1. Vulnerability introduction
vSphere is VMware's virtualization platform suite, comprising products such as ESXi and vCenter Server. vCenter Server is the control center for ESXi: it manages all vSphere hosts and virtual machines in a data center from a single control point.
On February 24, 2021, VMware published a vCenter Server security update fixing a remote code execution vulnerability (CVE-2021-21972) in the vRealize Operations (vROps) plug-in of the vSphere Client (HTML5). The plug-in exposes an endpoint that does not require authentication, so an unauthenticated attacker with network access to port 443 of vCenter Server can send crafted requests to it, upload a webshell, and take control of the server.
2. Affected versions
- vmware:vcenter_server 7.0, versions before 7.0 U1c
- vmware:vcenter_server 6.7, versions before 6.7 U3l
- vmware:vcenter_server 6.5, versions before 6.5 U3n
3. Vulnerability reproduction
1. Building the vulnerable environment
The setup is fairly involved and is not reproduced here; see https://www.o2oxy.cn/3127.html (it is written in detail, but expect a number of problems during installation).
After startup the environment looks like the following (screenshot not reproduced).
2. Vulnerability exploitation
The vulnerable endpoint is:
https://ip/ui/vropspluginui/rest/services/updateova
Request this URL with a plain GET. If the server answers HTTP 405 (Method Not Allowed), the plug-in endpoint is reachable without authentication and the host is likely vulnerable. Note that this is only a reachability check: 405 shows that the path exists and rejects GET, it does not prove that the upload itself succeeds.
FOFA fingerprint for exposed vCenter instances: title="+ ID_VC_Welcome +"
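The check above is what an attacker runs against you, so the defensive counterpart is to look for it. The following is an added example, not code from the original post: it scans access-log lines from a reverse proxy or WAF in front of vCenter's port 443 (an assumption; vCenter itself does not write this format) for requests to the vROps plug-in endpoint, separates unauthenticated GET probes like the POC's from any other method, which is a request the endpoint may actually act on, and ranks source IPs for triage. The log lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Endpoint prefix of the vulnerable vROps plug-in, taken from the page.
VROPS_PREFIX = "/ui/vropspluginui/rest/services/"

# Apache/nginx "combined" access-log line, as written by a reverse proxy or
# WAF in front of vCenter's port 443 (assumption: such a log exists; vCenter
# itself does not write this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    kind: str  # "probe" (GET, as in the POC) or "upload-attempt" (any other method)


def scan_log(lines):
    """Return a Finding for every request to the vROps plug-in endpoint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line; skip rather than crash
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if not path.startswith(VROPS_PREFIX):
            continue
        # The POC's GET is only a reachability probe (the endpoint answers 405).
        # Anything else is a request the endpoint may actually process.
        kind = "probe" if m["method"] == "GET" else "upload-attempt"
        findings.append(Finding(m["ip"], m["ts"], m["method"], path,
                                int(m["status"]), kind))
    return findings


def summarize(findings):
    """Map each source IP to the set of activity kinds seen from it."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f.ip, set()).add(f.kind)
    return per_ip


def priority_sources(findings):
    """IPs that went beyond probing: these need triage first."""
    return sorted(ip for ip, kinds in summarize(findings).items()
                  if "upload-attempt" in kinds)


# Constructed sample log (not real traffic): an internal host logging in, an
# external scanner probing the endpoint and then posting to it, and an internal
# host that only probed.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/login HTTP/1.1" 200 1523',
    '203.0.113.7 - - [24/Feb/2021:10:01:09 +0000] "GET /ui/vropspluginui/rest/services/updateova HTTP/1.1" 405 0',
    '203.0.113.7 - - [24/Feb/2021:10:01:11 +0000] "POST /ui/vropspluginui/rest/services/updateova HTTP/1.1" 200 12',
    '10.0.0.5 - - [24/Feb/2021:10:02:30 +0000] "GET /ui/vropspluginui/rest/services/updateova?x=1 HTTP/1.1" 405 0',
    'this line is not in combined log format',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} [{h.kind}]")
    print("triage first:", priority_sources(hits))
```

A single 405 from an internal address is usually a scanner or an admin running the POC; a source that probes and then sends a non-GET request to the same path is the one to pull full packet captures and vCenter file-system changes for.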
4. Remediation
Upgrade to a fixed version:
- vCenter Server 7.0: upgrade to 7.0 U1c
- vCenter Server 6.7: upgrade to 6.7 U3l
- vCenter Server 6.5: upgrade to 6.5 U3n
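When checking an inventory against the list above, the trap is the patch letter: "7.0 U1" is still older than "7.0 U1c". The following added example (not part of the original post) compares versions written in the advisory's "major.minor Ux" notation against the first fixed level of each branch. It assumes versions are reported in that notation; real inventories often report build numbers instead, which this does not handle.

```python
import re

# First fixed release per branch, as listed in the remediation section:
# branch -> (update number, patch letter).
FIXED = {
    "7.0": (1, "c"),  # 7.0 U1c
    "6.7": (3, "l"),  # 6.7 U3l
    "6.5": (3, "n"),  # 6.5 U3n
}

# Accepts "7.0", "7.0 U1", "7.0 U1c", "6.7U3l" (spacing and letter optional).
VERSION_RE = re.compile(r"^\s*(\d+\.\d+)\s*(?:U(\d+)([a-z])?)?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (branch, update, letter) for a vCenter version string.

    A base release such as "6.7" has update 0 and an empty letter, which sorts
    below every lettered update of the same branch.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised vCenter version: {text!r}")
    branch, update, letter = m.group(1), m.group(2), m.group(3)
    return branch, int(update or 0), (letter or "").lower()


def is_patched(text):
    """True if at or past the fixed level for its branch, False if older,
    None if the branch is not one the advisory lists."""
    branch, update, letter = parse_version(text)
    fixed = FIXED.get(branch)
    if fixed is None:
        return None  # e.g. 6.0: outside the advisory's scope, check separately
    # Tuple comparison: update number first, then patch letter, so
    # (1, "") for "7.0 U1" is below (1, "c") for "7.0 U1c".
    return (update, letter) >= fixed


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    for v in ["7.0 U1", "7.0 U1c", "6.7 U3k", "6.7 U3l", "6.5 U2", "6.5 U3n", "6.0 U3"]:
        print(f"{v:10} patched={is_patched(v)}")
```

Treat a None result as "unknown", not "safe": a branch the advisory does not list still needs to be checked against VMware's own support status.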
5. Vulnerability POC
import argparse
import sys

import requests
import urllib3

# The target uses a self-signed certificate; verify=False below, so silence the warning.
urllib3.disable_warnings()


def parse_target():
    """Read the target base URL from the command line and normalise it."""
    parser = argparse.ArgumentParser(
        description='vCenter 6.5-7.0 RCE reproduction (CVE-2021-21972) POC')
    parser.add_argument('target_url', type=str,
                        help='The target address, example: https://192.168.140.153:4445')
    args = parser.parse_args()
    target = args.target_url
    if not (target.startswith('http://') or target.startswith('https://')):
        print('[-] Please include http:// or https:// in the URL!!')
        sys.exit(1)
    target = target.rstrip('/')
    print('[+] author: chenchen')
    print('[-] Target address:', target)
    print('[-] Running vulnerability check...')
    return target


def poc(target):
    """Unauthenticated GET to the vROps plug-in endpoint; 405 is the indicator."""
    headers = {
        'User-Agent': 'Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.75 Mobile Safari/537.36',
        'Content-Type': 'application/x-www-form-urlencoded',
    }
    url_v = target + '/ui/vropspluginui/rest/services/updateova'
    try:
        code = requests.get(url=url_v, headers=headers, timeout=4, verify=False).status_code
        print('status_code:', code)
        if code == 405:
            print('[+] Vulnerability present')
        else:
            print('[-] Vulnerability not present')
    except requests.RequestException as e:
        print('[-] Error:', e)


if __name__ == '__main__':
    poc(parse_target())
—— If the heart has no place to settle, it is wandering wherever it goes.