SlideShare a Scribd company logo

How to hack VMware vCenter server in 60 seconds

Download as PPT, PDF
Positive Hack Days
Positive Hack Days
Technology
1 of 17
How to hack VMware vCenter server in 60 seconds Alexey Sintsov Alexander Minozhenko
Hijacking VMware @asintsov @al3xmin • Pen-testers at Digital Security • Researchers • DCG#7812 / Zeronights • FUN, FUN, FUN © 2002—2012, Digital
Hijacking VMware Our target © 2002—2012, Digital
Hijacking VMware VMware vCenter Server • VMware vCenter Server is solution to manage VMware vSphere • vSphere – virtualization operating system © 2002—2012, Digital
Hijacking VMware Pen-test… • Vmware vCenter version 4.1 update 1 Services: • Update Manager • vCenter Orchestrator • Chargeback • Other • Most of those services has web server © 2002—2012, Digital
Hijacking VMware VASTO and CVE-2009-1523 • Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../FILE • Discovered by Claudio Criscione • Fixed in VMware Update Manager 4.1 update 1 :( • Who want to pay me for 0day? • Pentester is not resercher? © 2002—2012, Digital
Hijacking VMware 8( © 2002—2012, Digital
Hijacking VMware CVE-2010-1870 • VMware vCenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc • CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2 © 2002—2012, Digital
Hijacking VMware Details •Struts2 does not properly escape “#” •Could be bypass with unicode “u0023” •2 variables need to be set for RCE •#_memberAccess['allowStaticMethodAccess'] •#context['xwork.MethodAccessor.denyMethodExecution'] © 2002—2012, Digital
Hijacking VMware But what about us? • Directory traversal in Jetty web server … AGAIN! http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C.. %5C..FILE.EXT •Metasploit module vmware_update_manager_traversal.rb by sinn3r • We can read any file! But what Claudio Criscione propose to read vpxd-profiler-* - /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680- FB72656A1DCB'/Username=„FakeDomainFakeUser'/SoapSession/Id='A Sorry, patched in 4.1! D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1 Contains logs of SOAP requests with session ID !!! Discovered by Alexey Sintsov 8) © 2002—2012, Digital
Hijacking VMware Attack #1 • Read vpxd-profiler via traversal… • Get Admin’s IP addresses from it… • Read secret SSL key http://target:9084/vci/downloads/...............Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSLrui.key • ARP-SPOOF with SSL key - PROFIT © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator • Vmware vCO – software for automate configuration and management • Install by default with vCenter • Have interesting file C:Program filesVMwareInfrastructureOrchestratorconfigurationj ettyetcpasswd.properties © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator Password disclosure Read hash -> crack MD5 -> log on into Orch. -> get vCenter pass © 2002—2012, Digital
Hijacking VMware VMware vCenter Orchestrator – more stuff • vCO stored password at files: • C:Program FilesVMwareInfrastructureOrchestratorapp- <virtual-infrastructure-host serverservervmoconfpluginsVC.xml <enabled>true</enabled> • C:Program FilesVMwareInfrastructureOrchestratorapp- <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administrator-username> serverservervmoconfvmo.properties <administrator- password>010506275767b74786b383a4a60be767864740329d5fcf 324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> © 2002—2012, Digital
Hijacking VMware Hmmm…. 006766e7964766a151e213a242665123568256c4031702d4c78454e5b575 f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e2 4726079 vcenter • Red bytes look like length • Green bytes in ASCII range • Black bytes random Discovered by Alexey Sintsov and Alexander Minozhenko © 2002—2012, Digital
Hijacking VMware 0day still not patched 8) © 2002—2012, Digital
Hijacking VMware gg and bb a.sintsov@dsec.ru @asintsov a.minozhenko@dsec.ru @al3xmin © 2002—2012, Digital

Recommended

Scaling Your Architecture for the Long Term
Scaling Your Architecture for the Long TermScaling Your Architecture for the Long Term
Scaling Your Architecture for the Long Term
Randy Shoup
 
Design Best Practices for High Availability in Load Balancing
Design Best Practices for High Availability in Load BalancingDesign Best Practices for High Availability in Load Balancing
Design Best Practices for High Availability in Load Balancing
Avi Networks
 
Improve the Development Process with DevOps Practices by Fedorov Vadim
Improve the Development Process with DevOps Practices by Fedorov VadimImprove the Development Process with DevOps Practices by Fedorov Vadim
Improve the Development Process with DevOps Practices by Fedorov Vadim
SoftServe
 
Observability driven development
Observability driven developmentObservability driven development
Observability driven development
Geert van der Cruijsen
 
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Amazon Web Services
 
I got 99 problems, but ReST ain't one
I got 99 problems, but ReST ain't oneI got 99 problems, but ReST ain't one
I got 99 problems, but ReST ain't one
Adrian Cole
 
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Zabbix
 
BWE in Janus
BWE in JanusBWE in Janus
BWE in Janus
Lorenzo Miniero
 

Recommended

Scaling Your Architecture for the Long Term
Scaling Your Architecture for the Long TermScaling Your Architecture for the Long Term
Scaling Your Architecture for the Long Term
Randy Shoup
 
Design Best Practices for High Availability in Load Balancing
Design Best Practices for High Availability in Load BalancingDesign Best Practices for High Availability in Load Balancing
Design Best Practices for High Availability in Load Balancing
Avi Networks
 
Improve the Development Process with DevOps Practices by Fedorov Vadim
Improve the Development Process with DevOps Practices by Fedorov VadimImprove the Development Process with DevOps Practices by Fedorov Vadim
Improve the Development Process with DevOps Practices by Fedorov Vadim
SoftServe
 
Observability driven development
Observability driven developmentObservability driven development
Observability driven development
Geert van der Cruijsen
 
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Four Strategies to Create a DevOps Culture & System that Favors Innovation & ...
Amazon Web Services
 
I got 99 problems, but ReST ain't one
I got 99 problems, but ReST ain't oneI got 99 problems, but ReST ain't one
I got 99 problems, but ReST ain't one
Adrian Cole
 
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Jean-Baptiste Favre - How to Monitor Bilions of Miles Shared by 20 Million Us...
Zabbix
 
BWE in Janus
BWE in JanusBWE in Janus
BWE in Janus
Lorenzo Miniero
 
CI/CD 101
CI/CD 101CI/CD 101
CI/CD 101
djdule
 
DevOps Offerings at WhiteHedge
DevOps Offerings at WhiteHedge DevOps Offerings at WhiteHedge
DevOps Offerings at WhiteHedge
Abhijit Joshi
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
Andrii Soldatenko
 
Intro to docker
Intro to dockerIntro to docker
Intro to docker
Abderrahmane Mechri
 
ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
Anton Babenko
 
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) PipelineAnatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
Robert McDermott
 
Hive Does ACID
Hive Does ACIDHive Does ACID
Hive Does ACID
DataWorks Summit
 
Infrastructure as Code for Network
Infrastructure as Code for NetworkInfrastructure as Code for Network
Infrastructure as Code for Network
Damien Garros
 
Top 10 reasons to migrate to Gradle
Top 10 reasons to migrate to GradleTop 10 reasons to migrate to Gradle
Top 10 reasons to migrate to Gradle
Strannik_2013
 
DevOps Evolution - The Next Generation ?
DevOps Evolution - The Next Generation ?DevOps Evolution - The Next Generation ?
DevOps Evolution - The Next Generation ?
Marc Hornbeek
 
Immutable Infrastructure with Packer Ansible and Terraform
Immutable Infrastructure with Packer Ansible and TerraformImmutable Infrastructure with Packer Ansible and Terraform
Immutable Infrastructure with Packer Ansible and Terraform
Michael Peacock
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
Peng Xiao
 
DevOps : mission [im]possible ?
DevOps : mission [im]possible ?DevOps : mission [im]possible ?
DevOps : mission [im]possible ?
rfelden
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
APIsecure_ Official
 
Coding Safe Modern C++ With AUTOSAR Guidelines
Coding Safe Modern C++ With AUTOSAR GuidelinesCoding Safe Modern C++ With AUTOSAR Guidelines
Coding Safe Modern C++ With AUTOSAR Guidelines
Perforce
 
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
CA Technologies
 
Alphorm.com Formation KVM
Alphorm.com Formation KVMAlphorm.com Formation KVM
Alphorm.com Formation KVM
Alphorm
 
OpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaSOpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaS
Graham Dumpleton
 
Real-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache PinotReal-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache Pinot
Xiang Fu
 
vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
Animesh Dixit
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
Red_Hat_Storage
 

More Related Content

What's hot

ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
Nico Meisenzahl
 
Alphorm.com Formation KVM
Alphorm.com Formation KVMAlphorm.com Formation KVM
Alphorm.com Formation KVM
Alphorm
 
OpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaSOpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaS
Graham Dumpleton
 
Real-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache PinotReal-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache Pinot
Xiang Fu
 

What's hot (20)

CI/CD 101
CI/CD 101CI/CD 101
CI/CD 101
 
DevOps Offerings at WhiteHedge
DevOps Offerings at WhiteHedge DevOps Offerings at WhiteHedge
DevOps Offerings at WhiteHedge
 
Building robust and friendly command line applications in go
Building robust and friendly command line applications in goBuilding robust and friendly command line applications in go
Building robust and friendly command line applications in go
 
Intro to docker
Intro to dockerIntro to docker
Intro to docker
 
ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...ContainerConf 2022: Kubernetes is awesome - but...
ContainerConf 2022: Kubernetes is awesome - but...
 
Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018Terraform modules and best-practices - September 2018
Terraform modules and best-practices - September 2018
 
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) PipelineAnatomy of a Continuous Integration and Delivery (CICD) Pipeline
Anatomy of a Continuous Integration and Delivery (CICD) Pipeline
 
Hive Does ACID
Hive Does ACIDHive Does ACID
Hive Does ACID
 
Infrastructure as Code for Network
Infrastructure as Code for NetworkInfrastructure as Code for Network
Infrastructure as Code for Network
 
Top 10 reasons to migrate to Gradle
Top 10 reasons to migrate to GradleTop 10 reasons to migrate to Gradle
Top 10 reasons to migrate to Gradle
 
DevOps Evolution - The Next Generation ?
DevOps Evolution - The Next Generation ?DevOps Evolution - The Next Generation ?
DevOps Evolution - The Next Generation ?
 
Immutable Infrastructure with Packer Ansible and Terraform
Immutable Infrastructure with Packer Ansible and TerraformImmutable Infrastructure with Packer Ansible and Terraform
Immutable Infrastructure with Packer Ansible and Terraform
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
DevOps : mission [im]possible ?
DevOps : mission [im]possible ?DevOps : mission [im]possible ?
DevOps : mission [im]possible ?
 
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
2022 APIsecure_Learn from the Past, Secure the Present, Plan for the Future: ...
 
Coding Safe Modern C++ With AUTOSAR Guidelines
Coding Safe Modern C++ With AUTOSAR GuidelinesCoding Safe Modern C++ With AUTOSAR Guidelines
Coding Safe Modern C++ With AUTOSAR Guidelines
 
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
Test Data Management 101—Featuring a Tour of CA Test Data Manager (Formerly G...
 
Alphorm.com Formation KVM
Alphorm.com Formation KVMAlphorm.com Formation KVM
Alphorm.com Formation KVM
 
OpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaSOpenShift, Docker, Kubernetes: The next generation of PaaS
OpenShift, Docker, Kubernetes: The next generation of PaaS
 
Real-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache PinotReal-time Analytics with Presto and Apache Pinot
Real-time Analytics with Presto and Apache Pinot
 

Viewers also liked

vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
Animesh Dixit
 
Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5
Bravo Tecnologia
 
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
Softchoice Corporation
 
SQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni ÖzelliklerSQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni Özellikler
turgaysahtiyan
 

Viewers also liked (20)

vCenter and ESXi network port communications
vCenter and ESXi network port communicationsvCenter and ESXi network port communications
vCenter and ESXi network port communications
 
Ceph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer SpotlightCeph Deployment at Target: Customer Spotlight
Ceph Deployment at Target: Customer Spotlight
 
vSphere 6.5 Upgrade Order
vSphere 6.5 Upgrade OrdervSphere 6.5 Upgrade Order
vSphere 6.5 Upgrade Order
 
20 Common Ports and their purposes
20 Common Ports and their purposes 20 Common Ports and their purposes
20 Common Ports and their purposes
 
Hacking Microsoft Remote Desktop Services for Fun and Profit
Hacking Microsoft Remote Desktop Services for Fun and ProfitHacking Microsoft Remote Desktop Services for Fun and Profit
Hacking Microsoft Remote Desktop Services for Fun and Profit
 
Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5Presentazione Corso VMware vSphere 6.5
Presentazione Corso VMware vSphere 6.5
 
Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5Lançamento do novo vSphere VMware 6.5
Lançamento do novo vSphere VMware 6.5
 
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter ServerNordic VMUG User Conference 2014 - Design VMware vCenter Server
Nordic VMUG User Conference 2014 - Design VMware vCenter Server
 
Limewood Event - VMware
Limewood Event - VMware Limewood Event - VMware
Limewood Event - VMware
 
Cassandra Introduction & Features
Cassandra Introduction & FeaturesCassandra Introduction & Features
Cassandra Introduction & Features
 
System Center 2012 - January Licensing Update
System Center 2012 - January Licensing UpdateSystem Center 2012 - January Licensing Update
System Center 2012 - January Licensing Update
 
Softchoice Webinar Series: VMware vSphere 5.1 Changes
Softchoice Webinar Series: VMware vSphere 5.1 ChangesSoftchoice Webinar Series: VMware vSphere 5.1 Changes
Softchoice Webinar Series: VMware vSphere 5.1 Changes
 
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
You voiced your concerns. VMware listened: Major Adjustments to vSphere 5 lic...
 
SQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni ÖzelliklerSQL Server 2012 ile Gelen Yeni Özellikler
SQL Server 2012 ile Gelen Yeni Özellikler
 
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
Findability Day 2015 Mattias Ellison - Findwise - Enterprise Search and fin...
 
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOLVMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
VMUGIT Meeting Pisa 2015 - SDS secondo VMware: VSAN e VVOL
 
Site Recovery Manager - Una visione architetturale
Site Recovery Manager - Una visione architetturaleSite Recovery Manager - Una visione architetturale
Site Recovery Manager - Una visione architetturale
 
SQL Server Performans İpuçları
SQL Server Performans İpuçlarıSQL Server Performans İpuçları
SQL Server Performans İpuçları
 
Docker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken CochraneDocker at Djangocon 2013 | Talk by Ken Cochrane
Docker at Djangocon 2013 | Talk by Ken Cochrane
 
Virtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
Virtual Space Race: How IT with The Right Stuff Creates a Competitive AdvantageVirtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
Virtual Space Race: How IT with The Right Stuff Creates a Competitive Advantage
 

Similar to How to hack VMware vCenter server in 60 seconds

Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_
VCAP5_wordpress
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdf
testslebew
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
qqlan
 
OSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js TutorialOSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js Tutorial
Tom Croucher
 
VMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and FlexibilityVMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and Flexibility
Paulo Freitas
 

Similar to How to hack VMware vCenter server in 60 seconds (20)

[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!![OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
[OpenStack Day in Korea 2015] Track 1-4 - VDI OpenStack? It Works!!!
 
vCenter Server 5.5 Single Sign-On VMDir deep dive
vCenter Server 5.5 Single Sign-On VMDir deep divevCenter Server 5.5 Single Sign-On VMDir deep dive
vCenter Server 5.5 Single Sign-On VMDir deep dive
 
VMware
VMwareVMware
VMware
 
Configuring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop SitesConfiguring and Troubleshooting XenDesktop Sites
Configuring and Troubleshooting XenDesktop Sites
 
EUC State of the Union 2021
EUC State of the Union 2021EUC State of the Union 2021
EUC State of the Union 2021
 
Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_Vsicm51 m02 virtualization_intro_
Vsicm51 m02 virtualization_intro_
 
Securing your Cloud Environment
Securing your Cloud EnvironmentSecuring your Cloud Environment
Securing your Cloud Environment
 
VDI-in-a-Box installation guide for Lab PCs
VDI-in-a-Box installation guide for Lab PCs VDI-in-a-Box installation guide for Lab PCs
VDI-in-a-Box installation guide for Lab PCs
 
ZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdfZertoCON_Support_Toolz.pdf
ZertoCON_Support_Toolz.pdf
 
CloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and TroubleshootingCloudStack - Top 5 Technical Issues and Troubleshooting
CloudStack - Top 5 Technical Issues and Troubleshooting
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
VSICM8_M02.pptx
VSICM8_M02.pptxVSICM8_M02.pptx
VSICM8_M02.pptx
 
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
Securing a Windows Infrastructure using Windows Server 2012 & Windows 8 Built...
 
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
VMworld Europe 204: Technical Deep Dive on EVO: RAIL, the new VMware Hyper-Co...
 
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
VMworld 2013: Introducing NSX Service Composer: The New Consumption Model for...
 
Automating That "Other" OS
Automating That "Other" OSAutomating That "Other" OS
Automating That "Other" OS
 
SafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual InfrastructureSafeNet ProtectV Data Protection for Virtual Infrastructure
SafeNet ProtectV Data Protection for Virtual Infrastructure
 
Positive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-raysPositive Technologies - S4 - Scada under x-rays
Positive Technologies - S4 - Scada under x-rays
 
OSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js TutorialOSCON 2011 - Node.js Tutorial
OSCON 2011 - Node.js Tutorial
 
VMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and FlexibilityVMWARE Professionals - Security, Multitenancy and Flexibility
VMWARE Professionals - Security, Multitenancy and Flexibility
 

More from Positive Hack Days

Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
Positive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
Positive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
Positive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Positive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
Positive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
Positive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
Positive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 

