-
Notifications
You must be signed in to change notification settings - Fork 14.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
automatic module_metadata_base.json update
- Loading branch information
1 parent
f1aea83
commit 5a9eca7
Showing
1 changed file
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -74153,6 +74153,72 @@ | |
| "session_types": false, | ||
| "needs_cleanup": true | ||
| }, | ||
| "exploit_linux/http/vmware_vrli_rce": { | ||
| "name": "VMware vRealize Log Insight Unauthenticated RCE", | ||
| "fullname": "exploit/linux/http/vmware_vrli_rce", | ||
| "aliases": [ | ||
|
|
||
| ], | ||
| "rank": 600, | ||
| "disclosure_date": "2023-01-24", | ||
| "type": "exploit", | ||
| "author": [ | ||
| "Horizon3.ai Attack Team", | ||
| "Ege BALCI <[email protected]>" | ||
| ], | ||
| "description": "VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as\n directory traversal, broken access control, deserialization, and information disclosure.\n When chained together, these vulnerabilities allow a remote, unauthenticated attacker to\n execute arbitrary commands on the underlying operating system as the root user.\n\n This module achieves code execution via triggering a `RemotePakDownloadCommand` command\n via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`\n thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the\n specially crafted PAK archive, which then will place the JSP payload under a certain API\n endpoint (pre-authenticated) location upon extraction for gaining remote code execution.\n\n Successfully tested against version 8.0.2.", | ||
| "references": [ | ||
| "ZDI-23-116", | ||
| "ZDI-23-115", | ||
| "CVE-2022-31706", | ||
| "CVE-2022-31704", | ||
| "CVE-2022-31711", | ||
| "URL-https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive", | ||
| "URL-https://www.vmware.com/security/advisories/VMSA-2023-0001.html" | ||
| ], | ||
| "platform": "Linux,Unix", | ||
| "arch": "x86, x64", | ||
| "rport": 443, | ||
| "autofilter_ports": [ | ||
| 80, | ||
| 8080, | ||
| 443, | ||
| 8000, | ||
| 8888, | ||
| 8880, | ||
| 8008, | ||
| 3000, | ||
| 8443 | ||
| ], | ||
| "autofilter_services": [ | ||
| "http", | ||
| "https" | ||
| ], | ||
| "targets": [ | ||
| "VMware vRealize Log Insight < v8.10.2" | ||
| ], | ||
| "mod_time": "2023-09-08 16:55:42 +0000", | ||
| "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb", | ||
| "is_install_path": true, | ||
| "ref_name": "linux/http/vmware_vrli_rce", | ||
| "check": true, | ||
| "post_auth": false, | ||
| "default_credential": false, | ||
| "notes": { | ||
| "Stability": [ | ||
| "crash-safe" | ||
| ], | ||
| "Reliability": [ | ||
| "repeatable-session" | ||
| ], | ||
| "SideEffects": [ | ||
| "ioc-in-logs", | ||
| "artifacts-on-disk" | ||
| ] | ||
| }, | ||
| "session_types": false, | ||
| "needs_cleanup": true | ||
| }, | ||
| "exploit_linux/http/vmware_vrni_rce_cve_2023_20887": { | ||
| "name": "VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE", | ||
| "fullname": "exploit/linux/http/vmware_vrni_rce_cve_2023_20887", | ||
|
|
||