| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 01 Oct 2015 15:24:20 +0100 From: David Stubley <david.stubley@...ements.co.uk> To: <fulldisclosure@...lists.org> Subject: [FD] CVE-2015-2342 VMware vCenter Remote Code Execution Link to advisory: https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmw are-vcenter-remote-code-execution/ Advisory Information Title: vCenter Java JMX/RMI Remote Code Execution Date Published: 01/10/2015 CVE: CVE-2015-2342 Advisory Summary VMware vCenter Server provides a centralised platform for managing your VMware vSphere environments so you can automate and deliver a virtual infrastructure. VMware vCenter was found to bind an unauthenticated JMX/RMI service to the network stack. An attacker with access can abuse the configuration to achieve remote code execution, providing SYSTEM level access to the server. Vendor VMware Affected Software VMware ProductVersionPlatform VMware vCenter Server6.0Any VMware vCenter Server5.5Any VMware vCenter Server5.1Any VMware vCenter Server5.0Any Description of Issue VMware¹s vCenter application makes use of Java Virtual Machine (JVM) technology and supports the use of Java Management extensions (JMX), for application and network management and monitoring of the JVM. A JMX agent is setup to allow remote management of the JVM. The JMX agent utilises managed beans MBeans¹ to expose configured interfaces to manage predefined configurations. Any objects that are implemented as an MBean and registered with the agent can be managed from outside the agent¹s Java virtual machine. The JMX service was found to be configured insecurely as it does not require authentication, allowing a user to connect and interact with the service. The JMX service allows users to call the ³javax.management.loading.MLet² function, which permits the loading of an MBean from a remote URL. An attacker can set up their remote Web Service to host an MLet (text file) that points to a malicious JAR file. When the JMX service registers the MLet file, the agent will initiate the URL to the remote JAR and execute the methods leading to code execution. Ref http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet.h tml <http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet. html> Additional Information Wider exploit development has already been undertaken against other vendors utilising JMX/RMI deployments and therefore, publicly available exploit code already exists that can be used in combination with Metasploit to gain a remote Meterpreter shell as SYSTEM. Ref https://github.com/mogwaisec/mjet <https://github.com/mogwaisec/mjet> Ref http://www.accuvant.com/blog/exploiting-jmx-rmi <http://www.accuvant.com/blog/exploiting-jmx-rmi> Ref https://www.exploit-db.com/exploits/36101/ <https://www.exploit-db.com/exploits/36101/> PoC For a proof of concept and further discussion, please see our blog <http://www.7elements.co.uk/resources/blog/cve-2015-2342-remote-code-executi on-within-vmware-vcenter/> on this issue. Timeline Reported 27th February 2015 Accepted 21st April 2015 First Fix 10th September 2015 Retrospective Fix 1st October 2015 Advisory Published 1st October 2015 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists