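-- Help text shown by `nmap --script-help CVE-2021-21972.nse`.
-- Fixes: typos, a stray quote that broke the MITRE URL, and a fused curl
-- line (L"-H User-Agent ...'$'https://..." had lost its line break), and adds
-- the shell continuations so the manual commands can be pasted as written.
description = [[
VMware vCenter Server CVE-2021-21972 Remote Code Execution Vulnerability

This script checks for CVE-2021-21972 by sending an empty POST request to
"/ui/vropspluginui/rest/services/uploadova" and looking for the word
"uploadFile" in a 500 response body. That reply means the vCenter instance
accepts files via POST on this path without any restrictions.

The script only probes the endpoint; it does not upload anything.

Manual inspection:
# curl -i -s -k -X $'GET' \
  -H $'Host: <target>' \
  -H $'User-Agent: alex666' \
  $'https://<target>/ui/vropspluginui/rest/services/getstatus'
# curl -i -s -k -X $'GET' \
  -H $'Host: <target>' \
  -H $'User-Agent: alex666' \
  $'https://<target>/ui/vropspluginui/rest/services/uploadova'
# curl -i -s -k -X $'POST' \
  -H $'Host: <target>' \
  -H $'User-Agent: alex666' \
  -H $'Content-Type: application/x-www-form-urlencoded' \
  -H $'Content-Length: 0' \
  $'https://<target>/ui/vropspluginui/rest/services/uploadova'

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
]]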
---
-- @usage
-- nmap -p443 --script CVE-2021-21972.nse <target>
-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | CVE-2021-21972:
-- | VULNERABLE:
-- | vCenter 6.5-7.0 RCE
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2021-21972
-- | The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
-- | A malicious actor with network access to port 443 may exploit this issue to execute commands with
-- | unrestricted privileges on the underlying operating system that hosts vCenter Server.
-- | Disclosure date: 2021-02-23
-- | References:
-- |_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972
-- NSE metadata. "exploit" is declared alongside "vuln" even though the action
-- below only probes the endpoint and never uploads a file (see the caveat in
-- action); keep the category in mind when running with --script categories.
author = "Alex Hernandez aka alt3kx <[email protected]>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit"}
local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
-- Runs on any port shortport.http treats as HTTP/HTTPS, not only 443; the
-- @usage line narrows the scan with -p443. Each matching port gets one POST.
portrule = shortport.http
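--- Probe a single HTTP(S) port for the CVE-2021-21972 upload endpoint.
--
-- The check is non-destructive: it sends one empty POST to the vROps plugin
-- upload path and inspects the reply. A 500 whose body mentions "uploadFile"
-- is treated as the unauthenticated upload handler being reachable, which is
-- the precondition for the RCE. Note that this is presence-based: nothing is
-- uploaded, so EXPLOIT here is an inference from the error text, not a
-- confirmed code execution. NOTE(review): how a patched build answers this
-- request is not established by this script - confirm against a fixed host
-- before trusting NOT_VULN as a clean bill of health.
--
-- Fixes vs. the original: the `options` table carrying the User-Agent was
-- built but never passed to http.post (so the header was silently dropped);
-- the response is now nil-guarded; and the body search uses a plain find
-- instead of a pattern match plus a redundant string comparison.
--
-- @param host Nmap host table.
-- @param port Nmap port table (the port that matched portrule).
-- @return Formatted vulns report for this host/port.
action = function(host, port)
  -- Report skeleton; state is upgraded only when the probe below matches.
  local vuln = {
    title = "vCenter 6.5-7.0 RCE",
    state = vulns.STATE.NOT_VULN,
    IDS = { CVE = 'CVE-2021-21972' },
    description = [[
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
A malicious actor with network access to port 443 may exploit this issue to execute commands with
unrestricted privileges on the underlying operating system that hosts vCenter Server.]],
    references = {
      'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21972'
    },
    dates = {
      disclosure = {year = '2021', month = '02', day = '23'},
    },
  }
  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  local uri = "/ui/vropspluginui/rest/services/uploadova"
  -- Custom User-Agent; actually forwarded to http.post this time. No body is
  -- sent, matching the Content-Length: 0 request in the script description.
  local options = {
    header = { ["User-Agent"] = "Mozilla/5.0 (compatible; vCenter)" },
  }
  local response = http.post(host, port, uri, options)

  -- Connection failure / no HTTP answer: report NOT_VULN rather than error out.
  if not response or not response.status then
    stdnse.debug1("no HTTP response for POST %s", uri)
    return report:make_output(vuln)
  end

  -- Plain (non-pattern) search; "uploadFile" has no magic chars today, but
  -- plain mode keeps that true if the marker is ever changed.
  if response.status == 500 and response.body
     and string.find(response.body, "uploadFile", 1, true) then
    vuln.state = vulns.STATE.EXPLOIT
  end

  return report:make_output(vuln)
end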