vCenter Sudo LPE (CVE-2024-37081) #19402
Conversation
| if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || | ||
| ['operator', 'admin'] & group |
There was a problem hiding this comment.
The second part of this will always evaluate to true because empty arrays are truthy in Ruby. I think what you want is something like this instead:
| if ['infraprofile', 'vpxd', 'sts', 'pod'].contains? user || | |
| ['operator', 'admin'] & group | |
| if ['infraprofile', 'vpxd', 'sts', 'pod'].contains?(user) || (['operator', 'admin'] & group).any? |
| user = cmd_exec('whoami').chomp | ||
| groups = cmd_exec('groups').split(' ').chomp |
There was a problem hiding this comment.
How about storing these as instance variable so the commands only need to be executed once? The values are highly unlikely to change during the course of exploitation.
| 'Matei "Mal" Badanoiu', # discovery | ||
| ], | ||
| 'Platform' => [ 'linux' ], | ||
| 'Arch' => [ ARCH_X86, ARCH_X64 ], |
There was a problem hiding this comment.
It looks like for a couple of targets at least that the host is expecting to import a Python module, so if this doesn't work because you're dropping an ELF binary and not a shared object then you may want to change these to ARCH_PYTHON.
|
haven't forgotten about this, my ESXi server which should be vulnerable has a failing drive, so I'm waiting for the replacements to come in before attempting any more than absolutely necessary disk writes. |
Draft module of CVE-2024-37081. Untested, pseudo coded based on PoC, just haven't had time to get back around to it yet.