VM Stealing: The Nmap way (CVE-2009-3733 exploit)

Greetings!

If you were at Shmoocon this past weekend, you might remember a talk on Friday, given by Justin Morehouse and Tony Flick, on VMWare Guest Stealing. If you don't, you probably started drinking too early. :)

Anyway, somebody in the audience asked if there was a Nessus or Nmap script to detect this vulnerability. If I were the kind to yell things out, I would have yelled "there will be!" -- and now, there is. It'll be included in the next full version of Nmap, but in the meantime here's how you can do it yourself.

Requires: Nmap 5.10BETA1 or higher (download directory)

Script: http://www.skullsecurity.org/blogdata/http-vmware-path-vuln.nse

Instructions: http://www.skullsecurity.org/blog/?p=459

Details

This is a directory-traversal vulnerability in the VMWare management interface, which is a Web server. All you have to do is add enough "../" sequences to the URL, follow them with the path you want, and it'll let you grab any file on the filesystem. I'm not kidding, but I wish I was. You can even do the classic (here with ".." URL-encoded as %2E%2E): https://x.x.x.x/sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd

The applicable vulnerability identifiers are: CVE-2009-3733, VMSA-2009-0015.

The Nmap script simply downloads, parses, and displays the virtual machine inventory (assuming you're in verbose mode -- without verbose, it only prints 'VULNERABLE'). The exploit released at Shmoocon will download the full VMware disk (.vmdk) file, or you can do it yourself with your browser or wget.
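For the defender's side of the same traffic, here is an added Python example (not part of the original post or of the Nmap script) that scans an NCSA-style web access log for requests like the one above, percent-decodes the path until it stops changing (so %2E%2E and double-encoded %252E%252E both come out as ".."), flags any ".." segment, and records whether the server answered 200, since a traversal request that was actually served is what separates an unpatched host from one that refused. The log lines are constructed samples, the log format is an assumption to adapt to whatever your web server or reverse proxy writes, and the vmInventory.xml path in one sample line is assumed rather than taken from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in NCSA common log format (not from a real server).
# The /etc/vmware/hostd/vmInventory.xml path is an assumed inventory location.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Feb/2010:22:14:01 -0500] "GET /sdk/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/%2E%2E/etc/passwd HTTP/1.1" 200 1203
10.0.0.5 - - [07/Feb/2010:22:14:03 -0500] "GET /sdk/../../../../../../etc/vmware/hostd/vmInventory.xml HTTP/1.1" 200 812
192.168.1.20 - - [07/Feb/2010:22:15:10 -0500] "GET /sdk/vimService.wsdl HTTP/1.1" 200 4410
192.168.1.21 - - [07/Feb/2010:22:16:44 -0500] "GET /ui/ HTTP/1.1" 200 2210
10.0.0.9 - - [07/Feb/2010:22:17:02 -0500] "GET /sdk/%252E%252E/%252E%252E/etc/shadow HTTP/1.1" 404 310
"""

# Common log format: client, ident, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path segment: at the start, between slashes, or at the end of the path.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalise_path(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the result stops changing.

    One round turns %2E%2E into "..", a second round catches double-encoded
    %252E%252E; max_rounds bounds the work on hostile input.
    """
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators too, so a "..\" variant is not missed.
    return path.replace('\\', '/')


def is_traversal(raw_path: str) -> bool:
    """True if the request path contains a ".." segment after decoding."""
    return TRAVERSAL_RE.search(normalise_path(raw_path)) is not None


def find_traversal_attempts(log_text: str) -> list:
    """Return one record per request whose path climbs above the web root.

    'served' is True when the server answered 200: a traversal request that
    was actually served is the signature of an unpatched host, whereas a
    patched host (or a filtering proxy) answers with an error.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as common log format
        if not is_traversal(m['path']):
            continue
        hits.append({
            'ip': m['ip'],
            'timestamp': m['ts'],
            'path': m['path'],
            'decoded': normalise_path(m['path']),
            'status': int(m['status']),
            'served': m['status'] == '200',
        })
    return hits


def attempts_by_source(hits: list) -> dict:
    """Count traversal attempts per source address for quick triage."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = find_traversal_attempts(SAMPLE_LOG)
    for h in found:
        flag = 'SERVED' if h['served'] else 'blocked'
        print(f"{h['timestamp']} {h['ip']:>14} {flag:>7} {h['decoded']}")
    print('per-source counts:', attempts_by_source(found))
```

Run it directly to see the three flagged requests from the sample; two were served with 200 and would warrant treating the host as compromised rather than merely probed. The decode loop, not a literal match on "%2E%2E", is the important part: matching only the encoding a published exploit happens to use misses the plain "../" form and the double-encoded one.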

Mitigation

DO NOT let anybody have access to the VMWare management interface (the web server). It should be on a separate network. That makes this attack significantly more difficult to perform.

Other than that, install the patches from the advisory.

UPDATE: I forgot to mention the punchline: ESX/ESXi run the Web server as root. /etc/shadow is fair game!

9 thoughts on “VM Stealing: The Nmap way (CVE-2009-3733 exploit)”

  1. J

    Where's the link to this .nse?

    1. Ron (Post author)

      In the next post -- http://www.skullsecurity.org/blog/?p=441

      This was intended as a generic/instructional post.

      Ron

  2. Ron (Post author)

    Sorry, I'm an idiot and posted the wrong link. Everything's fixed now. :)

  3. MemphisBytes

    Thanks Ron -- helps a lot. Some peeps may even have work to do tonight/tomorrow :)

    I also used the GuestStealer perl script, which also worked wonderfully well, each confirming the other worked. (After I realized I had to add a perl library or two ;))

    --
    MB

    1. Ron (Post author)

      Sweet, I'm glad to hear it!

  4. MemphisBytes

    Hey Ron,

    Am I correct in thinking that if there is no vulnerability (i.e. it's patched :)) nmap doesn't report any additional output (such as "clean" or "patched")?

    1. Ron (Post author)

      MemphisBytes: That is correct, there is no output for patched servers. The reason being, there's no obvious way to tell a 'patched' VMWare server from, say, Google. It either has the vulnerability, or it won't serve me the web site.

      And yeah, I am aware of 8222/8333 -- I put them in my @usage at the top of the .nse file. Hopefully people are aware... probably not, though. :)

  5. MemphisBytes

    Lastly - just wanted to point out as a reminder that you should scan for ports 8222 and 8333 (SSL) if you are looking for or interested in finding any VM Server version out there on your network. (Guess you can just add them to your scan for 80,443 really :)) (The Nmap script finds them nicely too) :)

  6. MemphisBytes

    You know we don't read -- we just use lol

    Take take take ....

    I used the script to send results to a file and grepped out the VMware from the http 'version' string (nmap's handy -A option); that way I hopefully see what I need to concentrate on.

    Thanks again.
