module
VMware vRealize Log Insight Unauthenticated RCE
| Disclosed |
|---|
| 2023-01-24 |
Disclosed
2023-01-24
Description
VMware vRealize Log Insights versions v8.x contains multiple vulnerabilities, such as
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.
This module achieves code execution via triggering a `RemotePakDownloadCommand` command
via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`
thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the
specially crafted PAK archive, which then will place the JSP payload under a certain API
endpoint (pre-authenticated) location upon extraction for gaining remote code execution.
Successfully tested against version 8.0.2.
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.
This module achieves code execution via triggering a `RemotePakDownloadCommand` command
via the exposed thrift service after obtaining the node token by calling a `GetConfigRequest`
thrift command. After the download, it will trigger a `PakUpgradeCommand` for processing the
specially crafted PAK archive, which then will place the JSP payload under a certain API
endpoint (pre-authenticated) location upon extraction for gaining remote code execution.
Successfully tested against version 8.0.2.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.