Nmap Development mailing list archives
Regarding VMWare and OpenSSH vulns
From: Aleksandar Nikolic <nikolic.alek () gmail com>
Date: Sat, 23 Jun 2012 13:51:55 +0200
Hi all,

On the last NSE brainstorming meeting, I was tasked with looking into recent VMWare and OpenSSH vulns and selecting the ones which would be suitable for NSE scripts. This is what I've found.

VMWare

I've browsed through VMWare security advisories for this year. Most of the vulns are local privilege escalation and guest-to-host escape vulns. I have found only three remotely exploitable vulns, which are pretty specific. Those are:

http://www.vmware.com/security/advisories/VMSA-2012-0011.html
VMware Virtual Machine Remote Device Denial of Service

VMWare has the ability to attach remote devices, like CDROMs or such, to a virtual machine. An attacker that controls the remote device can exploit this vulnerability to cause Denial of Service against the VM. Since this vulnerability requires control over the remote device, without it we are unable to check for this vuln. The only way would be by fingerprinting the VMWare software and matching the vulnerable version.

http://www.vmware.com/security/advisories/VMSA-2012-0009.html
ESX NFS traffic parsing vulnerability

There is a vulnerability in ESX(i) when parsing NFS traffic. An attacker that can control NFS traffic can exploit this vulnerability to cause Denial of Service against the VM or even achieve remote code execution. The same comment applies for this one. It might not be impossible to trigger the bug by an NSE script, but it will most certainly be very very difficult. Apart from that obvious complexity, the advisory is lax on details, which would make it even more difficult. Also, it would require a pretty specific ESX setup.

http://www.vmware.com/security/advisories/VMSA-2012-0002.html

The vCenter Chargeback Manager (CBM) contains a flaw in its handling of XML API requests. This vulnerability allows an unauthenticated remote attacker to download files from the CBM server or conduct a denial-of-service against the server. This one might not be that hard to check for or even exploit. But again, very specific software which I don't think is freely available, and lack of info in the advisory.

For all these vulnerabilities, the easiest way to check for them is to match fingerprints. When we have VMWare Workstation or Player, the only thing we can access remotely is vmauthd, whose version rarely changes and which doesn't reflect the VM version. So that one is useless for our purpose. Another thing is fingerprinting ESX. I've discussed this with David, and there are already service probes for it, so fingerprinting would be done by version scan. I've looked into metasploit's vmware scripts, and the only two pre-auth scripts are vmauth brute, which we already have, and ESX fingerprinting, which I've discussed above.

I must say that I'm somewhat disappointed, as I can't say that any of these vulns would be suitable for NSE scripts. Maybe the original author of the idea on the ScriptIdeas page has some further ideas?

Now for OpenSSH vulns:

The idea here was to go through recent OpenSSH vulns and select ones that are _practical_ vulns and not theoretical crypto flaws, and select the ones that would make a nice NSE script. There is really only one problem here. There weren't that many OpenSSH vulns in the past 10 years. The only vuln I could find that might be suitable for an NSE script and wasn't more than 10 years old was Tavis Ormandy's CRC DoS vuln from 2006, which would very well be detected by version matching. Believe me, I am as sad as you are that there are no more OpenSSH vulns...

Again, if the original idea author has some specific ideas, please share. And of course, if anybody has some ideas about these two topics, please comment.

Thanks,
Aleksandar

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
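The "version matching" approach the message settles on for the OpenSSH case, as an added NSE script sketch that is not part of the original post or of the Nmap tree: it reads the product and version that `-sV` fills into `port.version` and compares the parsed OpenSSH version against a cutoff. The cutoff value `CUTOFF` is a placeholder assumption, not a boundary taken from any advisory, and `parse_version`/`older_than` are helper names chosen here.

```lua
local shortport = require "shortport"
local string = require "string"

description = [[
Illustrative version-match check: reports an OpenSSH service whose banner
version is below an assumed cutoff. Needs -sV so that port.version is set.
A version match is not a live test: it only says the banner looks affected.
]]

author = "example (added illustration, not an Nmap script)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Placeholder assumption: {major, minor} below which the banner is reported.
-- Set this from the advisory being checked; it is not taken from one here.
local CUTOFF = {9, 9}

portrule = shortport.port_or_service(22, "ssh")

-- Parse banners such as "5.3p1" or "4.4" into {major, minor}.
-- Returns nil when the string is absent or does not start with N.N.
local function parse_version(v)
  if not v then return nil end
  local major, minor = string.match(v, "^(%d+)%.(%d+)")
  if not major then return nil end
  return {tonumber(major), tonumber(minor)}
end

-- True when version a is strictly older than b (major, then minor).
local function older_than(a, b)
  if a[1] ~= b[1] then return a[1] < b[1] end
  return a[2] < b[2]
end

action = function(host, port)
  -- Without -sV, product is nil and the script stays silent.
  if not port.version or port.version.product ~= "OpenSSH" then
    return nil
  end
  local ver = parse_version(port.version.version)
  if not ver then
    return "OpenSSH seen, but version string not parsable: "
      .. tostring(port.version.version)
  end
  if older_than(ver, CUTOFF) then
    return string.format(
      "OpenSSH %s is below cutoff %d.%d (banner match only, not a live test)",
      port.version.version, CUTOFF[1], CUTOFF[2])
  end
  return nil
end
```

Run it as `nmap -sV --script ./thisfile.nse <target>`; without `-sV` the banner fields are empty and the script reports nothing, which is the same limitation the message notes for vmauthd.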