CVE-2020-3952 PoC — VMware vCenter Server Access Control Error Vulnerability

Source
Associated Vulnerability
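Title: VMware vCenter Server Access Control Error Vulnerability (CVE-2020-3952)
Description: VMware vCenter Server is server and virtualization management software from VMware, Inc. (USA). It provides a centralized platform for managing VMware vSphere environments and automates the deployment and delivery of virtual infrastructure. vmdir in VMware vCenter Server 6.7 contains an access control error vulnerability, caused by the program failing to implement access control correctly. An attacker can exploit this vulnerability to extract sensitive information.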
Description
VMWare vmdir missing access control exploit checker
Readme
Script to check whether a server is vulnerable to CVE-2020-3952.

It is inspired by the [guardicore
exploit](https://github.com/guardicore/vmware_vcenter_cve_2020_3952),
with one difference: it does NOT create an admin user.

It assesses the vulnerable status by verifying that the built-in
Administrators group can be tainted by creating or appending the
harmless 'description' attribute.

## Check

Usage:
```
$ python exploit_check.py vserver_ip
```


## Detect attempts

The Suricata signature rule `vmware.rules` is a naive approach that
catches the LDAP modify operation on the Administrators group. It needs
to be customized with a proper signature id (`sid`), and you can tune the
src and dst subnets, which are set to `any` by default here.

It could be improved by looking specifically at member additions.
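
The improvement suggested above, sketched as an added example (not part of this repository or its `vmware.rules`): a minimal BER decoder that reads one LDAP ModifyRequest and separates `member` changes on an Administrators group from other modifications, such as the checker's `description` write. The DNs and PDUs are constructed samples, and all function names are illustrative.

```python
OPS = {0: "add", 1: "delete", 2: "replace"}  # ModifyRequest operation codes

def tlv(buf, pos):
    """Read one BER element at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

def parse_modify(pdu):
    """Return (dn, [(operation, attribute), ...]) for a ModifyRequest, else None."""
    tag, msg, _ = tlv(pdu, 0)               # LDAPMessage SEQUENCE
    _, _, p = tlv(msg, 0)                   # messageID INTEGER
    rtag, req, _ = tlv(msg, p)              # protocolOp
    if tag != 0x30 or rtag != 0x66:         # 0x66 = [APPLICATION 6] ModifyRequest
        return None
    _, dn, p = tlv(req, 0)                  # object DN
    _, changes, _ = tlv(req, p)             # SEQUENCE OF change
    out, p = [], 0
    while p < len(changes):
        _, change, p = tlv(changes, p)
        _, op, q = tlv(change, 0)           # ENUMERATED operation
        _, mod, _ = tlv(change, q)          # PartialAttribute
        out.append((OPS.get(op[0], "other"), tlv(mod, 0)[1].decode()))
    return dn.decode(), out

def classify(pdu, group_rdn="cn=administrators,"):
    parsed = parse_modify(pdu)
    if not parsed or not parsed[0].lower().startswith(group_rdn):
        return "ignore"
    hit = any(o in ("add", "replace") and a.lower() == "member" for o, a in parsed[1])
    return "member-change" if hit else "other-modify"

def enc(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body   # short-form lengths only (< 128 bytes)

def modify(dn, op, attr, value):
    change = enc(0x30, enc(0x0A, bytes([op])),
                 enc(0x30, enc(0x04, attr), enc(0x31, enc(0x04, value))))
    return enc(0x30, enc(0x02, b"\x01"), enc(0x66, enc(0x04, dn), enc(0x30, change)))

DN = b"cn=Administrators,cn=Builtin,dc=example,dc=test"  # constructed sample DN
CHECK = modify(DN, 2, b"description", b"test")           # constructed: description write
MEMBER = modify(DN, 0, b"member", b"cn=new,cn=Users,dc=example,dc=test")  # constructed
```

It works on one already-reassembled, cleartext LDAP PDU; TCP reassembly and LDAPS traffic are outside its scope.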
File Snapshot

```
[4.0K] /data/pocs/f3cd44c03f99f6947016714c376623c5db34410e
├── [3.1K] exploit_check.py
├── [ 802] README.md
└── [ 303] vmware.rules

0 directories, 3 files
```