
Exploit for VMware VDP with known ssh private key (CVE-2016-7456) #7808

Merged
merged 6 commits into from Aug 20, 2017

Conversation

phroxvs
Contributor

@phroxvs phroxvs commented Jan 10, 2017

VMware vSphere Data Protection appliances 5.5.x through 6.1.x contain a known ssh private key for the local user admin. This exploit includes the private key and gets you a shell if the ssh port of the appliance is reachable.

Reference: https://www.vmware.com/security/advisories/VMSA-2016-0024.html

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/linux/ssh/vmware_vdp_known_privkey
  • set rhost <ip>
  • exploit
  • Verify you get a shell

Screenshot

[Screenshot: screenshot_vmware_vdp_known_privkey]
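As an added defender-side example (not part of this pull request or the Metasploit module): an audit script that flags vendor-shipped keys in an OpenSSH authorized_keys file by SHA256 fingerprint, the check an operator would run against the appliance's admin account after applying the VMSA-2016-0024 fix. The VDP key itself is not on this page, so the blocklisted key is a constructed placeholder; the fingerprint format is the one `ssh-keygen -lf` prints, so real fingerprints from a vendor advisory can be dropped into the blocklist.

```python
import base64, hashlib, struct

def ssh_string(b):
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n):  # RFC 4251 mpint: big-endian, leading 0x00 if the high bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def rsa_public_blob(e, n):  # wire format of an ssh-rsa public key
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def fingerprint_sha256(blob):  # same format as `ssh-keygen -lf`
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def parse_authorized_keys(text):
    """Return (line_no, key_type, blob, comment) per key line; skips comments,
    blank lines and a leading options field such as from="..."."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            if not fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
                continue
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # an option value that merely looks like a key type
                continue
            # the blob embeds its own type string; require it to match the text field
            if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != fields[i].encode():
                continue
            entries.append((line_no, fields[i], blob, " ".join(fields[i + 2:])))
            break
    return entries

def audit_authorized_keys(text, blocklist):
    """Return [(line_no, fingerprint, comment)] for every blocklisted key."""
    return [(ln, fp, c) for ln, _t, blob, c in parse_authorized_keys(text)
            if (fp := fingerprint_sha256(blob)) in blocklist]

# Constructed placeholder keys (tiny moduli, not real keys): one stands in for the
# vendor-shipped VDP 'admin' key, which is not reproduced here, the other for a legitimate key.
KNOWN_BAD_BLOB = rsa_public_blob(65537, 0xC0FFEEBADC0DE1234567)
LEGIT_BLOB = rsa_public_blob(65537, 0xDEADBEEFCAFEBABE7654321)
KNOWN_BAD_FINGERPRINTS = {fingerprint_sha256(KNOWN_BAD_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([  # constructed sample of the admin user's file
    "# managed by config tool",
    "ssh-rsa " + base64.b64encode(LEGIT_BLOB).decode() + " operator@mgmt",
    'from="10.0.0.0/8" ssh-rsa ' + base64.b64encode(KNOWN_BAD_BLOB).decode() + " admin@vdp",
])
```

Running `audit_authorized_keys(open("/home/admin/.ssh/authorized_keys").read(), KNOWN_BAD_FINGERPRINTS)` on the appliance reports the line number and comment of any blocklisted entry; an empty list means the known key has been removed.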

@wchen-r7
Contributor

Hi @phroxvs, is it just me? Are you getting a NameError uninitialized constant Net::SSH::CommandStream error?

@wchen-r7
Contributor

Module looks pretty flawless to me, but I am concerned about the uninitialized constant bug I hit, and this bug #7792.

@phroxvs Do you have OS X? If you do, could you please try the exploit on OS X? Thanks.

@phroxvs
Contributor Author

phroxvs commented Jan 11, 2017

Hi @wchen-r7, thanks for your feedback. Currently I have no OS X with me, but I'll test it within the next days.

@wchen-r7
Contributor

Thanks. I'll try to set up Kali too.

@phroxvs
Contributor Author

phroxvs commented Jan 13, 2017

On OS X, I have the "NameError uninitialized constant Net::SSH::CommandStream" error, too. To be honest I don't know Ruby and MSF very well... what would be the best option for a fix?

[Screenshot: uninitialized]

@wchen-r7
Contributor

Thanks for testing.

The uninitialized error can be fixed by adding this line at the top of your file:

require 'net/ssh/command_stream'

And then add this in the class scope:

include Msf::Auxiliary::CommandShell

And that should do it.

After that error is fixed, please let me know if your session causes msfconsole to freeze. Thanks.

@phroxvs
Contributor Author

phroxvs commented Jan 16, 2017

Ok, I added the dependency and the class scope. Now the exploit also works on my OS X.

@wchen-r7
Contributor

Thanks. I'll try to find the appliance and test it.

@wchen-r7 wchen-r7 self-assigned this Jan 17, 2017
@wchen-r7
Contributor

BTW @phroxvs, when you wrote this module, exactly what version of VMware vSphere Data Protection appliance did you test this on? Please let me know. Thanks!

@phroxvs
Contributor Author

phroxvs commented Jan 18, 2017

I've tested the module against vSphere Data Protection version 6.1.2.

@wchen-r7
Contributor

wchen-r7 commented Jan 18, 2017

Cool, thanks!

I'm in the process of obtaining the virtual appliance for testing.

@wchen-r7
Contributor

I just obtained the appliance. I will be testing this tomorrow.

@wchen-r7
Contributor

Hi @phroxvs, I am trying to test this PR, but I am having a hard time with it because I'm unable to set up the virtual appliance. For some reason, when I try to import the ova file, I get this:

[Screenshot: screen shot 2017-02-15 at 11.53.40 am]

I've tried both VMWare Fusion and Virtual Box. I was wondering if you ran into something similar? If you did, let me know? Thanks!

@phroxvs
Contributor Author

phroxvs commented Feb 16, 2017

Hi @wchen-r7, yes, I had the same problems. I got it working by unzipping the vmdk from the .ova file and manually creating a virtual machine. If you need to log in to the appliance, the default should be root:changeme

@h00die
Contributor

h00die commented Feb 16, 2017

good thing to capture in the docs :)

@wchen-r7
Contributor

Thanks. Now I got this problem:

[Screenshot: screen shot 2017-02-22 at 2.21.30 pm]

Is it possible to get some setup instructions?

@phroxvs
Contributor Author

phroxvs commented Feb 24, 2017

Hm, for me (with VMware Workstation 12 Pro on Windows 10, 64-bit) vSphereDataProtection-6.1 also worked just fine. I only had to configure the network interface manually. The appliance MD5 hash was 9cd6055b45428ecc9f9e279ca5756a35.

I successfully tested the exploit, too.

@busterb busterb self-assigned this Aug 20, 2017
@busterb
Member

busterb commented Aug 20, 2017

I poked at the private key without the appliance - seemed OK. Gonna call that good enough, since setting up the actual appliance is a pain. Thanks @phroxvs

@tdoan-r7
Contributor

tdoan-r7 commented Aug 30, 2017

Release Notes

An exploit that targets VMware vSphere Data Protection appliances (5.5.x-6.1.x) has been added to the framework. These appliances contain a known SSH private key for the local user admin, and this exploit includes the private key and gets a shell if the SSH port of the appliance is reachable.
