Nmap Development mailing list archives

Regarding VMWare and OpenSSH vulns


From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Sat, 23 Jun 2012 13:51:55 +0200

Hi all,

At the last NSE brainstorming meeting, I was tasked with looking
into recent VMWare and OpenSSH vulns and selecting the ones
which would be suitable for NSE scripts. This is what I've found.

VMWare

I've browsed through VMWare security advisories for this year.
Most of the vulns are local privilege escalation and guest-to-host
escape vulns. I have found only three remotely exploitable
vulns, which are pretty specific.
Those are:
http://www.vmware.com/security/advisories/VMSA-2012-0011.html
VMware Virtual Machine Remote Device Denial of Service

VMWare has the ability to attach remote devices, like CDROMs or such, to
a virtual machine. An attacker that controls the remote device can exploit
this vulnerability to cause Denial of Service against the VM.

Since this vulnerability requires control over the remote device,
without it we are unable to check for this vuln. The only way would be
by fingerprinting the VMWare software and matching the vulnerable version.

http://www.vmware.com/security/advisories/VMSA-2012-0009.html
ESX NFS traffic parsing vulnerability

There is a vulnerability in ESX(i) when parsing NFS traffic.
An attacker that can control NFS traffic can exploit this vulnerability to
cause Denial Of Service against the VM or even achieve remote code execution.

The same comment applies to this one. It might not be impossible to trigger the
bug from an NSE script, but it will most certainly be very, very difficult.
Apart from that obvious complexity, the advisory is lax on details, which would
make it even more difficult. Also, it would require a pretty specific ESX setup.

http://www.vmware.com/security/advisories/VMSA-2012-0002.html
The vCenter Chargeback Manager (CBM) contains a flaw in its handling
of XML API requests. This vulnerability allows an unauthenticated
remote attacker to download files from the CBM server or conduct a
denial-of-service against the server.

This one might not be that hard to check for or even exploit. But
again, it is very specific software which I don't think is freely available,
and there is a lack of info in the advisory.


For all these vulnerabilities, the easiest way to check for them is to
match fingerprints.
When we have VMWare Workstation or Player, the only thing we can access
remotely is vmauthd, whose version rarely changes and which doesn't reflect
the VM version. So that one is useless for our purpose.
Another thing is fingerprinting ESX. I've discussed this with David, and
there are already service probes for it, so fingerprinting would be done
by version scan.

I've looked into Metasploit's VMware scripts, and the only two pre-auth
scripts are vmauth brute, which we already have, and ESX
fingerprinting, which I've discussed above.

I must say that I'm somewhat disappointed, as I can't say that any of
these vulns would be suitable for NSE scripts.

Maybe the original author of the idea on the ScriptIdeas page has some
further ideas?


Now for OpenSSH vulns:

The idea here was to go through recent OpenSSH vulns and select ones that
are _practical_ vulns and not theoretical crypto flaws, and select the
ones that would make a nice NSE script.
There is really only one problem here. There weren't that many OpenSSH
vulns in the past 10 years.
The only vuln I could find that might be suitable for an NSE script and
wasn't more than 10 years old was Tavis Ormandy's CRC DoS vuln from
2006, which would very well be detected by version matching.

Believe me, I am as sad as you are that there are no more OpenSSH vulns...
Again, if the original idea author has some specific ideas, please share.

And of course, if anybody has some ideas about these two topics, please
comment.


Thanks,
Aleksandar
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
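The message concludes that, for both the VMWare and the OpenSSH cases, detection comes down to matching the version reported by a version scan. The following NSE script is an added example of that approach; it is not code from the post or from Nmap's own script collection. The threshold `FIXED_IN = "4.4"` is a placeholder assumption, since the message does not state which OpenSSH versions are affected; the script only reads the result of `-sV` and sends no traffic of its own.

```lua
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Added example: flags an OpenSSH server whose version-detected banner is
older than a placeholder threshold, illustrating detection by version
matching. Requires a version scan (-sV) to have identified the service.
]]

author = "example (added illustration, not an Nmap script)"
categories = {"safe", "vuln"}

-- Run only on ports that version detection identified as SSH.
portrule = shortport.port_or_service(22, "ssh")

-- Placeholder threshold: an ASSUMPTION for illustration, not a value
-- stated in the message.
local FIXED_IN = "4.4"

-- Compare the leading dotted-numeric part of two version strings, so that
-- "5.9p1 Debian 5ubuntu1" is compared as 5.9 and "4.3" as 4.3.
local function version_lt(a, b)
  local pa, pb = {}, {}
  for n in (a:match("^[%d%.]+") or ""):gmatch("%d+") do pa[#pa + 1] = tonumber(n) end
  for n in (b:match("^[%d%.]+") or ""):gmatch("%d+") do pb[#pb + 1] = tonumber(n) end
  for i = 1, math.max(#pa, #pb) do
    local x, y = pa[i] or 0, pb[i] or 0
    if x ~= y then return x < y end
  end
  return false
end

action = function(host, port)
  local v = port.version
  -- Without a version-scan result naming OpenSSH, there is nothing to match.
  if not (v and v.product and v.product:find("OpenSSH") and v.version) then
    return nil
  end
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = "OpenSSH older than placeholder threshold " .. FIXED_IN,
    state = vulns.STATE.NOT_VULN,
    description = "Version-match check only; no probe beyond version detection.",
  }
  if version_lt(v.version, FIXED_IN) then
    vuln.state = vulns.STATE.LIKELY_VULN
    vuln.extra_info = "Detected version: " .. v.version
  end
  return report:make_output(vuln)
end
```

Because a banner can be edited or backported fixes can leave the version number unchanged, a LIKELY_VULN result from this kind of script is a prompt to verify, not proof; this is the same limitation the message notes for vmauthd, whose version does not track the product version.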
