[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D2330097.4716C%david.stubley@7elements.co.uk>
Date: Thu, 01 Oct 2015 15:24:20 +0100
From: David Stubley <david.stubley@...ements.co.uk>
To: <fulldisclosure@...lists.org>
Subject: [FD] CVE-2015-2342 VMware vCenter Remote Code Execution
Link to advisory:
https://www.7elements.co.uk/resources/technical-advisories/cve-2015-2342-vmw
are-vcenter-remote-code-execution/
Advisory Information
Title: vCenter Java JMX/RMI Remote Code Execution
Date Published: 01/10/2015
CVE: CVE-2015-2342
Advisory Summary
VMware vCenter Server provides a centralised platform for managing your
VMware vSphere environments so you can automate and deliver a virtual
infrastructure. VMware vCenter was found to bind an unauthenticated JMX/RMI
service to the network stack. An attacker with access can abuse the
configuration to achieve remote code execution, providing SYSTEM level
access to the server.
Vendor
VMware
Affected Software
VMware ProductVersionPlatform
VMware vCenter Server6.0Any
VMware vCenter Server5.5Any
VMware vCenter Server5.1Any
VMware vCenter Server5.0Any
Description of Issue
VMware¹s vCenter application makes use of Java Virtual Machine (JVM)
technology and supports the use of Java Management extensions (JMX), for
application and network management and monitoring of the JVM. A JMX agent is
setup to allow remote management of the JVM. The JMX agent utilises managed
beans MBeans¹ to expose configured interfaces to manage predefined
configurations. Any objects that are implemented as an MBean and registered
with the agent can be managed from outside the agent¹s Java virtual machine.
The JMX service was found to be configured insecurely as it does not require
authentication, allowing a user to connect and interact with the service.
The JMX service allows users to call the ³javax.management.loading.MLet²
function, which permits the loading of an MBean from a remote URL. An
attacker can set up their remote Web Service to host an MLet (text file)
that points to a malicious JAR file. When the JMX service registers the MLet
file, the agent will initiate the URL to the remote JAR and execute the
methods leading to code execution.
Ref
http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet.h
tml
<http://docs.oracle.com/javase/1.5.0/docs/api/javax/management/loading/MLet.
html>
Additional Information
Wider exploit development has already been undertaken against other vendors
utilising JMX/RMI deployments and therefore, publicly available exploit code
already exists that can be used in combination with Metasploit to gain a
remote Meterpreter shell as SYSTEM.
Ref https://github.com/mogwaisec/mjet <https://github.com/mogwaisec/mjet>
Ref http://www.accuvant.com/blog/exploiting-jmx-rmi
<http://www.accuvant.com/blog/exploiting-jmx-rmi>
Ref https://www.exploit-db.com/exploits/36101/
<https://www.exploit-db.com/exploits/36101/>
PoC
For a proof of concept and further discussion, please see our blog
<http://www.7elements.co.uk/resources/blog/cve-2015-2342-remote-code-executi
on-within-vmware-vcenter/> on this issue.
Timeline
Reported 27th February 2015
Accepted 21st April 2015
First Fix 10th September 2015
Retrospective Fix 1st October 2015
Advisory Published 1st October 2015
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists