SlideShare a Scribd company logo

How to hack VMware vCenter server in 60 seconds

Download as PPT, PDF
Positive Hack Days
Positive Hack Days
Technology
1 of 17
How to hack VMware vCenter server in 60 seconds Alexey Sintsov Alexander Minozhenko
Hijacking VMware @asintsov @al3xmin • Pen-testers at Digital Security • Researchers • DCG#7812 / Zeronights • FUN, FUN, FUN © 2002—2012, Digital
Hijacking VMware Our target © 2002—2012, Digital
Hijacking VMware VMware vCenter Server • VMware vCenter Server is solution to manage VMware vSphere • vSphere – virtualization operating system © 2002—2012, Digital
Hijacking VMware Pen-test… • Vmware vCenter version 4.1 update 1 Services: • Update Manager • vCenter Orchestrator • Chargeback • Other • Most of those services has web server © 2002—2012, Digital
Hijacking VMware VASTO and CVE-2009-1523 • Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../FILE • Discovered by Claudio Criscione • Fixed in VMware Update Manager 4.1 update 1 :( • Who want to pay me for 0day? • Pentester is not resercher? © 2002—2012, Digital
Hijacking VMware 8( © 2002—2012, Digital
Hijacking VMware CVE-2010-1870 • VMware vCenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc • CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2 © 2002—2012, Digital
Hijacking VMware Details •Struts2 does not properly escape “#” •Could be bypass with unicode “u0023” •2 variables need to be set for RCE •#_memberAccess['allowStaticMethodAccess'] •#context['xwork.MethodAccessor.denyMethodExecution'] © 2002—2012, Digital
Hijacking VMware But what about us? • Directory traversal in Jetty web server … AGAIN! http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C.. %5C..FILE.EXT •Metasploit module vmware_update_manager_traversal.rb by sinn3r • We can read any file! But what Claudio Criscione propose to read vpxd-profiler-* - /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680- FB72656A1DCB'/Username=„FakeDomainFakeUser'/SoapSession/Id='A Sorry, patched in 4.1! D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1 Contains logs of SOAP requests with session ID !!! Discovered by Alexey Sintsov 8) © 2002—2012, Digital
Hijacking VMware Attack #1 • Read vpxd-profiler via traversal… • Get Admin’s IP addresses from it… • Read secret SSL key http://target:9084/vci/downloads/...............Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSLrui.key • ARP-SPOOF with SSL key - PROFIT © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator • Vmware vCO – software for automate configuration and management • Install by default with vCenter • Have interesting file C:Program filesVMwareInfrastructureOrchestratorconfigurationj ettyetcpasswd.properties © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator Password disclosure Read hash -> crack MD5 -> log on into Orch. -> get vCenter pass © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator – more stuff • vCO stored password at files: • C:Program FilesVMwareInfrastructureOrchestratorapp- <virtual-infrastructure-host serverservervmoconfpluginsVC.xml <enabled>true</enabled> • C:Program FilesVMwareInfrastructureOrchestratorapp- <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administrator-username> serverservervmoconfvmo.properties <administrator- password>010506275767b74786b383a4a60be767864740329d5fcf 324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> © 2002—2012, Digital
Hijacking VMware Hmmm…. 006766e7964766a151e213a242665123568256c4031702d4c78454e5b575 f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e2 4726079 vcenter • Red bytes look like length • Green bytes in ASCII range • Black bytes random Discovered by Alexey Sintsov and Alexander Minozhenko © 2002—2012, Digital
Hijacking VMware 0day still not patched 8) © 2002—2012, Digital
Hijacking VMware gg and bb a.sintsov@dsec.ru @asintsov a.minozhenko@dsec.ru @al3xmin © 2002—2012, Digital

Recommended

嵌入式IPMI遠端監控系統
嵌入式IPMI遠端監控系統 嵌入式IPMI遠端監控系統
嵌入式IPMI遠端監控系統
艾鍗科技
 
Mininet multiple controller
Mininet multiple controllerMininet multiple controller
Mininet multiple controller
Catur Mei Rahayu
 
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
裝機安 Angelo
 
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
裝機安 Angelo
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere
零壹科技股份有限公司
 
The consequences of sync_binlog != 1
The consequences of sync_binlog != 1The consequences of sync_binlog != 1
The consequences of sync_binlog != 1
Jean-François Gagné
 
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
CODE BLUE
 
Raspberry Pi 3 + UART/Bluetooth issues
Raspberry Pi 3 + UART/Bluetooth issuesRaspberry Pi 3 + UART/Bluetooth issues
Raspberry Pi 3 + UART/Bluetooth issues
yeokm1
 

Recommended

嵌入式IPMI遠端監控系統
嵌入式IPMI遠端監控系統 嵌入式IPMI遠端監控系統
嵌入式IPMI遠端監控系統
艾鍗科技
 
Mininet multiple controller
Mininet multiple controllerMininet multiple controller
Mininet multiple controller
Catur Mei Rahayu
 
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
(2020-01).HPE SimpliVity 如何分享腹內Datastore給現現有的ESXi使用
裝機安 Angelo
 
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
HPE SimpliVity install mgmt guide 201907-01 (Taiwan-Chinese) ;HPE SimpliVity ...
裝機安 Angelo
 
VMware vSphere
VMware vSphereVMware vSphere
VMware vSphere
零壹科技股份有限公司
 
The consequences of sync_binlog != 1
The consequences of sync_binlog != 1The consequences of sync_binlog != 1
The consequences of sync_binlog != 1
Jean-François Gagné
 
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
インサイドShell:.NETハッキング技術を応用したPowerShell可視性の向上 by 丹田 賢
CODE BLUE
 
Raspberry Pi 3 + UART/Bluetooth issues
Raspberry Pi 3 + UART/Bluetooth issuesRaspberry Pi 3 + UART/Bluetooth issues
Raspberry Pi 3 + UART/Bluetooth issues
yeokm1
 
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
Thomas Graf
 
Hyper-Converged Infrastructure: Concepts
Hyper-Converged Infrastructure: ConceptsHyper-Converged Infrastructure: Concepts
Hyper-Converged Infrastructure: Concepts
Nick Scuola
 
WKWebViewとUIWebView
WKWebViewとUIWebViewWKWebViewとUIWebView
WKWebViewとUIWebView
Yuki Hirai
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARM
National Cheng Kung University
 
Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드
Opennaru, inc.
 
Azure databases for PostgreSQL, MySQL and MariaDB
Azure databases for PostgreSQL, MySQL and MariaDB Azure databases for PostgreSQL, MySQL and MariaDB
Azure databases for PostgreSQL, MySQL and MariaDB
rockplace
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
FastBit Embedded Brain Academy
 
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
Ji-Woong Choi
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototyping
Yan Vugenfirer
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Michelle Holley
 
HPE Data Protector Best Practice Guide
HPE Data Protector Best Practice GuideHPE Data Protector Best Practice Guide
HPE Data Protector Best Practice Guide
Andrey Karpov
 
CloudStack Architecture
CloudStack ArchitectureCloudStack Architecture
CloudStack Architecture
CloudStack - Open Source Cloud Computing Project
 
why we need ext4
why we need ext4why we need ext4
why we need ext4
Hao(Robin) Dong
 
The View - Lotusscript coding best practices
The View - Lotusscript coding best practicesThe View - Lotusscript coding best practices
The View - Lotusscript coding best practices
Bill Buchan
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
libfetion
 
I/O仮想化最前線〜ネットワークI/Oを中心に〜
I/O仮想化最前線〜ネットワークI/Oを中心に〜I/O仮想化最前線〜ネットワークI/Oを中心に〜
I/O仮想化最前線〜ネットワークI/Oを中心に〜
Ryousei Takano
 
Veeam Sure Backup - Presentación Técnica
Veeam Sure Backup - Presentación TécnicaVeeam Sure Backup - Presentación Técnica
Veeam Sure Backup - Presentación Técnica
Suministros Obras y Sistemas
 
5 post , bios , cmos
5 post , bios , cmos5 post , bios , cmos
5 post , bios , cmos
hafizhanif86
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Anne Nicolas
 
vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
Animesh Dixit
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
Red_Hat_Storage
 

More Related Content

What's hot

Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Priyanka Aash
 
Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드
Opennaru, inc.
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
FastBit Embedded Brain Academy
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Michelle Holley
 
The View - Lotusscript coding best practices
The View - Lotusscript coding best practicesThe View - Lotusscript coding best practices
The View - Lotusscript coding best practices
Bill Buchan
 

What's hot (20)

Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
Breaking Parser Logic: Take Your Path Normalization Off and Pop 0days Out!
 
Linux Networking Explained
Linux Networking ExplainedLinux Networking Explained
Linux Networking Explained
 
Hyper-Converged Infrastructure: Concepts
Hyper-Converged Infrastructure: ConceptsHyper-Converged Infrastructure: Concepts
Hyper-Converged Infrastructure: Concepts
 
WKWebViewとUIWebView
WKWebViewとUIWebViewWKWebViewとUIWebView
WKWebViewとUIWebView
 
Embedded Hypervisor for ARM
Embedded Hypervisor for ARMEmbedded Hypervisor for ARM
Embedded Hypervisor for ARM
 
Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드Apache httpd ( 아파치 웹서버 ) 설치 가이드
Apache httpd ( 아파치 웹서버 ) 설치 가이드
 
Azure databases for PostgreSQL, MySQL and MariaDB
Azure databases for PostgreSQL, MySQL and MariaDB Azure databases for PostgreSQL, MySQL and MariaDB
Azure databases for PostgreSQL, MySQL and MariaDB
 
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with DebuggingPART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
PART-2 : Mastering RTOS FreeRTOS and STM32Fx with Debugging
 
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
[오픈소스컨설팅] Red Hat ReaR (relax and-recover) Quick Guide
 
Qemu device prototyping
Qemu device prototypingQemu device prototyping
Qemu device prototyping
 
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
Intel® QuickAssist Technology Introduction, Applications, and Lab, Including ...
 
HPE Data Protector Best Practice Guide
HPE Data Protector Best Practice GuideHPE Data Protector Best Practice Guide
HPE Data Protector Best Practice Guide
 
CloudStack Architecture
CloudStack ArchitectureCloudStack Architecture
CloudStack Architecture
 
why we need ext4
why we need ext4why we need ext4
why we need ext4
 
The View - Lotusscript coding best practices
The View - Lotusscript coding best practicesThe View - Lotusscript coding best practices
The View - Lotusscript coding best practices
 
Linux kernel debugging
Linux kernel debuggingLinux kernel debugging
Linux kernel debugging
 
I/O仮想化最前線〜ネットワークI/Oを中心に〜
I/O仮想化最前線〜ネットワークI/Oを中心に〜I/O仮想化最前線〜ネットワークI/Oを中心に〜
I/O仮想化最前線〜ネットワークI/Oを中心に〜
 
Veeam Sure Backup - Presentación Técnica
Veeam Sure Backup - Presentación TécnicaVeeam Sure Backup - Presentación Técnica
Veeam Sure Backup - Presentación Técnica
 
5 post , bios , cmos
5 post , bios , cmos5 post , bios , cmos
5 post , bios , cmos
 
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPIKernel Recipes 2015: Representing device-tree peripherals in ACPI
Kernel Recipes 2015: Representing device-tree peripherals in ACPI
 

Viewers also liked

vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
Animesh Dixit
 
Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5
Bravo Tecnologia
 
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
Softchoice Corporation
 
SQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni ÖzelliklerSQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni Özellikler
turgaysahtiyan
 

Viewers also liked (20)

vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
 
vSphere 6.5 Upgrade Order
vSphere 6.5 Upgrade OrdervSphere 6.5 Upgrade Order
vSphere 6.5 Upgrade Order
 
20 Common Ports and their purposes
20 Common Ports and their purposes 20 Common Ports and their purposes
20 Common Ports and their purposes
 
Hacking Microsoft Remote Desktop Services for Fun and Profit
Hacking Microsoft Remote Desktop Services for Fun and ProfitHacking Microsoft Remote Desktop Services for Fun and Profit
Hacking Microsoft Remote Desktop Services for Fun and Profit
 
Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5
 
Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5
 
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter ServerNordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
 
Limewood Event - VMware
Limewood Event - VMware Limewood Event - VMware
Limewood Event - VMware
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
 
System Center 2012 - January Licensing Update
System Center 2012 - January Licensing UpdateSystem Center 2012 - January Licensing Update
System Center 2012 - January Licensing Update
 
Softchoice Webinar Series: VMware vSphere 5.1 Changes
Softchoice Webinar Series: VMware vSphere 5.1 ChangesSoftchoice Webinar Series: VMware vSphere 5.1 Changes
Softchoice Webinar Series: VMware vSphere 5.1 Changes
 
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
 
SQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni ÖzelliklerSQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni Özellikler
 
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
 
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOLVMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
 
Site Recovery Manager - Una visione architetturale
Site Recovery Manager - Una visione architetturaleSite Recovery Manager - Una visione architetturale
Site Recovery Manager - Una visione architetturale
 
SQL Server Performans İpuçları
SQL Server Performans İpuçlarıSQL Server Performans İpuçları
SQL Server Performans İpuçları
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
 
Virtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
Virtual Space Race: How IT with The Right Stuff Creates a Competitive AdvantageVirtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
Virtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
 

Similar to How to hack VMware vCenter server in 60 seconds

Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_
VCAP5_wordpress
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdf
testslebew
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
OSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js TutorialOSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js Tutorial
Tom Croucher
 
VMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and FlexibilityVMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and Flexibility
Paulo Freitas
 

Similar to How to hack VMware vCenter server in 60 seconds (20)

[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!![OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
 
vCenter Server 5.5 Single Sign-On VMDir deep dive
vCenter Server 5.5 Single Sign-On VMDir deep divevCenter Server 5.5 Single Sign-On VMDir deep dive
vCenter Server 5.5 Single Sign-On VMDir deep dive
 
VMware
VMwareVMware
VMware
 
Configuring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop SitesConfiguring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop Sites
 
