
auxiliary/gather/vmware_vcenter_vmdir_ldap exploit broken by internal LDAP changes #16498

Closed
jtylerorr opened this issue Apr 25, 2022 · 7 comments · Fixed by #16640

@jtylerorr

Steps to reproduce

How'd you do it?

  1. Start msfconsole
  2. use auxiliary/gather/vmware_vcenter_vmdir_ldap
  3. set RHOSTS <target_ip>
  4. set RPORT <target_port>
  5. set SSL false
  6. run

The issue is observed by targeting an intentionally vulnerable VMware vCenter instance for which the exploit previously worked.

Were you following a specific guide/tutorial or reading documentation?

No.

Expected behavior

The exploit should dump credentials from the target.

Current behavior

The module currently displays an error message and fails to dump credentials, as shown below:

msf6 auxiliary(gather/vmware_vcenter_vmdir_ldap) > run
[*] Running module against XX.XX.XX.XX

[*] Discovering base DN automatically
[+] XX.XX.XX.XX:XXX Discovered base DN: dc=vsphere,dc=local
[*] Dumping LDAP data from vmdir service at XX.XX.XX.XX:XXX
[-] Auxiliary failed: Net::BER::BerError Unsupported object type: id=84
[-] Call stack:
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ber/ber_parser.rb:93:in `parse_ber_object'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ber/ber_parser.rb:180:in `read_ber'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:234:in `block in read'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:233:in `read'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:201:in `queued_read'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:441:in `block (2 levels) in search'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:399:in `loop'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:399:in `block in search'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/connection.rb:388:in `search'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:784:in `block (2 levels) in search'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:1305:in `use_connection'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:783:in `block in search'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:782:in `search'
[-]   /root/metasploit-framework/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb:87:in `block in run'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:644:in `block in open'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:716:in `block in open'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:711:in `open'
[-]   /var/lib/gems/2.7.0/gems/net-ldap-0.17.0/lib/net/ldap.rb:644:in `open'
[-]   /root/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:68:in `ldap_connect'
[-]   /root/metasploit-framework/modules/auxiliary/gather/vmware_vcenter_vmdir_ldap.rb:72:in `run'
[*] Auxiliary module execution completed

Metasploit version

The issue appears to be caused by changes introduced in commit db8f4ffa6f and exists through the recent releases (6.1.38).

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=auxiliary/gather/vmware_vcenter_vmdir_ldap

[gather/vmware_vcenter_vmdir_ldap]
SSL=false
WORKSPACE=
VERBOSE=false
RHOSTS=XX.XX.XX.XX
RPORT=XXX
BIND_DN=
BIND_PW=
LDAP::ConnectTimeout=10.0
BASE_DN=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were run during the session and before this issue occurred:

10     set loglevel 3
11     search aux gath vce lda
12     use 0
13     set RHOSTS XX.XX.XX.XX
14     set RPORT XXX
15     set SSL false
16     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[04/25/2022 14:29:28] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:30] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=122
[04/25/2022 14:29:30] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=114
[04/25/2022 14:29:31] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=45
[04/25/2022 14:29:38] [e(0)] core: Auxiliary failed - OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello
[04/25/2022 19:31:17] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 19:31:21] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[04/25/2022 19:31:21] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/25/2022 19:31:22] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/25/2022 19:31:23] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[04/22/2022 16:47:47] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/22/2022 16:47:48] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/22/2022 16:47:49] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[04/25/2022 13:34:22] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 13:35:00] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[04/25/2022 13:35:00] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/25/2022 13:35:01] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/25/2022 13:35:02] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[04/25/2022 13:35:10] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 13:35:44] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[04/25/2022 13:35:44] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/25/2022 13:35:46] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/25/2022 13:35:46] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[04/25/2022 13:38:27] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 13:38:27] [d(0)] core: HistoryManager.push_context name: :msfconsole
[04/25/2022 13:38:32] [d(0)] core: HistoryManager.push_context name: :msfconsole
[04/25/2022 13:45:30] [d(0)] core: monitor_rsock: EOF in rsock
[04/25/2022 13:45:30] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[04/25/2022 13:45:30] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[04/25/2022 13:45:30] [d(0)] core: monitor_rsock: EOF in rsock
[04/25/2022 13:45:30] [d(0)] core: HistoryManager.push_context name: :msfconsole
[04/25/2022 13:45:30] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=81
[04/25/2022 13:45:36] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[04/25/2022 13:45:36] [d(0)] core: monitor_rsock: EOF in rsock
[04/25/2022 14:27:07] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 14:27:09] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[04/25/2022 14:27:10] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/25/2022 14:27:11] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/25/2022 14:27:12] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[04/25/2022 14:27:12] [d(0)] core: HistoryManager.push_context name: :msfconsole
[04/25/2022 14:28:24] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:23] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=44
[04/25/2022 14:29:24] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:25] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:26] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=122
[04/25/2022 14:29:27] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=114
[04/25/2022 14:29:28] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:28] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=84
[04/25/2022 14:29:30] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=122
[04/25/2022 14:29:30] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=114
[04/25/2022 14:29:31] [e(0)] core: Auxiliary failed - Net::BER::BerError Unsupported object type: id=45
[04/25/2022 14:29:38] [e(0)] core: Auxiliary failed - OpenSSL::SSL::SSLError SSL_connect SYSCALL returned=5 errno=0 state=SSLv3/TLS write client hello
[04/25/2022 14:31:08] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[04/25/2022 19:31:17] [e(0)] core: Failed to connect to the database: No database YAML file
[04/25/2022 19:31:21] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[04/25/2022 19:31:21] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[04/25/2022 19:31:22] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[04/25/2022 19:31:23] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[04/25/2022 19:31:24] [d(0)] core: HistoryManager.push_context name: :msfconsole
[04/25/2022 19:31:59] [i(2)] core: Reloading auxiliary module gather/vmware_vcenter_vmdir_ldap. Ambiguous module warnings are safe to ignore

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.1.38-dev-
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
Install Root: /opt/metasploit-framework/embedded/framework
Session Type: postgresql selected, no connection
Install Method: Omnibus Installer
@jtylerorr jtylerorr added the bug label Apr 25, 2022
@h00die (Contributor) commented Apr 25, 2022

What version is that vcenter?

@jtylerorr (Author)

The error was observed against vCenter 6.7.0 (build 8217866) for which the exploit worked prior to the noted commit. I have not tested against other versions of vCenter.

@h00die (Contributor) commented Apr 25, 2022

6.5 is supposed to be vuln out the gate, 6.7 only if updated from 6.0+

6.5 is downloadable here: https://customerconnect.vmware.com/downloads/get-download?downloadGroup=VC650

this is for my own notes

@github-actions

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label May 26, 2022
@zeroSteiner (Contributor)

Possibly related to the same issue @gwillcox-r7 noticed where that commit switched to using Rex::Socket and the #read method may return less data than was requested. That seems to have been causing some issues with the Net::LDAP library which assumes it'll either get all of the data it requested or an EOF.
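The short-read failure mode described in the comment above, as an added example that is not code from the Metasploit patch, from net-ldap or from Rex::Socket: a BER parser reads a tag byte, a length byte and then `read(len)` for the body. If the transport's `read` hands back fewer bytes than requested (instead of blocking until it has them all, or returning nil at EOF), the body is truncated and the next message is parsed starting mid-body, so a payload byte is interpreted as a tag, which is exactly how an "Unsupported object type: id=NN" error surfaces. `ShortReadSocket`, `STREAM`, `naive_read`, `read_fully` and `parse_sequence` are all constructed for this illustration; the BER bytes are hand-encoded SEQUENCEs of INTEGERs.

```ruby
require 'stringio'

# Constructed stand-in for a socket whose #read may return fewer bytes than
# requested (at most `chunk` per call), and nil at EOF like IO#read(len).
class ShortReadSocket
  def initialize(data, chunk:)
    @io = StringIO.new(data)
    @chunk = chunk
  end

  def read(len)
    @io.read([len, @chunk].min)
  end
end

# Two constructed BER messages back to back:
#   SEQUENCE { INTEGER 1, INTEGER 2 }  = 30 06 02 01 01 02 01 02
#   SEQUENCE { INTEGER 3 }             = 30 03 02 01 03
STREAM = [0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02,
          0x30, 0x03, 0x02, 0x01, 0x03].pack('C*')

# The reader a caller uses when it assumes "all requested bytes or EOF".
def naive_read(sock, len)
  sock.read(len)
end

# Read exactly `len` bytes, looping over short reads. Returns nil only when
# EOF is hit before any byte arrives; raises EOFError on a truncated message.
def read_fully(sock, len)
  buf = +''
  while buf.bytesize < len
    part = sock.read(len - buf.bytesize)
    if part.nil? || part.empty?
      return nil if buf.empty?

      raise EOFError, "EOF after #{buf.bytesize} of #{len} bytes"
    end
    buf << part
  end
  buf
end

# Minimal decoder for one SEQUENCE of INTEGERs (short-form lengths only).
# `reader` is a callable (sock, len) -> String or nil.
def parse_sequence(sock, reader)
  tag = reader.call(sock, 1)
  return nil if tag.nil?

  tag_id = tag.unpack1('C')
  raise "Unsupported object type: id=#{tag_id}" unless tag_id == 0x30

  len = reader.call(sock, 1).unpack1('C')
  body = reader.call(sock, len)
  raise EOFError, 'truncated body' if body.nil?

  ints = []
  io = StringIO.new(body)
  until io.eof?
    t = io.read(1).unpack1('C')
    raise "unexpected inner tag #{t}" unless t == 0x02

    l = io.read(1).unpack1('C')
    ints << io.read(l).unpack1('C')
  end
  ints
end

# Parse every message in STREAM through the given reader; an error is
# recorded in place of the message that triggered it.
def dump_stream(reader, chunk:)
  sock = ShortReadSocket.new(STREAM, chunk: chunk)
  results = []
  begin
    while (msg = parse_sequence(sock, reader))
      results << msg
    end
  rescue RuntimeError, EOFError => e
    results << [:error, e.message]
  end
  results
end

if $PROGRAM_NAME == __FILE__
  p dump_stream(method(:naive_read), chunk: 3)  # truncated body, then bogus tag
  p dump_stream(method(:read_fully), chunk: 3)  # both messages decoded
end
```

With a 3-byte chunk the naive reader decodes the first SEQUENCE body as only `[1]` and then reads the leftover `02` as the next message's tag, producing "Unsupported object type: id=2"; wrapping the transport in `read_fully` restores the contract the parser relies on and both messages decode. The same naive reader works fine with a large chunk, which is why such a bug can hide until the transport underneath changes.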

@github-actions github-actions bot removed the Stale Marks an issue as stale, to be closed if no action is taken label May 27, 2022
@zeroSteiner (Contributor)

@jtylerorr would you be able to test it again using the patch from my fix/ldap-reads branch? Specifically this commit here, you can optionally apply it as a patch.

@gwillcox-r7 (Contributor)

@zeroSteiner Confirmed your patch appears to fix the issue I was facing a few days back.
