VMware vRealize Log Insight Unauthenticated Remote Code Execution

Secure your products with top-tier expert knowledge and advanced Penetration Testing (CREST Approved)

Let's collaborate to build and maintain secure products

We transform threats into trust by integrating advanced tech and expertise in product security. Our approach encompasses Security by Design, rigorous security assurance and penetration testing, and compliance through expert documentation, from design to post-market.

We offer CREST-approved pen testing in EMEA, upholding top security standards.Cyber Legion - CREST Approved

VMware vRealize Log Insights versions 8.x contain multiple vulnerabilities, such as directory traversal, broken access control, deserialization, and information disclosure. When chained together, these vulnerabilities allow a remote, unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. This Metasploit module achieves code execution via triggering a RemotePakDownloadCommand command via the exposed thrift service after obtaining the node token by calling a GetConfigRequest thrift command. After the download, it will trigger a PakUpgradeCommand for processing the specially crafted PAK archive, which then will place the JSP payload under a certain API endpoint (pre-authenticated) location upon extraction for gaining remote code execution. Successfully tested against version 8.0.2.   Exploit Files ≈ Packet Storm 

 

More To Explore