EUC State of the Union 2021
EUC State of the Union 2021EUC State of the Union 2021
EUC State of the Union 2021
 
Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
VDI-in-a-Box installation guide for Lab PCs
VDI-in-a-Box installation guide for Lab PCs VDI-in-a-Box installation guide for Lab PCs
VDI-in-a-Box installation guide for Lab PCs
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdf
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and Troubleshooting
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
VSICM8_M02.pptx
VSICM8_M02.pptxVSICM8_M02.pptx
VSICM8_M02.pptx
 
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
 
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Automating That "Other" OS
Automating That "Other" OSAutomating That "Other" OS
Automating That "Other" OS
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual Infrastructure
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
OSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js TutorialOSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js Tutorial
 
VMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and FlexibilityVMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and Flexibility
 

More from Positive Hack Days

Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
Delhi Call girls
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

How to hack VMware vCenter server in 60 seconds

  • 1. How to hack VMware vCenter server in 60 seconds Alexey Sintsov Alexander Minozhenko
  • 2. Hijacking VMware @asintsov @al3xmin • Pen-testers at Digital Security • Researchers • DCG#7812 / Zeronights • FUN, FUN, FUN © 2002—2012, Digital
  • 3. Hijacking VMware Our target © 2002—2012, Digital
  • 4. Hijacking VMware VMware vCenter Server • VMware vCenter Server is solution to manage VMware vSphere • vSphere – virtualization operating system © 2002—2012, Digital
  • 5. Hijacking VMware Pen-test… • Vmware vCenter version 4.1 update 1 Services: • Update Manager • vCenter Orchestrator • Chargeback • Other • Most of those services has web server © 2002—2012, Digital
  • 6. Hijacking VMware VASTO and CVE-2009-1523 • Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../FILE • Discovered by Claudio Criscione • Fixed in VMware Update Manager 4.1 update 1 :( • Who want to pay me for 0day? • Pentester is not resercher? © 2002—2012, Digital
  • 8. Hijacking VMware CVE-2010-1870 • VMware vCenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc • CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2 © 2002—2012, Digital
  • 9. Hijacking VMware Details •Struts2 does not properly escape “#” •Could be bypass with unicode “u0023” •2 variables need to be set for RCE •#_memberAccess['allowStaticMethodAccess'] •#context['xwork.MethodAccessor.denyMethodExecution'] © 2002—2012, Digital
  • 10. Hijacking VMware But what about us? • Directory traversal in Jetty web server … AGAIN! http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C.. %5C..FILE.EXT •Metasploit module vmware_update_manager_traversal.rb by sinn3r • We can read any file! But what Claudio Criscione propose to read vpxd-profiler-* - /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680- FB72656A1DCB'/Username=„FakeDomainFakeUser'/SoapSession/Id='A Sorry, patched in 4.1! D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1 Contains logs of SOAP requests with session ID !!! Discovered by Alexey Sintsov 8) © 2002—2012, Digital
  • 11. Hijacking VMware Attack #1 • Read vpxd-profiler via traversal… • Get Admin’s IP addresses from it… • Read secret SSL key http://target:9084/vci/downloads/...............Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSLrui.key • ARP-SPOOF with SSL key - PROFIT © 2002—2012, Digital
  • 12. Hijacking VMware VMware vCenter Orchestrator • Vmware vCO – software for automate configuration and management • Install by default with vCenter • Have interesting file C:Program filesVMwareInfrastructureOrchestratorconfigurationj ettyetcpasswd.properties © 2002—2012, Digital
  • 13. Hijacking VMware VMware vCenter Orchestrator Password disclosure Read hash -> crack MD5 -> log on into Orch. -> get vCenter pass © 2002—2012, Digital
  • 14. Hijacking VMware VMware vCenter Orchestrator – more stuff • vCO stored password at files: • C:Program FilesVMwareInfrastructureOrchestratorapp- <virtual-infrastructure-host serverservervmoconfpluginsVC.xml <enabled>true</enabled> • C:Program FilesVMwareInfrastructureOrchestratorapp- <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administrator-username> serverservervmoconfvmo.properties <administrator- password>010506275767b74786b383a4a60be767864740329d5fcf 324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> © 2002—2012, Digital
  • 15. Hijacking VMware Hmmm…. 006766e7964766a151e213a242665123568256c4031702d4c78454e5b575 f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e2 4726079 vcenter • Red bytes look like length • Green bytes in ASCII range • Black bytes random Discovered by Alexey Sintsov and Alexander Minozhenko © 2002—2012, Digital
  • 16. Hijacking VMware 0day still not patched 8) © 2002—2012, Digital
  • 17. Hijacking VMware gg and bb a.sintsov@dsec.ru @asintsov a.minozhenko@dsec.ru @al3xmin © 2002—2012, Digital