
CVE-2022-22972

POC for CVE-2022-22972 affecting VMware Workspace ONE, vIDM, and vRealize Automation 7.6.

Technical Analysis

A technical root cause analysis of the vulnerability can be found on our blog: https://www.horizon3.ai/vmware-authentication-bypass-vulnerability-cve-2022-22972-technical-deep-dive

Summary

This script can be used to bypass authentication on vRealize Automation 7.6 using CVE-2022-22972. Workspace ONE Access and vIDM expose different authentication endpoints, but the root cause of the vulnerability is the same. We're happy to accept pull requests if you have test instances of those products to verify the flow against.

This script works by changing the Host header of an HTTP POST request to a VMware authentication endpoint so that it names a host controlled by the attacker. The application uses the client-supplied Host header to build the URL it contacts during the authentication exchange, so instead of talking to itself it reaches out to the attacker's host with the (bogus) credential information; if that host replies with HTTP 200, the application treats the login as successful and the user is authenticated without valid credentials.

The script results in an HZN session cookie, which can be included with later requests to perform actions as the compromised user.

NOTE: With its default arguments the script sends the authentication request to our AWS API gateway, which is configured to reply with a 200 for the specific endpoint mentioned in the blog. You can change this with the --host option. That endpoint receives no sensitive data during the exploit flow, only the request from the vulnerable application carrying the bogus auth header, to which it replies 200.
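To make the trust boundary concrete, the following is an added example, not code from this repository or from VMware: it models the flaw in plain Python, with the vulnerable path building the URL it contacts during authentication from the client-supplied Host header and accepting any 200, and the hardened path only accepting hosts from a configured allowlist. The appliance FQDN, the callback path, the token format and the stand-in transport are assumptions for the example, not values taken from the product.

```python
"""Model of the Host-header trust flaw behind CVE-2022-22972 (illustrative,
not VMware's code). Vulnerable path: the Host header the client sent becomes
the authority of a server-side request made during login, and an HTTP 200
from that host is taken as a successful authentication. Hardened path: only
hosts on a configured allowlist may be contacted."""
import secrets
from typing import Callable, Optional
from urllib.parse import urlsplit

# Constructed values for the example; the real appliance name, callback
# path and token format are assumptions, not taken from the original page.
APPLIANCE_FQDN = "vra-app01.vra.intranet"
CALLBACK_PATH = "/auth/callback"        # assumed path, not the real endpoint
ALLOWED_HOSTS = {APPLIANCE_FQDN}


def normalize_host(host: str) -> str:
    """Lower-case and strip an explicit port so 'evil.example:443' and
    'evil.example' compare equal. IPv6 literals keep their brackets."""
    host = host.strip().lower()
    if host.startswith("["):                       # e.g. [::1]:8443
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def build_callback_url(request_host: str,
                       allowlist: Optional[set] = None) -> Optional[str]:
    """Vulnerable when allowlist is None: whatever the client put in Host is
    used verbatim as the authority. Hardened when an allowlist is given:
    a Host that is not ours yields None and the login is refused."""
    if allowlist is not None and normalize_host(request_host) not in allowlist:
        return None
    return f"https://{request_host}{CALLBACK_PATH}"


def authenticate(request_host: str,
                 fetch: Callable[[str], int],
                 allowlist: Optional[set] = None) -> Optional[str]:
    """Simulate the server-side flow described in the README: contact the
    callback URL, treat HTTP 200 as a successful login and mint a session
    token. The real product issues an HZN JWT; here it is random hex."""
    url = build_callback_url(request_host, allowlist)
    if url is None:
        return None                                # hardened path: rejected
    if fetch(url) == 200:
        return "HZN=" + secrets.token_hex(16)
    return None


def fake_fetch(url: str) -> int:
    """Stand-in transport (constructed): the legitimate appliance rejects
    the bogus credentials with 401; an attacker-controlled host, like the
    --host responder in the README, answers 200 to anything."""
    host = normalize_host(urlsplit(url).netloc)
    return 401 if host == APPLIANCE_FQDN else 200


def demo() -> dict:
    """Run the four interesting combinations and return the outcomes."""
    attacker = "attacker.example:443"
    return {
        "legit_vulnerable": authenticate(APPLIANCE_FQDN, fake_fetch),
        "attacker_vulnerable": authenticate(attacker, fake_fetch),
        "attacker_hardened": authenticate(attacker, fake_fetch, ALLOWED_HOSTS),
        "legit_hardened_url": build_callback_url(APPLIANCE_FQDN, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The vulnerable run mints a token for the attacker's Host while refusing the genuine one (the appliance itself rejects the bogus credentials), which is exactly the inversion the PoC relies on; the hardened run never contacts the attacker's host at all. Comparing the normalized host against an allowlist, rather than against a substring or a regex, is the check to port to a reverse proxy in front of an unpatched appliance.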

Usage

dev@ubuntu:~/vmware/vra/exploit$ python3 CVE-2022-22972.py https://vra-app01.vra.intranet
Extracting state from vcac redirects...
Sending POST to auth endpoint

HZN=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9....Kkq2UnmqpW6yJb3GGCp7dSXc5PlU1y8YyDULIYLHIvYlB3OC4j5xFDy91a2tk4bi1lAUITymV-NUgweoCl15LXFVfBFYLEs-OAvMLKZhhGnFF-BrxmyYLPJutkxsi-gL0rF4VmYykuYw9tdUY2DghWiGGZ6QTYOts21QUzcvU-8

Set the HZN cookie in your browser to bypass authentication

Mitigations

Update to a fixed version, or apply the workaround described in VMware's advisory for this vulnerability (VMSA-2022-0014).
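Until an appliance is patched, the request the PoC sends is visible in the web server's access log as a POST to the authentication endpoint arriving under a Host header the appliance does not own. The following is an added detection sketch, not part of this repository, that scans such log lines. The log format (Apache "combined" with the Host header appended as a trailing quoted field), the endpoint prefix and the sample lines are constructed for the example; adjust LINE_RE and AUTH_PATH_PREFIXES to the real server configuration.

```python
"""Added detection sketch: flag POSTs to the authentication endpoint whose
Host header is not one of the appliance's own names. Log format, endpoint
prefix and sample lines are constructed for this example."""
import re
from typing import Dict, Iterable, List, Optional

# Assumed format: Apache "combined" plus the Host header in a trailing quoted field.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

ALLOWED_HOSTS = {"vra-app01.vra.intranet"}   # names the appliance is legitimately served under
AUTH_PATH_PREFIXES = ("/SAAS/auth/",)         # assumed; set to the real auth endpoint(s)


def host_only(host: str) -> str:
    """Lower-case and drop an explicit port (DNS names and IPv4 only)."""
    return host.strip().lower().split(":")[0]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does
    not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_host_spoofed_auth(rec: Dict[str, str]) -> bool:
    """A POST to the auth endpoint under a Host we do not own is exactly the
    request the PoC sends; a 302 or 200 on such a line means it succeeded."""
    return (rec["method"] == "POST"
            and rec["path"].startswith(AUTH_PATH_PREFIXES)
            and host_only(rec["host"]) not in ALLOWED_HOSTS)


def scan(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the suspicious records (timestamp, source, Host, path, status)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                          # unparseable line; count separately if needed
        if is_host_spoofed_auth(rec):
            hits.append({k: rec[k] for k in ("ts", "src", "host", "path", "status")})
    return hits


# Constructed sample lines: a page load, a normal login, one login with a
# spoofed Host, one legitimate Host written with different case and an
# explicit port, and one line that does not parse.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/May/2022:10:01:02 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 4123 "-" "Mozilla/5.0" "vra-app01.vra.intranet"',
    '10.0.0.5 - - [19/May/2022:10:01:09 +0000] "POST /SAAS/auth/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "vra-app01.vra.intranet"',
    '203.0.113.7 - - [19/May/2022:10:02:41 +0000] "POST /SAAS/auth/login HTTP/1.1" 302 0 "-" "python-requests/2.27.1" "attacker.example"',
    '10.0.0.9 - - [19/May/2022:10:03:00 +0000] "POST /SAAS/auth/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "VRA-APP01.vra.intranet:443"',
    'garbage line that does not match the format',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The Host header only appears in the log if the log format records it (for Apache, a `%{Host}i` field), so check the format before trusting an empty result; on a reverse proxy in front of the appliance the same comparison can be enforced inline rather than hunted after the fact.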

Follow the Horizon3.ai Attack Team on Twitter for the latest security research.

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
