POC details: 0004803ec8210b4fae574349d33eca11cdf9bef5

Source
Related vulnerability
Title: VMware vCenter Server access control error vulnerability (CVE-2020-3952)
Description: VMware vCenter Server is a server and virtualization management software suite from VMware, Inc. (USA). It provides a centralized platform for managing VMware vSphere environments and can automate the deployment and delivery of virtual infrastructure. The vmdir component of VMware vCenter Server 6.7 contains an access control error vulnerability caused by the program not implementing access control correctly. An attacker can exploit this vulnerability to extract sensitive information.
Description
Exploit for CVE-2020-3952 in vCenter 6.7
Introduction
# [Proof of concept for CVE-2020-3952](https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/)

This is a short piece of code that exploits CVE-2020-3952, which is described in detail in the Guardicore Labs post over [here](https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/).
This vulnerability was [published](https://www.vmware.com/security/advisories/VMSA-2020-0006.html) by VMware in April 2020 with a maximum CVSS score of 10.0. It allows an attacker with a network connection to take control of the vCenter Directory (and thus of the vSphere deployment).

VMware released a fix for this bug in vCenter Server 6.7 Update 3f. Any unpatched vCenter 6.7 that has been upgraded from a previous version is vulnerable to this attack. (Clean installs of vCenter 6.7 are not affected.)

We recommend reading the post to understand how this exploit works, but in short, it does three things:
1) Attempts an LDAP bind request to the vmdird process. This should fail with invalid credentials.
2) Adds a new user with the requested username and password at the DN 'cn=NEW_USERNAME,cn=Users,dc=vsphere,dc=local'.
3) Adds the new user to the 'cn=Administrators,cn=Builtin,dc=vsphere,dc=local' group.

## Requirements
```sh
pip3 install python-ldap
```

## Usage
```sh
python3 exploit.py <VCENTER_IP> <NEW_USERNAME> <NEW_PASSWORD>
```
File snapshot

```
[4.0K] /data/pocs/0004803ec8210b4fae574349d33eca11cdf9bef5
├── [2.0K] exploit.py
├── [1.5K] LICENSE
└── [1.3K] README.md

0 directories, 3 files
```
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source has expired or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.