module
VMware vRealize Log Insight Unauthenticated RCE
| Disclosed | Created |
|---|---|
| 01/24/2023 | 09/09/2023 |
Disclosed
01/24/2023
Created
09/09/2023
Description
VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.
This module achieves code execution via triggering a `RemotePakDownloadCommand` command
via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`
thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the
specially crafted PAK archive, which then will place the JSP payload under a certain API
endpoint (pre-authenticated) location upon extraction for gaining remote code execution.
Successfully tested against version 8.0.2.
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.
This module achieves code execution via triggering a `RemotePakDownloadCommand` command
via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`
thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the
specially crafted PAK archive, which then will place the JSP payload under a certain API
endpoint (pre-authenticated) location upon extraction for gaining remote code execution.
Successfully tested against version 8.0.2.
Authors
Horizon3.ai Attack TeamEge BALCI
Platform
Linux,Unix
Architectures
x86, x64
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/vmware_vrli_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.