module
VMware vRealize Operations (vROps) Manager SSRF RCE
| Disclosed | Created |
|---|---|
| 03/30/2021 | 04/27/2021 |
Disclosed
03/30/2021
Created
04/27/2021
Description
This module exploits a pre-auth SSRF (CVE-2021-21975) and post-auth
file write (CVE-2021-21983) in VMware vRealize Operations Manager to
leak admin creds and write/execute a JSP payload.
CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and
CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate
endpoint. Code execution occurs as the "admin" Unix user.
The following vRealize Operations Manager versions are vulnerable:
* 7.0.0
* 7.5.0
* 8.0.0, 8.0.1
* 8.1.0, 8.1.1
* 8.2.0
* 8.3.0
Version 8.3.0 is not exploitable for creds and is therefore not
supported by this module. Tested successfully against 8.0.1, 8.1.0,
8.1.1, and 8.2.0.
file write (CVE-2021-21983) in VMware vRealize Operations Manager to
leak admin creds and write/execute a JSP payload.
CVE-2021-21975 affects the /casa/nodes/thumbprints endpoint, and
CVE-2021-21983 affects the /casa/private/config/slice/ha/certificate
endpoint. Code execution occurs as the "admin" Unix user.
The following vRealize Operations Manager versions are vulnerable:
* 7.0.0
* 7.5.0
* 8.0.0, 8.0.1
* 8.1.0, 8.1.1
* 8.2.0
* 8.3.0
Version 8.3.0 is not exploitable for creds and is therefore not
supported by this module. Tested successfully against 8.0.1, 8.1.0,
8.1.1, and 8.2.0.
Authors
Egor Dimitrenkowvu
Platform
Linux
Architectures
java
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
msf > use exploit/linux/http/vmware_vrops_mgr_ssrf_rce
msf /(e) > show actions
...actions...
msf /(e) > set ACTION < action-name >
msf /(e) > show options
...show and set options...
msf /(e) > run
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.