: The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows not affected VirtualCenter 2.5 Windows Virtual Center 2.5 Update 6 VirtualCenter 2.0.2 Windows not being fixed at this time * hosted ** any any not affected ESXi any ESXi not affected ESX 4.0 ESX not affected ESX 3.5 ESX ESX350-201003403-SG ESX 3.0.3 ESX not being fixed at this time * ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected * Use the workaround of disabling WebAccess to remediate the issue. ** Hosted products are VMware Workstation, Player, ACE, Server, Fusion. Vendor Communication Timeline: 2009-07-01: Initial contact 2009-07-01: Confirmation of the vulnerabilities 2010-03-29: Fix issued to customers 2010-03-30: Advisory public release References 1. http://lists.vmware.com/pipermail/security-announce/2010/000086.html Revision History: 1.0 Initial publication About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com About Trustwave's SpiderLabs: SpiderLabs is the advance security team at Trustwave responsible for incident response and forensics, penetration testing, application security and security research for Trustwave's clients. SpiderLabs has responded to hundreds of security incidents, performed thousands of ethical hacking exercises and tested the security of hundreds of business applications for Fortune 500 organizations. For more information visit https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.