
VMware vRealize Log Insight Unauthenticated RCE

Disclosed
2023-01-24
Created
2023-09-09

Description

VMware vRealize Log Insight versions 8.x contain multiple vulnerabilities, such as
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.

This module achieves code execution by triggering a `RemotePakDownloadCommand` command
through the exposed Thrift service, after first obtaining the node token with a `GetConfigRequest`
Thrift command. Once the download completes, it triggers a `PakUpgradeCommand` to process the
specially crafted PAK archive. On extraction, the archive places the JSP payload under a
pre-authenticated API endpoint location, which yields remote code execution.

Successfully tested against version 8.0.2.

Authors

Horizon3.ai Attack Team
Ege BALCI egebalci@pm.me

Platform

Linux, Unix

Architectures

x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/http/vmware_vrli_rce
msf exploit(vmware_vrli_rce) > show targets
...targets...
msf exploit(vmware_vrli_rce) > set TARGET < target-id >
msf exploit(vmware_vrli_rce) > show options
...show and set options...
msf exploit(vmware_vrli_rce) > exploit
