
VMware vRealize Log Insight Unauthenticated RCE

Disclosed
Jan 24, 2023
Created
Sep 9, 2023

Description

VMware vRealize Log Insight versions v8.x contain multiple vulnerabilities, such as
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.

This module achieves code execution by first obtaining the node token with a
`GetConfigRequest` thrift command and then triggering a `RemotePakDownloadCommand` via the
exposed thrift service. After the download, it triggers a `PakUpgradeCommand` to process the
specially crafted PAK archive. On extraction, the archive places the JSP payload under the
location of a certain pre-authenticated API endpoint, which gives remote code execution.

Successfully tested against version 8.0.2.

Authors

Horizon3.ai Attack Team
Ege BALCI <egebalci@pm.me>

Platform

Linux, Unix

Architectures

x86, x64

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':


msf > use exploit/linux/http/vmware_vrli_rce
msf exploit(vmware_vrli_rce) > show targets
...targets...
msf exploit(vmware_vrli_rce) > set TARGET <target-id>
msf exploit(vmware_vrli_rce) > show options
...show and set options...
msf exploit(vmware_vrli_rce) > exploit
