Pentera’s research team ‘Pentera Labs’ discovered a vulnerability in VMware’s vCenter Server program. The affected VMware software is installed in over 500,000 organizations worldwide and is responsible for managing their most critical systems. The findings were proactively reported to VMware and later released under CVE-2021-22015.
On Sep. 21, 2021, VMware published a security patch regarding a Local Privilege Escalation (LPE) vulnerability impacting all appliances running default vCenter Server 6.5 to 7.0 deployments. The patch and additional info are available on VMware’s Advisory site.
The Pentera Labs team has created a scanner for validating that this vulnerability has been patched. It can be found in our GitHub repository.
VMware vCenter Server is an advanced server management software that provides IT administrators with a centralized way to manage virtualized hosts in enterprise environments. The platform is installed in hundreds of thousands of organizations worldwide and is used by organizations to manage some of their most critical assets and core systems.
Vulnerability Discovery Walkthrough
How we gained Local Privilege Escalation on VMware vCenter
vCenter has recently come under scrutiny following the discovery of several vulnerabilities affecting the platform, which can lead to shell access and vSphere takeover. One of these vulnerabilities was our starting point – “VMware vCenter Unauthenticated OVA Upload RCE” (CVE-2021-21972). Using this vulnerability, we gained shell access as a low-privileged user named “vsphere-ui”, and from there we started examining a fresh instance of a VMware vCenter Server.
While examining the processes that run on the vCenter machine with root privileges, we noticed a few from the same folder that appear to be working with Java.
Further examination of the folder revealed another file for each process, and each of these turned out to be a link pointing to the same file for all of the processes, under the path “/usr/lib/vmware-vmon/java-wrapper-vmon”.
The backdoor of java-wrapper-vmon and cis group
This file is part of the vCenter installation; it’s a .bash file involved in the execution of those processes. Since the processes listed above run in root context, so does this file.
In the process of examining this file, we noticed that the “cis” group has read/write/exec privileges for it.
Our next step was to explore the origins of the “cis” group. Members of the “cis” group include not only the user “vsphere-ui” (which we exploited using CVE-2021-21972 at the beginning of our journey), but also a whole host of other users. See the screenshot below for the full list:
*This screenshot is taken from a 6.7 version and there may be changes in different versions
In other words, any one of those users can edit the file java-wrapper-vmon!
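The condition described above (a script executed as root that members of a non-root group can modify) can be checked from a shell on the host. The following is an added example, not code from the original post and not Pentera's scanner; the function name `audit_root_script` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Pentera's scanner: report whether a script that root
# executes can be modified through its group or by everyone.
# Return codes: 0 = no group/other write bit, 1 = writable, 2 = error.

# Read an account database with getent when present, else the flat file.
db() { getent "$1" 2>/dev/null || cat "/etc/$1"; }

audit_root_script() {
    target=$1
    [ -e "$target" ] || { echo "ERROR: $target not found" >&2; return 2; }
    found=0

    # -L follows links, so a per-process link is judged by the file it points to.
    if [ -n "$(find -L "$target" -prune -perm -002 -print)" ]; then
        echo "FINDING: $target is world-writable"
        found=1
    fi
    if [ -n "$(find -L "$target" -prune -perm -020 -print)" ]; then
        gid=$(ls -lnLd "$target" | awk '{print $4}')
        gname=$(db group | awk -F: -v g="$gid" '$3 == g {print $1; exit}')
        # Supplementary members from the group entry, plus users whose
        # primary group is this gid (those are not listed in the entry).
        members=$( { db group  | awk -F: -v g="$gid" '$3 == g {print $4}' | tr ',' '\n'
                     db passwd | awk -F: -v g="$gid" '$4 == g {print $1}'
                   } | sort -u | xargs )
        echo "FINDING: $target is writable by group ${gname:-$gid} (members: ${members:-none found})"
        found=1
    fi
    [ "$found" -eq 0 ] && echo "OK: $target has no group or other write bit"
    return "$found"
}

# Run as: sh audit.sh /usr/lib/vmware-vmon/java-wrapper-vmon
if [ $# -gt 0 ]; then audit_root_script "$1"; fi
```

A group-writable result lists every account that could edit the file, which is the set of users to review when the file is executed by root.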
In technical terms we can describe the vulnerability in the following stages:
- Gain shell access as any of the users that are part of the “cis” group
- Add malicious code to the java-wrapper-vmon file
- Restart one of the processes served by the java-wrapper-vmon file, or the vCenter host itself
- Result: our malicious code runs as root!
- Outcome example: ransomware installation or Denial Of Service attack
A sample implementation is detailed below.
Privilege escalation vulnerabilities like this can be used by an attacker to abuse the host in countless ways, for example: by installing ransomware, mining bitcoin or causing a local denial of service, to name a few. But these are relatively minor attacks. An advanced attacker could use such privilege escalation to take over an organization completely by utilizing a combination of vulnerabilities and exploits to launch an attack vector which would be drastically more dangerous.
To remediate CVE-2021-22015, apply the updates listed on VMware’s Advisory site. There is no known workaround.
Similarly to advanced threat actors and well-performed malware campaigns, Pentera uses the above technique for Privilege Escalation (PE).
I wanted to say thanks to everyone at VMware involved with the patch for this vulnerability. They were kind, prompt in their responses, and very easy to work with.
Experience has taught us never to trust a theoretical vulnerability until we’ve seen it exploited, and vScalation (CVE-2021-22015) is no exception.
Clearly, there are endless routes to take when validating that vScalation (CVE-2021-22015) can be used to gain Local Privilege Escalation in a VMware vCenter. The following implementation demonstrates the ability to gain root privileges by exploiting vScalation (CVE-2021-22015) to extract the /etc/shadow file from the host.
The /etc/shadow file contains the hashed passwords for all the users on the host and is only accessible with root.
Let’s add this code block to the java-wrapper-vmon file:
After restarting the vCenter host or one of the services, the script will run as root, copy the /etc/shadow file to the specified location, and give it read permissions.
Bingo! This is just a taste of the power you can obtain by getting root privileges on a vCenter machine.