How to hack VMware vCenter server in 60 seconds - ERPScan
Invest in security to secure investments
How to hack VMware vCenter server in 60 seconds
Alexander Minozhenko
#whoami
• Pen-tester at ERPScan
• Researcher
• DCG#7812 / ZeroNights
• CTF
• Thanks for ideas and support to Alexey Sintsov
2
Target
3
VMware vCenter Server
• VMware vCenter Server is a solution to manage VMware vSphere
• vSphere – virtualization operating system
4
Target
• VMware vCenter version 4.1 update 1
• Services:
– Update Manager
– vCenter Orchestrator
– Chargeback
– Other
• Each service has a web server
5
CVE-2009-1523
• Directory traversal in Jetty web server
• http://target:9084/vci/download/health.xml/%3f/../../../../FILE
• Discovered by Claudio Criscione
• But fixed in VMware Update Manager 4.1 update 1 :(
• Who wants to pay me for 0-days?
• A pen-tester is not a researcher?
6
Directory traversal… again?
• Directory traversal in Jetty web server
• http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r
7
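The second traversal works because the fix for the first only looked for the forward-slash form while the encoded backslash (%5C) form still walked out of the handler's directory. The detector below is an added example, not part of the deck: it decodes each request path, treats backslashes like slashes and counts how far the path climbs above the /vci/download/ mount point, over constructed access-log lines that use the two URLs from the slides.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not from any real vCenter log).
# Request paths are a benign one plus the two traversal forms shown on the slides.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2011:10:00:01 +0000] "GET /vci/download/health.xml HTTP/1.1" 200 512
10.0.0.5 - - [12/Oct/2011:10:00:02 +0000] "GET /vci/download/health.xml/%3f/../../../../FILE HTTP/1.1" 404 0
10.0.0.5 - - [12/Oct/2011:10:00:03 +0000] "GET /vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\\FILE.EXT HTTP/1.1" 200 2048
"""

MOUNT = "/vci/download/"  # Update Manager handler prefix from the slides

def fully_decode(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are also seen."""
    s = raw
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def naive_blocks(raw_path):
    """A filter that only rejects the literal '/../' form; misses the %5C variant."""
    return "/../" in raw_path

def escapes_mount(raw_path, mount=MOUNT):
    """True if, after decoding and mapping '\\' to '/', the path climbs above the mount dir."""
    path = fully_decode(raw_path).replace("\\", "/")
    if not path.startswith(mount):
        return False
    depth = 0
    for seg in path[len(mount):].split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def flag_traversal(log_text):
    """Return normalized paths of requests that escape the mount directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and escapes_mount(m.group("path")):
            hits.append(fully_decode(m.group("path")).replace("\\", "/"))
    return hits

if __name__ == "__main__":
    for p in flag_traversal(SAMPLE_LOG):
        print("traversal:", p)
```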
Directory traversal
• We can read any file! But what file to read?
• Claudio Criscione proposed to read vpxd-profiler-*:
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
• Contains logs of SOAP requests with session ID
• VASTO http://vasto.nibblesec.org/
Sorry, patched in 4.1!
8
Fixed?
• Fixed in version 4.1 update 1
• Contains IP addresses
9
Attack
• Make an ARP poisoning attack
• Spoof the SSL certificate
10
Attack
• Administrators check the SSL cert
11
Attack
• Steal SSL key via directory traversal:
http://target:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt traffic with the stolen SSL key
• What if ARP spoofing does not work?
12
VMware vCenter Orchestrator
• VMware vCO – software for automatic configuration and management
• Installed by default with vCenter
• Has an interesting file:
C:\Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties
13
VMware vCenter Orchestrator
• Which contains MD5 passwords without salt
• Can easily be bruteforced using rainbow tables
14
We get in
15
Plain text passwords
16
VMware vCenter Orchestrator
• vCO stored passwords in the following files:
• C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\plugins\VC.xml
• C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\vmo.properties
17
VC.xml
Password encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b
vmware
00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079
vcenter
• Red bytes look like length
• Green bytes are in ASCII range
• Black bytes look random
19
The algorithm of password encoding
20
Password decoder
21
VMSA-2011-0005
• VMware vCenter Orchestrator uses Struts2 version 2.11, discovered by Digital Defense, Inc
• CVE-2010-1870 Struts2/XWork remote command execution, discovered by Meder Kydyraliev
• Fixed in 4.2
22
Example exploit
23
Tool
• Paleolib – a tool which looks for old and vulnerable third-party components
• Gets library name, vendor name and version from the manifest file or resource section
• Searches the CVE database
• http://www.github.com
24
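The core of the Paleolib approach, as an added example that is not Paleolib's own code: read the Implementation-* headers from a JAR manifest (joining the continuation lines the manifest format uses) and compare the version against an advisory table. The manifest text and the "fixed in 2.2.1" entry for CVE-2010-1870 are constructed for illustration; check the vendor advisory for the real affected range.

```python
import re

# Constructed MANIFEST.MF content (not from any real vCO jar).
# The line starting with a space is a continuation line per the JAR manifest format.
SAMPLE_MANIFEST = """\
Manifest-Version: 1.0
Implementation-Title: Struts 2 Core
Implementation-Vendor: Apache Soft
 ware Foundation
Implementation-Version: 2.1.8
Built-By: example
"""

# Constructed advisory table: title substring -> (CVE, first fixed version).
# The range for CVE-2010-1870 is illustrative only.
KNOWN_VULNERABLE = {
    "struts 2": ("CVE-2010-1870", (2, 2, 1)),
}

def parse_manifest(text):
    """Parse manifest headers into a dict; continuation lines are appended to the previous value."""
    headers, last = {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:
            headers[last] += raw[1:]
        elif ":" in raw:
            name, _, value = raw.partition(":")
            last = name.strip()
            headers[last] = value.strip()
    return headers

def parse_version(s):
    """'2.1.8' -> (2, 1, 8); tuples compare correctly component by component."""
    return tuple(int(x) for x in re.findall(r"\d+", s))

def find_vulnerable(manifest_text):
    """Return (title, version, cve) for each component older than its fixed version."""
    h = parse_manifest(manifest_text)
    title = h.get("Implementation-Title", "")
    version = h.get("Implementation-Version", "0")
    findings = []
    for key, (cve, fixed_in) in KNOWN_VULNERABLE.items():
        if key in title.lower() and parse_version(version) < fixed_in:
            findings.append((title, version, cve))
    return findings

if __name__ == "__main__":
    for title, version, cve in find_vulnerable(SAMPLE_MANIFEST):
        print(f"{title} {version}: {cve}")
```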
Attack vectors
• Directory traversal + ARP poisoning
• Directory traversal + password decoding/bruteforcing
• Remote code execution using the Struts2 bug
• Other bugs in VMware vCenter infrastructure products: Operation Management Suite, CapaciteIQ, Configuration Management etc.
25
Hardening
• Update to latest version 4.2 update 4 or 5
• Filter administration services
• VMware KB 2021259
• VMware vSphere Security Hardening Guide
26
Conclusion
• Fixed bugs are not always fixed properly
• A pen-tester will get more profit if he tries to research something
• A few simple bugs and we can own all the infrastructure
27
Thank you!
a.minozhenko@dsec.ru
@al3xmin
28