description = [[
VMware vCenter Server CVE-2021-21972 RCE Vulnerability - Check
Este script de Nmap busca verificar la vulnerabilidad CVE-2021-21972 en la siguiente ruta
"/ui/vropspluginui/rest/services/uploadova" mediante una solicitud POST e interpretando la
respuesta HTTP 500 si se encuentra la palabra "uploadFile", eso significa que vCenter está
disponible para aceptar archivos vía POST sin restricciones
Este script está basado en el script original de Alex Hernandez aka alt3kx (https://github.com/alt3kx/CVE-2021-21972)
References:
https://app.howlermonkey.io/vulnerabilities/CVE-2021-21972
https://www.vmware.com/security/advisories/VMSA-2021-0002.html
]]
---
-- @usage
-- nmap -p443 --script cve-2021-21972.nse <target>
-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | CVE-2021-21972:
-- | VULNERABLE:
-- | vCenter 6.5-7.0 RCE
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2021-21972
-- | Risk factor: HIGH CVSS: 9.8
-- | The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
-- | A malicious actor with network access to port 443 may exploit this issue to execute commands with
-- | unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects
-- | VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware
-- | Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
-- | Disclosure date: 2021-02-23
-- | References:
-- | https://app.howlermonkey.io/vulnerabilities/CVE-2021-21972
-- |_ https://www.vmware.com/security/advisories/VMSA-2021-0002.html

-- Script metadata read by the Nmap Scripting Engine.
author= "Edgar Salazar <edgar.salazar@guayoyo.io>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
-- NOTE(review): the action below only probes two endpoints and reports a
-- state; it does not upload anything. Whether the "exploit" category is
-- appropriate for a check-only script is worth confirming.
categories = {"vuln", "exploit"}

-- NSE libraries used by the action below.
local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"   -- NOTE(review): not referenced anywhere in this file as shown
local string = require "string"
local vulns = require "vulns"

-- Run the action against every port Nmap has identified as an HTTP service.
portrule = shortport.http
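--- Script action: probes the vROps plugin REST endpoints on the target and
-- reports the CVE-2021-21972 state through the vulns library.
-- @param host Nmap host table
-- @param port Nmap port table (selected by portrule)
-- @return formatted vulns report for this host/port
action = function(host, port)
  -- Vulnerability record handed to the vulns library. It starts as NOT_VULN
  -- and is only upgraded on positive evidence from the probes below.
  local vuln = {
    title = "vCenter 6.5-7.0 RCE",
    state = vulns.STATE.NOT_VULN,
    risk_factor = "HIGH",
    scores = {
      CVSS = "9.8",
    },
    IDS = { CVE = 'CVE-2021-21972' },
    description = [[
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin.
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted
privileges on the underlying operating system that hosts vCenter Server.
This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and
VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
]],
    references = {
      'https://app.howlermonkey.io/vulnerabilities/CVE-2021-21972',
      'https://www.vmware.com/security/advisories/VMSA-2021-0002.html'
    },
    dates = {
      disclosure = {year = '2021', month = '02', day = '23'},
    },
  }

  local report = vulns.Report:new(SCRIPT_NAME, host, port)

  -- Request options shared by both probes. The original code built this
  -- table but never passed it to http.post/http.get, so the custom
  -- User-Agent was silently dropped; it is now forwarded on both requests.
  local options = {
    header = { ['User-Agent'] = "Guayoyo - Mozilla/5.0 (compatible; vCenter)" },
  }

  -- Primary check: an unauthenticated POST to the upload endpoint. An HTTP
  -- 500 whose body mentions "uploadFile" is the heuristic described in the
  -- script header and is reported as exploitable.
  local response = http.post(host, port, "/ui/vropspluginui/rest/services/uploadova", options)
  -- Guard against a missing body: string.find on nil would abort the script.
  local body = (response and response.body) or ""

  if response and response.status == 500 then
    -- Plain find: the needle contains no pattern magic characters, so this
    -- is equivalent to the original match-and-compare but cheaper and clearer.
    if string.find(body, "uploadFile", 1, true) then
      vuln.state = vulns.STATE.EXPLOIT
    end
  else
    -- Fallback: the plugin's status endpoint answering 200 with "States" in
    -- the body shows the vulnerable plugin is present and reachable. This is
    -- weaker evidence than the POST check, hence LIKELY_VULN rather than EXPLOIT.
    response = http.get(host, port, "/ui/vropspluginui/rest/services/getstatus", options)
    body = (response and response.body) or ""
    if response and response.status == 200 and string.find(body, "States", 1, true) then
      vuln.state = vulns.STATE.LIKELY_VULN
    end
  end

  return report:make_output(vuln)
end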