module
VMware vCenter Server Unauthenticated OVA File Upload RCE
| Disclosed |
|---|
| Feb 23, 2021 |
Disclosed
Feb 23, 2021
Description
This module exploits an unauthenticated OVA file upload and path
traversal in VMware vCenter Server to write a JSP payload to a
web-accessible directory.
Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
user's non-existent password expires 90 days after install, rendering
the technique nearly useless against production environments.
You'll have the best luck targeting older versions of the Linux
appliance. The Windows target should work ubiquitously.
traversal in VMware vCenter Server to write a JSP payload to a
web-accessible directory.
Fixed versions are 6.5 Update 3n, 6.7 Update 3l, and 7.0 Update 1c.
Note that later vulnerable versions of the Linux appliance aren't
exploitable via the webshell technique. Furthermore, writing an SSH
public key to /home/vsphere-ui/.ssh/authorized_keys works, but the
user's non-existent password expires 90 days after install, rendering
the technique nearly useless against production environments.
You'll have the best luck targeting older versions of the Linux
appliance. The Windows target should work ubiquitously.
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.