VMWare vCenter takeover via vCloud Director (CVE-2020-3956).

Researchers at Citadelo disclosed an EL (Expression Language) injection vulnerability that let an authenticated actor submit a specially crafted payload through the API or ordinary web requests, which in turn allowed:

  • privilege escalation — “Organization Administrator” (tenant account) to “System Administrator” (hypervisor)
  • cross-tenancy lateral movement
  • disclosure of sensitive infrastructure information
  • disclosure of passwords and credentials enabling further privilege escalation

Tomas Melicher and Lukas Vaclavik from Citadelo identified this vulnerability in VMware Cloud Director during a penetration test and reported it to the vendor. Once alerted to the situation, VMware created a security advisory for this vulnerability and released new versions of the product with a fix for it. No standalone patch for older versions is currently available. VMware has released a workaround for customers that cannot perform an update at this time.

Following the Citadelo researchers' disclosure, VMware issued a fix and later released a patch to mitigate the problem.

Exploitation details

According to the researchers, this vulnerability could be exploited as follows:

  1. Sign up for a vCloud Director trial account.
  2. Initiate API interaction with the SMTP server settings of vCloud Director and intercept the response via a Burp/ZAP proxy.
  3. In the request sequence, they substituted ${7*7} as the hostname of the SMTP server and observed the response to obtain feedback:
    String value has invalid format, value: [49].
    This clearly indicates that the expression is being evaluated.
  4. They further validated the ability to execute arbitrary Java commands, as described in the blog here.
  5. After several attempts by the team, the final exploit payload successfully achieved EL-based remote command injection:
    ${''.getClass().forName('java.io.BufferedReader').getDeclaredConstructors()[1].newInstance(''.getClass().forName('java.io.InputStreamReader').getDeclaredConstructors()[3].newInstance(''.getClass().forName('java.lang.ProcessBuilder').getDeclaredConstructors()[0].newInstance(['bash','-c','id']).start().getInputStream())).readLine()}

  6. Armed with the ability to execute remote commands, the researchers pivoted to extract sensitive information from *.properties files (found via directory listing). From there, they went on to work out the encryption/decryption scheme [base64(sha512(password+salt))] applied to credentials persisted in the backing vCloud database.
  7. Upon gaining access to the backing database, they initiated a password change on the System Administrator account, thereby escalating from tenancy rights to system rights.
  8. With this, they established full control over all tenants (customers) hosted on the hypervisor.
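The response in step 3 shows the format check ran only after the field had already been evaluated as an expression, which is the defect a defender wants to close. The following example, added here and not code from the researchers or from VMware, shows the two controls that matter: an allow-list hostname validator that rejects anything other than an RFC 1123 hostname before the value reaches any template or expression evaluator, and a scanner that flags the same `${...}` probe syntax in request logs. The log lines, tenant names and endpoint path are constructed for the example and are not real vCloud Director output.

```python
import re

# One RFC 1123 hostname label: letters, digits and hyphens, 1..63 characters,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Expression Language syntax markers: "${...}" or "#{...}".
EL_PATTERN = re.compile(r"[$#]\{[^}]*\}")


def is_valid_smtp_hostname(value: str) -> bool:
    """Allow-list check for a hostname-typed setting such as an SMTP host.

    Anything that is not a plain dotted hostname is rejected outright, so an
    expression like "${7*7}" never reaches code that could evaluate it.
    """
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_LABEL.match(label) for label in value.split("."))


def contains_el_expression(value: str) -> bool:
    """Deny-list check used for detection: does the value carry EL syntax?"""
    return EL_PATTERN.search(value) is not None


# Constructed sample request log (hypothetical format):
# "<timestamp> <tenant> <method> <path> host=<submitted value>"
SAMPLE_LOG = """\
2020-04-01T10:00:01Z org-alpha POST /api/admin/smtp host=mail.example.com
2020-04-01T10:00:07Z org-beta POST /api/admin/smtp host=${7*7}
2020-04-01T10:00:09Z org-beta POST /api/admin/smtp host=${''.getClass()}
2020-04-01T10:01:12Z org-gamma POST /api/admin/smtp host=smtp-relay.internal
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<tenant>\S+) (?P<method>\S+) (?P<path>\S+) host=(?P<host>.*)$"
)


def scan_log(text: str) -> list:
    """Return one finding per request whose host value looks like an EL probe
    or otherwise fails the hostname allow-list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        host = m.group("host")
        if contains_el_expression(host):
            reason = "el-syntax"
        elif not is_valid_smtp_hostname(host):
            reason = "invalid-hostname"
        else:
            continue
        findings.append(
            {"ts": m.group("ts"), "tenant": m.group("tenant"), "host": host, "reason": reason}
        )
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The validator is the fix: it is an allow-list, so it also stops payloads that do not use the `${` spelling. The scanner is the detection: run over historical request logs it surfaces the `${7*7}` style probe that precedes a working payload, attributed to the tenant that sent it, which is the signal worth alerting on in a multi-tenant deployment.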


Timeline

  • 1st April 2020 – Initial report sent to VMware.
  • 3rd April 2020 – VMware successfully reproduced the vulnerability
  • 30th April 2020 – Released vCloud Director 9.7.0.5 and 10.0.0.2 with fixed vulnerability
  • 13th May 2020 – Assigned CVE-2020-3956
  • 19th May 2020 – Released vCloud Director 9.1.0.4 and 9.5.0.6 with fixed vulnerability
  • 19th May 2020 – Published Security Advisory VMSA-2020-0010
  • 2nd June 2020 – Publication of this article on our blog