[Vulnerability reproduction] VMware vCenter unauthenticated arbitrary file upload RCE (CVE-2021-21972)

0x00 VMware vCenter information

vSphere is VMware's virtualization platform suite; it includes ESXi, vCenter Server and a number of other products. vCenter Server is the control center for ESXi: it manages every vSphere host and virtual machine in the data center from a single control point, giving IT administrators more control, simplifying routine tasks, and reducing the complexity and cost of managing the IT environment.

A plug-in shipped with the vSphere Client (HTML5) in vCenter Server contains a remote code execution vulnerability. An unauthenticated attacker who can reach the open 443 port of vCenter Server can send a crafted request that writes a webshell onto the server, which leads to remote arbitrary code execution.

FOFA query

Syntax:

title="+ ID_VC_Welcome +"

app="vmware-ESX" || app="vmware-VirtualCenter" || app="vmware-vCenter"

0x01 Affected versions

  • vCenter Server 7.0 before 7.0 U1c
  • vCenter Server 6.7 before 6.7 U3l
  • vCenter Server 6.5 before 6.5 U3n

0x02 Code analysis

The API of the vROPS plug-in in vCenter Server is not authenticated, and it exposes several sensitive interfaces. The uploadova interface provides an OVA file upload function (the request is a multipart POST whose file part is named uploadFile):

   @RequestMapping(
      value = {"/uploadova"},
      method = {RequestMethod.POST}
   )
   public void uploadOvaFile(@RequestParam(value = "uploadFile",required = true) CommonsMultipartFile uploadFile, HttpServletResponse response) throws Exception {
      logger.info("Entering uploadOvaFile api");
      int code = uploadFile.isEmpty() ? 400 : 200;
      PrintWriter wr = null;
      try {
         if (code != 200) {
            response.sendError(code, "Arguments Missing");
            return;
         }
         wr = response.getWriter();
      } catch (IOException var14) {
         var14.printStackTrace();
         logger.info("upload Ova Controller Ended With Error");
      }
      response.setStatus(code);
      String returnStatus = "SUCCESS";
      if (!uploadFile.isEmpty()) {
         try {
            logger.info("Downloading OVA file has been started");
            logger.info("Size of the file received  : " + uploadFile.getSize());
            InputStream inputStream = uploadFile.getInputStream();
            File dir = new File("/tmp/unicorn_ova_dir");
            if (!dir.exists()) {
               dir.mkdirs();
            } else {
               String[] entries = dir.list();
               String[] var9 = entries;
               int var10 = entries.length;
               for(int var11 = 0; var11 < var10; ++var11) {
                  String entry = var9[var11];
                  File currentFile = new File(dir.getPath(), entry);
                  currentFile.delete();
               }
               logger.info("Successfully cleaned : /tmp/unicorn_ova_dir");
            }
            TarArchiveInputStream in = new TarArchiveInputStream(inputStream);
            TarArchiveEntry entry = in.getNextTarEntry();
            ArrayList result = new ArrayList();
            while(entry != null) {
               if (entry.isDirectory()) {
                  entry = in.getNextTarEntry();
               } else {
                  // entry.getName() comes straight from the attacker-controlled archive;
                  // a name containing "../" resolves to a path outside /tmp/unicorn_ova_dir
                  File curfile = new File("/tmp/unicorn_ova_dir", entry.getName());
                  File parent = curfile.getParentFile();
                  if (!parent.exists()) {
                     parent.mkdirs();   // creates any intermediate directories along the traversed path
                  }
                  OutputStream out = new FileOutputStream(curfile);   // attacker content lands at that path
                  IOUtils.copy(in, out);
                  out.close();
                  result.add(entry.getName());
                  entry = in.getNextTarEntry();
               }
            }
            in.close();
            logger.info("Successfully deployed File at Location :/tmp/unicorn_ova_dir");
         } catch (Exception var15) {
            logger.error("Unable to upload OVA file :" + var15);
            returnStatus = "FAILED";
         }
      }
      wr.write(returnStatus);
      wr.flush();
      wr.close();
   }

The code extracts the uploaded file as a TAR archive into the /tmp/unicorn_ova_dir directory. Note the following code:

                while(entry != null) {
                    if (entry.isDirectory()) {
                        entry = in.getNextTarEntry();
                    } else {
                        File curfile = new File("/tmp/unicorn_ova_dir", entry.getName());
                        File parent = curfile.getParentFile();
                        if (!parent.exists()) {
                            parent.mkdirs();

The name of each TAR entry is concatenated directly onto /tmp/unicorn_ova_dir and the entry is written to that path. Nothing normalizes or validates the name, so if it contains ../ the write escapes the extraction directory (directory traversal), and an attacker can drop a file such as a JSP webshell into any location the vCenter service account can write to.
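The traversal primitive above, reproduced and then closed, as an added example that is not code from the original post or from VMware: the script builds a TAR whose single entry is named ../webroot/shell.jsp (a constructed name; the sibling directory webroot and the file contents are placeholders standing in for a web-served path on the appliance), runs it through an extractor that joins the raw entry name onto the target directory exactly as uploadOvaFile does, and then through a hardened extractor that resolves the final path and rejects anything that does not stay under the extraction root. The temporary directory stands in for /tmp/unicorn_ova_dir.

```python
import io
import os
import tarfile
import tempfile
from pathlib import Path


def build_traversal_tar(entry_name: str, payload: bytes) -> bytes:
    """Build an in-memory TAR with one regular file entry named entry_name.

    tarfile does not sanitize names on write, so "../" survives into the
    archive exactly as an attacker would craft it.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name=entry_name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def extract_vulnerable(tar_bytes: bytes, dest: Path) -> list:
    """Mirror uploadOvaFile: new File(dir, entry.getName()) with no checks."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if member.isdir():
                continue
            # Raw join, same as the Java code: "../" is kept and the kernel
            # resolves it, so the file is created outside dest.
            target = Path(os.path.join(str(dest), member.name))
            target.parent.mkdir(parents=True, exist_ok=True)   # parent.mkdirs()
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target))
    return written


def extract_hardened(tar_bytes: bytes, dest: Path) -> list:
    """Same extraction, but every final path must stay under the resolved root."""
    root = dest.resolve()
    written = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():          # also drops symlinks, devices, hard links
                continue
            target = (root / member.name).resolve()
            # An absolute name replaces root in the join; a "../" name climbs
            # out of it. Both fail this containment check.
            if target != root and root not in target.parents:
                raise ValueError(f"path traversal rejected: {member.name!r}")
            target.parent.mkdir(parents=True, exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target.relative_to(root)))
    return written


def demo() -> dict:
    """Run both extractors against a constructed traversal TAR in a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        ova_dir = base / "unicorn_ova_dir"   # stands in for /tmp/unicorn_ova_dir
        ova_dir.mkdir()
        # Constructed malicious archive: the entry climbs one level up into a
        # sibling "webroot" directory (hypothetical layout, placeholder content).
        evil = build_traversal_tar("../webroot/shell.jsp", b"<% /* placeholder */ %>")
        benign = build_traversal_tar("vm.ovf", b"<Envelope/>")

        vuln_paths = extract_vulnerable(evil, ova_dir)
        escaped = (base / "webroot" / "shell.jsp").is_file()

        try:
            extract_hardened(evil, ova_dir)
            rejected = False
        except ValueError:
            rejected = True

        return {
            "vulnerable_paths": vuln_paths,
            "vulnerable_wrote_outside": escaped,
            "hardened_rejected": rejected,
            "hardened_benign": extract_hardened(benign, ova_dir),
        }


if __name__ == "__main__":
    print(demo())
```

The containment check compares resolved paths rather than string prefixes, which is what the original handler lacks: a prefix test on the unresolved string would still let /tmp/unicorn_ova_dir/../webroot/shell.jsp through. Skipping non-regular entries matters too, because a symlink entry extracted first would let a later entry write through it.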

0x03 Vulnerability reproduction

PoC code (by Sp4ce): https://github.com/NS-Sp4ce/CVE-2021-21972

0x04 Remediation

  • Upgrade vCenter Server 7.0 to 7.0 U1c
  • Upgrade vCenter Server 6.7 to 6.7 U3l
  • Upgrade vCenter Server 6.5 to 6.5 U3n

Please credit: Adminxe's Blog » [Vulnerability Reproduction] VMware vCenter unauthenticated arbitrary file upload RCE

Origin blog.csdn.net/Adminxe/article/details/114242269