diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json index c9eb1f2c4eb7..e7e5b909d712 100644 --- a/db/modules_metadata_base.json +++ b/db/modules_metadata_base.json @@ -74153,6 +74153,72 @@ "session_types": false, "needs_cleanup": true }, + "exploit_linux/http/vmware_vrli_rce": { + "name": "VMware vRealize Log Insight Unauthenticated RCE", + "fullname": "exploit/linux/http/vmware_vrli_rce", + "aliases": [ + + ], + "rank": 600, + "disclosure_date": "2023-01-24", + "type": "exploit", + "author": [ + "Horizon3.ai Attack Team", + "Ege BALCI " + ], + "description": "VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as\n directory traversal, broken access control, deserialization, and information disclosure.\n When chained together, these vulnerabilities allow a remote, unauthenticated attacker to\n execute arbitrary commands on the underlying operating system as the root user.\n\n This module achieves code execution via triggering a `RemotePakDownloadCommand` command\n via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`\n thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the\n specially crafted PAK archive, which then will place the JSP payload under a certain API\n endpoint (pre-authenticated) location upon extraction for gaining remote code execution.\n\n Successfully tested against version 8.0.2.", + "references": [ + "ZDI-23-116", + "ZDI-23-115", + "CVE-2022-31706", + "CVE-2022-31704", + "CVE-2022-31711", + "URL-https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive", + "URL-https://www.vmware.com/security/advisories/VMSA-2023-0001.html" + ], + "platform": "Linux,Unix", + "arch": "x86, x64", + "rport": 443, + "autofilter_ports": [ + 80, + 8080, + 443, + 8000, + 8888, + 8880, + 8008, + 3000, + 8443 + ], + "autofilter_services": [ + "http", + "https" + ], + "targets": [ + "VMware vRealize Log Insight < v8.10.2" + ], + "mod_time": "2023-09-08 16:55:42 +0000", + "path": "/modules/exploits/linux/http/vmware_vrli_rce.rb", + "is_install_path": true, + "ref_name": "linux/http/vmware_vrli_rce", + "check": true, + "post_auth": false, + "default_credential": false, + "notes": { + "Stability": [ + "crash-safe" + ], + "Reliability": [ + "repeatable-session" + ], + "SideEffects": [ + "ioc-in-logs", + "artifacts-on-disk" + ] + }, + "session_types": false, + "needs_cleanup": true + }, "exploit_linux/http/vmware_vrni_rce_cve_2023_20887": { "name": "VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE", "fullname": "exploit/linux/http/vmware_vrni_rce_cve_2023_20887",