Recently uploaded (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

How to hack VMware vCenter server in 60 seconds

  • 1. How to hack VMware vCenter server in 60 seconds Alexey Sintsov Alexander Minozhenko
  • 2. Hijacking VMware @asintsov @al3xmin • Pen-testers at Digital Security • Researchers • DCG#7812 / Zeronights • FUN, FUN, FUN © 2002—2012, Digital
  • 3. Hijacking VMware Our target © 2002—2012, Digital
  • 4. Hijacking VMware VMware vCenter Server • VMware vCenter Server is solution to manage VMware vSphere • vSphere – virtualization operating system © 2002—2012, Digital
  • 5. Hijacking VMware Pen-test… • Vmware vCenter version 4.1 update 1 Services: • Update Manager • vCenter Orchestrator • Chargeback • Other • Most of those services has web server © 2002—2012, Digital
  • 6. Hijacking VMware VASTO and CVE-2009-1523 • Directory traversal in Jetty web server http://target:9084/vci/download/health.xml/%3f/../../../../FILE • Discovered by Claudio Criscione • Fixed in VMware Update Manager 4.1 update 1 :( • Who want to pay me for 0day? • Pentester is not resercher? © 2002—2012, Digital
  • 8. Hijacking VMware CVE-2010-1870 • VMware vCenter Orchestrator use Struts2 version 2.11 discovered by Digital Defense, Inc • CVE-2010-1870 Struts2/XWork remote command execution discovered by Meder Kydyraliev Fixed in 4.2 © 2002—2012, Digital
  • 9. Hijacking VMware Details •Struts2 does not properly escape “#” •Could be bypass with unicode “u0023” •2 variables need to be set for RCE •#_memberAccess['allowStaticMethodAccess'] •#context['xwork.MethodAccessor.denyMethodExecution'] © 2002—2012, Digital
  • 10. Hijacking VMware But what about us? • Directory traversal in Jetty web server … AGAIN! http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C.. %5C..FILE.EXT •Metasploit module vmware_update_manager_traversal.rb by sinn3r • We can read any file! But what Claudio Criscione propose to read vpxd-profiler-* - /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680- FB72656A1DCB'/Username=„FakeDomainFakeUser'/SoapSession/Id='A Sorry, patched in 4.1! D45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1 Contains logs of SOAP requests with session ID !!! Discovered by Alexey Sintsov 8) © 2002—2012, Digital
  • 11. Hijacking VMware Attack #1 • Read vpxd-profiler via traversal… • Get Admin’s IP addresses from it… • Read secret SSL key http://target:9084/vci/downloads/...............Documents and SettingsAll UsersApplication DataVMwareVMware VirtualCenterSSLrui.key • ARP-SPOOF with SSL key - PROFIT © 2002—2012, Digital
  • 12. Hijacking VMware VMware vCenter Orchestrator • Vmware vCO – software for automate configuration and management • Install by default with vCenter • Have interesting file C:Program filesVMwareInfrastructureOrchestratorconfigurationj ettyetcpasswd.properties © 2002—2012, Digital
  • 13. Hijacking VMware VMware vCenter Orchestrator Password disclosure Read hash -> crack MD5 -> log on into Orch. -> get vCenter pass © 2002—2012, Digital
  • 14. Hijacking VMware VMware vCenter Orchestrator – more stuff • vCO stored password at files: • C:Program FilesVMwareInfrastructureOrchestratorapp- <virtual-infrastructure-host serverservervmoconfpluginsVC.xml <enabled>true</enabled> • C:Program FilesVMwareInfrastructureOrchestratorapp- <url>https://new-virtual-center-host:443/sdk</url> <administrator-username>vmware</administrator-username> serverservervmoconfvmo.properties <administrator- password>010506275767b74786b383a4a60be767864740329d5fcf 324ec7fc98b1e0aaeef </administrator-password> <pattern>%u</pattern> </virtual-infrastructure-host> © 2002—2012, Digital
  • 15. Hijacking VMware Hmmm…. 006766e7964766a151e213a242665123568256c4031702d4c78454e5b575 f60654b vmware 00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e2 4726079 vcenter • Red bytes look like length • Green bytes in ASCII range • Black bytes random Discovered by Alexey Sintsov and Alexander Minozhenko © 2002—2012, Digital
  • 16. Hijacking VMware 0day still not patched 8) © 2002—2012, Digital
  • 17. Hijacking VMware gg and bb a.sintsov@dsec.ru @asintsov a.minozhenko@dsec.ru @al3xmin © 2002—2012, Digital