
JSP base directory probably not generic #2

Closed
gelim opened this issue Feb 24, 2021 · 5 comments

Comments

@gelim

gelim commented Feb 24, 2021

Hello,
Thanks for the PoC, I was looking at the Linux.tar file that contains the directory where the webshell should be written.
By testing on 6.7 unpatched servers, it's not getting JSP compilation/execution that easily (and strace/find do not give up a proper webapps path that easily).

Cheers

@NS-Sp4ce
Owner

Hello,
I found an interesting thing: the folder 'global' is regenerated when vCenter Server restarts (e.g. before the restart, the path looks like /path/to/vmware-vsphere-ui/server/work/deployer/s/global/41/0/h5ngc.war/resources/, but after vCenter Server has restarted, the path is /path/to/vmware-vsphere-ui/server/work/deployer/s/global/RANDOM_NUMBER/0/h5ngc.war/resources/), so I will use ptsecurity's path to rewrite the Windows payload; for Linux, because of permission reasons, I will find another way to write the webshell, give me a little time.

NS-Sp4ce added a commit that referenced this issue Feb 25, 2021
folder 'global' is regenerated when vCenter Server restarts, so use ptsecurity's path to rewrite payloads.
@NS-Sp4ce
Owner

After 6.7 U3g, the path /path/to/vmware-vsphere-ui/server/work/deployer/ has been removed; I will try to find another way to upload a JSP file.

@gelim
Author

gelim commented Feb 25, 2021

Thanks for the confirmation. Oh, and I just saw that PT finally published their full research: https://swarm.ptsecurity.com/unauth-rce-vmware/
So okay, for Linux there is no easy way to get JSP auto-deployment, but for a serious actor, having vsphere-ui write privileges on the server is enough for RCE without this webshell auto-deployment thing anyway, as there are several moving parts using code with vsphere-ui write allowed (like /usr/lib/vmware-vsphere-ui/server/bin/*).

@NS-Sp4ce
Owner

After about 8 hours of testing, I think we can rewrite the /usr/lib/vmware-vsphere-ui/server/static/resources/ JS files to steal the administrator's cookie.

@NS-Sp4ce
Owner

I found some interesting code in /usr/lib/vmware-vsphere-ui/server/bootstrap/server-launcher.jar. The function of this file is to start the vsphere-ui service, but after the startup is complete, the file calls the com.vmware.vise.launcher.tomcat.TomcatLauncher method to delete the website deployment directory.

```java
public final class TomcatLauncher
{
    private static final String VECS_KEYSTORE_TYPE = "VKS";
    private static final String MACHINE_SSL_CERT = "MACHINE_SSL_CERT";
    private static final String VECS_LOAD_STORE_PARAM_TYPE = "com.vmware.provider.VecsLoadStoreParameter";
    private static final String FILE_SEPARATOR;
    private static final String SYSPROP_COMPONENT_NAME = "ui.component.name";
    private static final String DEFAULT_COMPONENT_NAME = "vsphere-ui";
    private static final String CLIENT_APP_DATA_FOLDER;
    private static final String DEST_KEYSTORE_NAME = "keystore.jks";
    private static final String PASSWORD;
    private static final String TOMCAT_DIR = "catalina.base";
    private static final String CONFIG_DIR;

    public static void main(final String[] args) {
        loadKeystore();
        deleteWorkDirectory(); // <- NOTE HERE!
        createJavaTempDir();
        Bootstrap.main(args);
    }

    // ..................................

    private static void deleteWorkDirectory() {
        final File workDir = new File(System.getProperty("catalina.base") + "/work");
        if (!workDir.exists()) {
            return;
        }
        try {
            deleteDirectoryRecur(workDir);
        }
        catch (IOException e) {
            throw new RuntimeException("Cannot clean work dir", e);
        }
    }

    // ......................................

    private static void deleteDirectoryRecur(final File directory) throws IOException {
        final File[] contents = directory.listFiles();
        if (contents != null) {
            for (final File f : contents) {
                if (isSymlink(f)) {
                    f.delete();
                }
                else {
                    deleteDirectoryRecur(f);
                }
            }
        }
        directory.delete();
    }

    private static boolean isSymlink(final File file) throws IOException {
        if (file == null) {
            throw new NullPointerException("File must not be null");
        }
        File canon;
        if (file.getParent() == null) {
            canon = file;
        }
        else {
            final File canonDir = file.getParentFile().getCanonicalFile();
            canon = new File(canonDir, file.getName());
        }
        return !canon.getCanonicalFile().equals(canon.getAbsoluteFile());
    }
}
```
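As an added example (not code from the PoC repository or from either commenter), the following Python mirrors the deleteWorkDirectory / deleteDirectoryRecur / isSymlink logic of the decompiled launcher above, so a defender can see what a vsphere-ui restart does to anything left under catalina.base/work: the whole tree is removed, and a symlink inside it is unlinked rather than followed, so nothing outside the tree is touched. The directory layout, file names and contents are constructed for the demonstration.

```python
import os
import tempfile


def is_symlink(path: str) -> bool:
    """Mirror of TomcatLauncher.isSymlink: canonicalise the parent directory,
    re-append the entry name, and compare canonical vs absolute forms."""
    parent = os.path.dirname(path)
    if not parent:
        canon = path
    else:
        canon = os.path.join(os.path.realpath(parent), os.path.basename(path))
    return os.path.realpath(canon) != os.path.abspath(canon)


def delete_directory_recur(directory: str) -> None:
    """Mirror of deleteDirectoryRecur. In the Java version a plain file also
    reaches the recursive call (listFiles() returns null, then delete());
    here files and symlinks are unlinked directly, real directories recursed."""
    for name in os.listdir(directory):
        entry = os.path.join(directory, name)
        if is_symlink(entry) or not os.path.isdir(entry):
            os.unlink(entry)  # a symlink is removed, never descended into
        else:
            delete_directory_recur(entry)
    os.rmdir(directory)


def simulate_work_dir_wipe() -> dict:
    """Constructed scenario: a catalina.base/work tree shaped like the page's
    deployer/s/global/<n>/0/ path, holding a stale file, plus a symlink that
    escapes the tree. Runs the wipe and reports what still exists."""
    base = tempfile.mkdtemp()
    work = os.path.join(base, "work")
    leaf = os.path.join(work, "deployer", "s", "global", "41", "0")
    os.makedirs(leaf)
    stale = os.path.join(leaf, "stale.jsp")
    outside = os.path.join(base, "outside.txt")  # must survive the wipe
    with open(stale, "w") as fh:
        fh.write("constructed stale file")
    with open(outside, "w") as fh:
        fh.write("constructed file outside work/")
    os.symlink(base, os.path.join(work, "escape"))  # symlink out of the tree
    delete_directory_recur(work)
    return {
        "work_exists": os.path.exists(work),
        "stale_exists": os.path.exists(stale),
        "outside_exists": os.path.exists(outside),
    }


if __name__ == "__main__":
    print(simulate_work_dir_wipe())
```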

@NS-Sp4ce NS-Sp4ce closed this as completed Mar 2, 2021