module
VMware vCenter Server Unauthenticated OVA File Upload RCE
| Disclosed | Created |
|---|---|
| 2021-02-23 | 2021-03-08 |
Disclosed
2021-02-23
Created
2021-03-08
Description
This module exploits an unauthenticated OVA file upload and path
traversal in VMware vCenter Server to write a JSP payload to a
web-accessible directory.
Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
user's non-existent password expires 90 days after install, rendering
the technique nearly useless against production environments.
You'll have the best luck targeting older versions of the Linux
appliance. The Windows target should work ubiquitously.
traversal in VMware vCenter Server to write a JSP payload to a
web-accessible directory.
Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
user's non-existent password expires 90 days after install, rendering
the technique nearly useless against production environments.
You'll have the best luck targeting older versions of the Linux
appliance. The Windows target should work ubiquitously.
Authors
Mikhail Klyuchnikov
wvu wvu@metasploit.com
mr_me
Viss
wvu wvu@metasploit.com
mr_me
Viss
Platform
Linux,Windows
Architectures
java
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.