CVE-2021-21972 PoC — VMware vSphere Client Path Traversal Vulnerability

Associated Vulnerability
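Title: VMware vSphere Client Path Traversal Vulnerability (CVE-2021-21972)
Description: VMware vSphere Client is an application from the US company VMware that provides virtualization management. VMware vSphere Client contains a path traversal vulnerability: an unauthenticated attacker can send crafted requests to vCenter Server through a server with port 443 open and thereby remotely execute malicious code on the target system. The following products and versions are affected: vSphere Client 6.5, vSphere Client 6.7, vSphere Client 7.0, VMware Cloud Foundation (vCenter Server).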
Readme
# CVE-2021-21972 (checker)
VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability

This script checks for the existence of CVE-2021-21972 by sending a POST request to the path
"/ui/vropspluginui/rest/services/uploadova" and looking for the word "uploadFile" in the
response body (500), which means the vCenter is available
to accept files via POST without any restrictions.

Manual inspection: 
``` 
# curl -i -s -k -X $'GET' -H $'Host: <target>' -H $'User-Agent: alex666' $'https://<target>/ui/vropspluginui/rest/services/getstatus'
```

```
# curl -i -s -k -X $'GET' -H $'Host: <target>' -H $'User-Agent: alex666' $'https://<target>/ui/vropspluginui/rest/services/uploadova'
```

```
# curl -i -s -k -X $'POST' -H $'Host: <target>' -H $'User-Agent: alex666' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 0' $'https://<target>/ui/vropspluginui/rest/services/uploadova'

```
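A defender-side complement to the check described above, as an added example that is not part of the original README or the NSE script: it scans access-log lines for requests to the plugin's REST path and separates the checker's signature (a POST to `uploadova` answered with 500) from other POSTs that need review. The combined log format, the label names and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Plugin REST base path, taken from the README's curl commands.
PLUGIN_BASE = "/ui/vropspluginui/rest/services"
# Assumption: "combined" access-log format (e.g. a reverse proxy in front of vCenter).
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?')

def normalize(raw_path):
    """Drop the query string, decode %xx, collapse // and /./, lowercase."""
    path = unquote(raw_path.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path)).lower()

def classify(method, raw_path, status):
    """Label a request to the plugin endpoints; None if it is unrelated."""
    path = normalize(raw_path)
    if path != PLUGIN_BASE and not path.startswith(PLUGIN_BASE + "/"):
        return None
    endpoint = path[len(PLUGIN_BASE):].lstrip("/")
    if endpoint == "uploadova" and method == "POST":
        # 500 is what the README's checker keys on; any other status needs review.
        return "checker-probe" if status == 500 else "upload-post-review"
    return "endpoint-recon"

def triage(lines):
    """Return {source: [(timestamp, label, status, user_agent), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        label = m and classify(m["method"], m["path"], int(m["status"]))
        if label:
            hits[m["src"]].append((m["ts"], label, int(m["status"]), m["ua"] or ""))
    return dict(hits)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [24/Feb/2021:10:01:02 +0000] "GET /ui/vropspluginui/rest/services/getstatus HTTP/1.1" 200 512 "-" "alex666"',
    '203.0.113.7 - - [24/Feb/2021:10:01:03 +0000] "POST /ui/vropspluginui/rest/services/uploadova HTTP/1.1" 500 1220 "-" "alex666"',
    '198.51.100.9 - - [24/Feb/2021:11:30:44 +0000] "POST /ui//vropspluginui/rest/services/uploadova?x=1 HTTP/1.1" 200 2 "-" "-"',
    '192.0.2.10 - - [24/Feb/2021:11:31:00 +0000] "GET /ui/login HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The User-Agent is carried through only as context; the labels depend on path, method and status, so a changed User-Agent does not hide a request.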
# References: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972  
https://www.vmware.com/security/advisories/VMSA-2021-0002.html

# Usage
```
nmap -p443 --script CVE-2021-21972.nse <target>
```

# Output
```
---
-- @usage
-- nmap -p443 --script CVE-2021-21972.nse <target>
-- @output
-- PORT    STATE SERVICE
-- 443/tcp open  https
-- | CVE-2021-21972: 
-- |   VULNERABLE:
-- |   vCenter 6.5-7.0 RCE
-- |     State: VULNERABLE (Exploitable)
-- |     IDs:  CVE:CVE-2021-21972
-- |       The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. 
-- |       A malicious actor with network access to port 443 may exploit this issue to execute commands with 
-- |       unrestricted privileges on the underlying operating system that hosts vCenter Server.
-- |     Disclosure date: 2021-02-23
-- |     References:
-- |_      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
```

![Screen Recording](https://github.com/alt3kx/CVE-2021-21972/blob/main/CVE-2021-21972.gif)

# Author
Alex Hernandez aka [@\_alt3kx\_](https://twitter.com/_alt3kx_)

File Snapshot

```
[4.0K] /data/pocs/a53b2173dfd62bbe120d6b94e89632e3f417b91c
├── [ 11M] CVE-2021-21972.gif
├── [3.3K] CVE-2021-21972.nse
├── [ 34K] LICENSE
└── [2.0K] README.md

0 directories, 4 files
```