CVE-2021-21978 PoC — VMware View Planner code issue vulnerability

Associated Vulnerability
Title: VMware View Planner code issue vulnerability (CVE-2021-21978)
Description: VMware View Planner 4.x prior to 4.6 Security Patch 1 contains a remote code execution vulnerability. Improper input validation and lack of authorization leading to arbitrary file upload in logupload web application. An unauthorized attacker with network access to View Planner Harness could upload and execute a specially crafted file leading to remote code execution within the logupload container.
Description
Exploit script, version with echoed command output
Readme
# CVE-2021-21978
Exploit script with echoed command output; a simpler approach

## 0. Vulnerability details
>The VMware View Planner web management interface exposes an endpoint for uploading log files. The endpoint requires no authentication, and the path to which the uploaded log file is written is controlled by the client. Overwriting the upload handler itself, `log_upload_wsgi.py`, therefore yields RCE.

Vulnerable code:

```python
def application(environ, start_response):
    logger.debug("application called")

    if environ['REQUEST_METHOD'] == 'POST':
        # No authentication or authorization check precedes the file handling.
        post = cgi.FieldStorage(
            fp=environ['wsgi.input'],
            environ=environ,
            keep_blank_values=True
        )

        # TO DO: Put path in some config or read from config if already available
        resultBasePath = "/etc/httpd/html/vpresults"
        try:
            filedata = post["logfile"]
            metaData = post["logMetaData"]

            # logMetaData is client-supplied JSON; itrLogPath and logFileType
            # are read from it and used below without validation.
            if metaData.value:
                logFileJson = LogFileJson.from_json(metaData.value)

            # The directory is created from the unvalidated itrLogPath.
            if not os.path.exists(os.path.join(resultBasePath, logFileJson.itrLogPath)):
                os.makedirs(os.path.join(resultBasePath, logFileJson.itrLogPath))

            if filedata.file:
                if (logFileJson.logFileType == agentlogFileType.WORKLOAD_ZIP_LOG):
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, WORKLOAD_LOG_ZIP_ARCHIVE_FILE_NAME.format(str(logFileJson.workloadID)))
                else:
                    # Both path components come from the request, and os.path.join
                    # does nothing to confine the result to resultBasePath.
                    filePath = os.path.join(resultBasePath, logFileJson.itrLogPath, logFileJson.logFileType)
                with open(filePath, 'wb') as output_file:
                    while True:
                        data = filedata.file.read(1024)
                        # End of file
                        if not data:
                            break
                        output_file.write(data)
```
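As an added example (written for this page; not code from the PoC repository or from VMware), the following is a hardened counterpart to the handler above: both client-supplied metadata fields are validated before any path is built, the resolved destination is checked to remain under the results directory, and a bearer-token comparison stands in for the missing authorization check. The allow-list of log file types, the token scheme, and the helper names (`resolve_upload_path`, `save_log_file`, `is_authorized`, `self_check`) are assumptions for illustration; the product's own `agentlogFileType` enumeration is not shown on the page.

```python
import hmac
import io
import json
import os
import re
import tempfile

# Constructed allow-list of file names the handler may write; the real
# agentlogFileType enumeration is not reproduced on this page.
ALLOWED_LOG_FILE_TYPES = {"workload.log", "agent.log"}
# A path segment may only be a plain name: no separators, no empty pieces.
SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


class UnsafeUploadPath(ValueError):
    """Raised when client metadata would place the upload outside the results tree."""


def is_authorized(environ, expected_token):
    """Bearer-token check (hypothetical scheme) using a constant-time comparison.
    The original handler performs no check of any kind before writing."""
    header = environ.get("HTTP_AUTHORIZATION", "")
    prefix = "Bearer "
    if not header.startswith(prefix):
        return False
    return hmac.compare_digest(header[len(prefix):], expected_token)


def resolve_upload_path(result_base_path, itr_log_path, log_file_type):
    """Build the destination path from the two client-supplied fields, refusing
    anything that is not a plain relative directory plus an allowed file name."""
    if log_file_type not in ALLOWED_LOG_FILE_TYPES:
        raise UnsafeUploadPath("log file type not allowed: %r" % (log_file_type,))
    if os.path.isabs(itr_log_path):
        raise UnsafeUploadPath("absolute itrLogPath rejected")
    segments = itr_log_path.replace("\\", "/").split("/")
    for seg in segments:
        # '.' and '..' pass the character class above, so reject them explicitly.
        if seg in ("", ".", "..") or not SAFE_SEGMENT.match(seg):
            raise UnsafeUploadPath("bad path segment: %r" % (seg,))
    base = os.path.realpath(result_base_path)
    candidate = os.path.realpath(os.path.join(base, *segments, log_file_type))
    # Second, independent guard: the resolved path must still lie under base.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeUploadPath("resolved path escapes the results directory")
    return candidate


def save_log_file(result_base_path, meta_json, upload_stream):
    """Hardened equivalent of the write loop: nothing touches the filesystem
    until the metadata has been validated. Returns (path, bytes_written)."""
    meta = json.loads(meta_json)
    dest = resolve_upload_path(result_base_path,
                               meta.get("itrLogPath", ""),
                               meta.get("logFileType", ""))
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    written = 0
    with open(dest, "wb") as output_file:
        while True:
            data = upload_stream.read(1024)
            if not data:
                break
            output_file.write(data)
            written += len(data)
    return dest, written


def self_check():
    """Exercise the guards on constructed inputs in a temporary directory.
    Returns (bytes_written, traversal_rejected, type_rejected, auth_ok, auth_bad)."""
    base = tempfile.mkdtemp(prefix="vpresults-")
    _, written = save_log_file(
        base, '{"itrLogPath": "run1/iter2", "logFileType": "agent.log"}',
        io.BytesIO(b"constructed log\n"))

    def rejects(itr, ftype):
        try:
            resolve_upload_path(base, itr, ftype)
        except UnsafeUploadPath:
            return True
        return False

    # Parent-directory segments and a file name outside the allow-list
    # (such as the handler's own module) must both be refused.
    traversal_rejected = rejects("run1/../../escape", "agent.log")
    type_rejected = rejects("run1", "log_upload_wsgi.py")
    auth_ok = is_authorized({"HTTP_AUTHORIZATION": "Bearer example-token"}, "example-token")
    auth_bad = is_authorized({}, "example-token")
    return written, traversal_rejected, type_rejected, auth_ok, auth_bad


if __name__ == "__main__":
    print(self_check())
```

The two guards in `resolve_upload_path` are deliberately redundant: the segment allow-list rejects traversal and separators up front, and the `realpath`/`commonpath` comparison catches anything the first check might miss (symlinks inside the results tree, for instance). The allow-list on `logFileType` is what prevents a request from naming an executable module as its destination even when the directory is legitimate.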



## 1. Dependencies

```
pip install requests
```



## 2. Detection

```
git clone https://github.com/skytina/CVE-2021-21978
cd CVE-2021-21978
python3 CVE-2021-21978.py https://192.168.80.3/
```

![image-20210305162131318](./images/detect.png)



## 3. Exploitation

The exploit script rewrites `log_upload_wsgi.py`, turning it into a backdoor.

![image-20210305162339613](./images/backdoor.png)

## 4. References

Exploit source: https://twitter.com/osama_hroot/status/1367258907601698816

VMware advisory: https://www.vmware.com/security/advisories/VMSA-2021-0003.html



## Disclaimer

- The tool is only used for security testing and research by security personnel. Any direct or indirect consequences and losses caused by unauthorized testing are the responsibility of the user.



If you found the above helpful, you can follow the WeChat official account:



![](./images/qrcode_for_gh_0b1156c93460_258.jpg)
File Snapshot

```
[4.0K] /data/pocs/e7bb1b4b98db577a321c6755a919070f44db5aa9
├── [2.5K] CVE-2021-21978.py
├── [4.0K] images
│   ├── [107K] backdoor.png
│   ├── [121K] detect.png
│   └── [ 27K] qrcode_for_gh_0b1156c93460_258.jpg
├── [4.3K] payload.txt
├── [2.8K] README.md
└── [4.2K] upload.txt

1 directory, 7 files
```