By kannthu
The "VMware Detection" module is designed to detect vulnerabilities in VMware vCenter servers. It sends a POST request containing a SOAP payload to a vCenter server to obtain version information. This module was created by elouhi and has an informative severity level.
This module helps identify potential vulnerabilities in VMware vCenter servers, allowing users to take appropriate action to secure their systems. By detecting vulnerabilities, it helps prevent potential security breaches and data leaks.
The "VMware Detection" module uses a specific HTTP request template to interact with the target vCenter server. Here is an example of the request:
```http
POST /sdk/ HTTP/1.1
Host: {%Hostname%}

<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap:Header>
    <operationID>00000001-00000001</operationID>
  </soap:Header>
  <soap:Body>
    <RetrieveServiceContent xmlns="urn:internalvim25">
      <_this xsi:type="ManagedObjectReference" type="ServiceInstance">ServiceInstance</_this>
    </RetrieveServiceContent>
  </soap:Body>
</soap:Envelope>
```
The module then applies matching conditions to the response received from the vCenter server. The following conditions are used:
- The response status must be 200.
- The response body must contain either "ha-folder-root" or "RetrieveServiceContentResponse".
- The response header must contain the word "text/xml".

If all the matching conditions are met, the module reports a vulnerability.
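The matching conditions above, written out as an added example (not the module's own code): it evaluates them against responses already collected from your own inventory and pulls the version fields from the `about` element of a match. The sample responses are constructed, the field names are those of the vSphere API `AboutInfo` type, and treating "header" as the whole header block is an assumption.

```python
import xml.etree.ElementTree as ET

BODY_WORDS = ("ha-folder-root", "RetrieveServiceContentResponse")
ABOUT_FIELDS = ("fullName", "version", "build", "apiType")


def matches(status, headers, body):
    """Apply the three matchers from the page; all of them must hold."""
    # Assumption: "header" means the header block, names and values together.
    header_blob = "\n".join(f"{k}: {v}" for k, v in headers.items())
    return (
        status == 200
        and any(word in body for word in BODY_WORDS)
        and "text/xml" in header_blob
    )


def about_info(body):
    """Return AboutInfo fields from a RetrieveServiceContentResponse, or {}."""
    if "<!DOCTYPE" in body or "<!ENTITY" in body:
        return {}  # a SOAP reply carries no DTD; refuse entity tricks from the peer
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    info = {}
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "about":  # compare names without namespace
            continue
        for child in elem:
            name = child.tag.rsplit("}", 1)[-1]
            if name in ABOUT_FIELDS and child.text:
                info[name] = child.text.strip()
    return info


# Constructed sample responses (placeholder values, not captured from a real server).
SAMPLE_HIT = (200, {"Content-Type": "text/xml; charset=utf-8"}, """\
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><RetrieveServiceContentResponse xmlns="urn:vim25"><returnval>
<rootFolder type="Folder">group-d1</rootFolder>
<about><fullName>VMware vCenter Server 0.0.0 build-0000000</fullName>
<version>0.0.0</version><build>0000000</build><apiType>VirtualCenter</apiType></about>
</returnval></RetrieveServiceContentResponse></soapenv:Body></soapenv:Envelope>""")
SAMPLE_HTML = (200, {"Content-Type": "text/html"}, "<html>RetrieveServiceContentResponse</html>")
SAMPLE_FAULT = (500, {"Content-Type": "text/xml"}, "<Fault>RetrieveServiceContentResponse</Fault>")

if __name__ == "__main__":
    for label, resp in [("hit", SAMPLE_HIT), ("html", SAMPLE_HTML), ("fault", SAMPLE_FAULT)]:
        print(label, matches(*resp), about_info(resp[2]))
```

The HTML and fault samples show why all three conditions are combined: a body keyword alone also appears in error pages and unrelated content.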
For more information, you can refer to the following references:
- https://www.pwndefend.com/2021/09/23/exposed-vmware-vcenter-servers-around-the-world-cve-2021-22005/
- https://svn.nmap.org/nmap/scripts/vmware-version.nse