add cve-2022-22954 detector #245

hh-hunter · 2022-05-06T07:01:52Z

Hey,

this PR for the Vuln Detector Plugin for CVE-2022-22954 (see Issue #239 )

Please note that I will provide a vulnerable ova image for this vulnerability, please boot up and configure the hostname to work.

https://mega.nz/file/2scHxBrI#9a8aikJvW3_yJDbOj8dbES9EENiK2Na6pAulbyrAszY

hh-hunter · 2022-06-03T23:50:34Z

@magl0 @maoning hi,Can you review my other plugins?
#245
#246
#83
#233
#89
#198

maoning · 2023-03-03T03:50:54Z

This review is paused due to the fact that we have not yet find a way to deploy the vmware image you attached into GCP to do vuln verification. We had made multiple attempts in the past, but nothing worked so far. We may be able to find some physical machines to run the image on, but it will take time for us to figure out the process.

hh-hunter · 2023-03-03T05:51:23Z

Do you want me to write you a simple deployment process article?

hh-hunter · 2024-01-09T03:24:26Z

@tooryx Look at this?

tooryx · 2024-01-09T09:42:27Z

Hi @hh-hunter,

Apologies for this taking so long, but we can only process a limited number of issues in parallel. We are getting there, please bear with us.

~tooryx

lokiuox · 2024-11-28T18:53:09Z

Hi @hh-hunter, could you submit a PR to the security-testbed repo please? If you can't provide a proper testbed due to the proprietary software, please just add instructions on how to make one.

lokiuox

Hi @hh-hunter, thank you for your contribution! I've left a few comments on things that can be improved.

About the testbed, after some trial and error I was able to deploy the OVA image, but it definitely requires some instruction steps. Can you send a PR to the security-testbeds repo? If not, just let me know and I'll send one, I have everything already set up so it would be easy for me to grab screenshots, etc.

Moreover, be aware that there is an issue that I found during testing, which is that the web page from the VMWare instance only works if you send the correct FQDN in the Host header. So if you send the GET request with the payload directly to the IP, it won't work and it will show an error saying Unable to resolve tenant with host value 192.168.x.x.

In my opinion you should try to run the vulnerability check as you are doing now and, if it fails, check if the response contains that message; if it does, then try to fetch the real FQDN of the machine in some way and repeat the process but setting the Host header to the discovered FQDN.

Here are some ideas on how to find the FQDN:

Reverse DNS lookup (may give an incorrect result)
Analyze the TLS certificate of the website and extract the CN field from it - I guess this could be inaccurate too if the cert is misconfigured or the machine is being reverse-proxied
Try to get the FQDN from the some API endpoint - about this, I can tell you that I already found some endpoint that exposes the real hostname and it's a GET request to /SAAS/jersey/manager/api/branding. This endpoint contains links to images used in the front page and some of the links have the full URL with the hostname.

I actually already implemented the third option for testing purposes, so if you want you can just copy-paste this function:

  static final String BRANDING_PATH = "SAAS/jersey/manager/api/branding";

  private String tryFindFqdn(NetworkService networkService) {
    String url = NetworkServiceUtils.buildWebApplicationRootUrl(networkService) + BRANDING_PATH;
    HttpResponse response;
    try{
      response = httpClient.send(get(url).withEmptyHeaders().build(), networkService);
    } catch (IOException e) {
      logger.atWarning().withCause(e).log("Failed to send request to %s", url);
      return null;
    }
    if (response.status().code() != 200 || response.bodyJson().isEmpty()) {
      return null;
    }

    try{
      JsonObject jsonBody = response.bodyJson().get().getAsJsonObject();
      // Iterate through children and check the "_links" array from each one of them
      for (var entry: jsonBody.entrySet()) {
        if (!entry.getValue().isJsonObject()) {
          continue;
        }
        var entryObj = entry.getValue().getAsJsonObject();

        // There should be a "_links" object here
        if (!entryObj.has("_links") || !entryObj.get("_links").isJsonObject()) {
          continue;
        }

        for (var linkEntry: entryObj.get("_links").getAsJsonObject().entrySet()) {
          // Get the link string value
          if (!linkEntry.getValue().isJsonPrimitive() || !linkEntry.getValue().getAsJsonPrimitive().isString()) {
            continue;
          }

          String link = linkEntry.getValue().getAsString();
          // Check that it's an absolute link
          if (!link.startsWith("http://") && !link.startsWith("https://")) {
            continue;
          }

          // Extract host from URL
          return new URL(link).getHost();
        }
      }
    } catch (NoSuchElementException | IllegalStateException | ClassCastException | MalformedURLException | NullPointerException e) {
      // We check each sub-key before trying to get it from the JSON Object, but let's catch just in case
      return null;
    }

    return null;
  }

community/detectors/vmware_cve_2022_22954/build.gradle

lokiuox · 2024-11-30T01:09:04Z

community/detectors/vmware_cve_2022_22954/gradle/wrapper/gradle-wrapper.properties

@@ -0,0 +1,5 @@
+distributionBase=GRADLE_USER_HOME
+distributionPath=wrapper/dists
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.5-bin.zip


Please update to Gradle 7.0

.../google/tsunami/plugins/detectors/cves/cve202222954/Cve202222954DetectorBootstrapModule.java