
Comments (5)

NS-Sp4ce avatar NS-Sp4ce commented on June 20, 2024

Hello,
I found an interesting thing: the folder 'global' will be regenerated when vCenter Server restarts (e.g. before the restart, the path looks like /path/to/vmware-vsphere-ui/server/work/deployer/s/global/41/0/h5ngc.war/resources/, but after vCenter Server has restarted, the path is /path/to/vmware-vsphere-ui/server/work/deployer/s/global/RANDOM_NUMBER/0/h5ngc.war/resources/), so I will use ptsecurity's path to rewrite the Windows payload; for Linux, because of the permission reason, I found another way to write a webshell, give me a little time.

from cve-2021-21972.

NS-Sp4ce avatar NS-Sp4ce commented on June 20, 2024

After 6.7 U3g, the path /path/to/vmware-vsphere-ui/server/work/deployer/ has been removed; I will try to find another way to upload a jsp file.


gelim avatar gelim commented on June 20, 2024

Thanks for the confirmation. Oh, and I just saw that PT finally published their full research now: https://swarm.ptsecurity.com/unauth-rce-vmware/
So okay, for Linux there is no easy way to get JSP auto-deployment, but for a serious actor, having vsphere-ui write privileges on the server is enough for RCE, without this webshell auto-deployment thing anyway, as there are several moving parts using code with vsphere-ui write allowed (like /usr/lib/vmware-vsphere-ui/server/bin/*).


NS-Sp4ce avatar NS-Sp4ce commented on June 20, 2024

After about 8 hours of testing, I think we can rewrite the /usr/lib/vmware-vsphere-ui/server/static/resources/ js files to steal the administrator's cookie.

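The comment above points at static JS files that the vsphere-ui account can overwrite. From the defender's side, the practical control is file-integrity monitoring of that directory against a known-good baseline. The following is an added example, not code from the thread or from VMware; it baselines a constructed temporary tree standing in for /usr/lib/vmware-vsphere-ui/server/static/resources/ and reports modified, added and removed files.

```python
"""Added example (not part of the thread): SHA-256 baseline and diff for a
static-resources directory, the check one would run against
/usr/lib/vmware-vsphere-ui/server/static/resources/ using a baseline taken
from a known-good appliance image.  The tree used here is constructed."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map relative POSIX path -> sha256 hex digest of every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # a link swapped in for a shipped file surfaces as 'removed'
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Return (modified, added, removed) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo():
    """Constructed scenario: one shipped JS bundle is altered, one new script appears."""
    with tempfile.TemporaryDirectory() as root:
        js_dir = os.path.join(root, "js")
        os.makedirs(js_dir)
        with open(os.path.join(js_dir, "app.js"), "w") as fh:
            fh.write("window.app = {};\n")
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html></html>\n")
        baseline = snapshot(root)  # taken from the known-good state

        # Simulated tampering after the baseline was recorded.
        with open(os.path.join(js_dir, "app.js"), "a") as fh:
            fh.write("// appended content\n")
        with open(os.path.join(js_dir, "extra.js"), "w") as fh:
            fh.write("\n")
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())  # -> (['js/app.js'], ['js/extra.js'], [])
```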

NS-Sp4ce avatar NS-Sp4ce commented on June 20, 2024

I found some interesting code in /usr/lib/vmware-vsphere-ui/server/bootstrap/server-launcher.jar. The function of this file is to start the vsphere-ui service, but after the startup is complete, the file calls the com.vmware.vise.launcher.tomcat.TomcatLauncher method to delete the website deployment directory.

public final class TomcatLauncher
{
    private static final String VECS_KEYSTORE_TYPE = "VKS";
    private static final String MACHINE_SSL_CERT = "MACHINE_SSL_CERT";
    private static final String VECS_LOAD_STORE_PARAM_TYPE = "com.vmware.provider.VecsLoadStoreParameter";
    private static final String FILE_SEPARATOR;
    private static final String SYSPROP_COMPONENT_NAME = "ui.component.name";
    private static final String DEFAULT_COMPONENT_NAME = "vsphere-ui";
    private static final String CLIENT_APP_DATA_FOLDER;
    private static final String DEST_KEYSTORE_NAME = "keystore.jks";
    private static final String PASSWORD;
    private static final String TOMCAT_DIR = "catalina.base";
    private static final String CONFIG_DIR;

    public static void main(final String[] args) {
        loadKeystore();
        deleteWorkDirectory(); // <- NOTE HERE!
        createJavaTempDir();
        Bootstrap.main(args);
    }
    ..................................
    // Removes ${catalina.base}/work, i.e. the deployer working directory.
    private static void deleteWorkDirectory() {
        final File workDir = new File(System.getProperty("catalina.base") + "/work");
        if (!workDir.exists()) {
            return;
        }
        try {
            deleteDirectoryRecur(workDir);
        }
        catch (IOException e) {
            throw new RuntimeException("Cannot clean work dir", e);
        }
    }
    ......................................
    // Symlinks are unlinked rather than followed, so the recursion cannot
    // escape the work directory through a link.
    private static void deleteDirectoryRecur(final File directory) throws IOException {
        final File[] contents = directory.listFiles(); // null for a regular file
        if (contents != null) {
            for (final File f : contents) {
                if (isSymlink(f)) {
                    f.delete();
                }
                else {
                    deleteDirectoryRecur(f);
                }
            }
        }
        directory.delete();
    }

    // Canonicalises only the parent, then compares the canonical and absolute
    // forms of the result: they differ exactly when the last component is a link.
    private static boolean isSymlink(final File file) throws IOException {
        if (file == null) {
            throw new NullPointerException("File must not be null");
        }
        File canon;
        if (file.getParent() == null) {
            canon = file;
        }
        else {
            final File canonDir = file.getParentFile().getCanonicalFile();
            canon = new File(canonDir, file.getName());
        }
        return !canon.getCanonicalFile().equals(canon.getAbsoluteFile());
    }

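The decompiled deleteDirectoryRecur/isSymlink pair above has a property worth making explicit: a symlink inside the work directory is unlinked, never descended into, so a link pointing outside the tree cannot turn the startup cleanup into deletion elsewhere. The following Python re-implementation is an added example (not VMware's code) that mirrors the Java logic and exercises it on a constructed temporary tree with an escaping link.

```python
"""Added example (not the project's code): Python mirror of the Java
TomcatLauncher.deleteDirectoryRecur / isSymlink logic, run against a
constructed temp tree to show that a symlink to an outside directory is
removed as a link and its target is left untouched."""
import os
import tempfile


def is_symlink(path):
    """Mirror of Java isSymlink: canonicalise the parent only, then compare the
    canonical form of <canonical parent>/<name> with its absolute form."""
    parent = os.path.dirname(path)
    canon = path if not parent else os.path.join(os.path.realpath(parent), os.path.basename(path))
    return os.path.realpath(canon) != os.path.abspath(canon)


def delete_directory_recur(directory):
    """Delete `directory` and everything below it; links are unlinked, not traversed.
    (Java's listFiles() returns null for a plain file; here files are unlinked directly.)"""
    for name in os.listdir(directory):
        entry = os.path.join(directory, name)
        if is_symlink(entry) or not os.path.isdir(entry):
            os.unlink(entry)
        else:
            delete_directory_recur(entry)
    os.rmdir(directory)


def demo():
    """Constructed layout:
         outside/secret.txt                      <- must survive
         work/keep.txt, work/sub/a.txt, work/escape -> outside
    Returns (work_still_exists, secret_still_exists)."""
    with tempfile.TemporaryDirectory() as root:
        outside = os.path.join(root, "outside")
        work = os.path.join(root, "work")
        os.makedirs(os.path.join(work, "sub"))
        os.makedirs(outside)
        secret = os.path.join(outside, "secret.txt")
        for p in (secret, os.path.join(work, "keep.txt"), os.path.join(work, "sub", "a.txt")):
            with open(p, "w") as fh:
                fh.write("data\n")
        os.symlink(outside, os.path.join(work, "escape"))  # link escaping the work dir
        delete_directory_recur(work)
        return os.path.exists(work), os.path.exists(secret)


if __name__ == "__main__":
    print(demo())  # -> (False, True)
```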
