7*7 = a simple equation for taking total control of multiple VMware-powered clouds

Ethical hackers detail how they popped vCloud Director, the tool Virtzilla offers to service providers hosting pods of private clouds


Ethical hacking firm Citadelo has explained a bug it discovered which allowed complete takeover of multiple VMware-powered clouds.

The flaw, CVE-2020-3956, was thankfully patched in mid-May. We say thankfully because it impacted vCloud Director, the tool VMware recommends service providers use to run multiple clouds for their customers or big users run to manage multiple private clouds. Popping vCloud Director is therefore a way into potentially hundreds of organisations’ resources, or to gain a way into a broad VMware estate at a big user.

The hack allowed the following actions:

  • View content of the internal system database, including password hashes of any customers allocated to this infrastructure.
  • Modify the system database to steal foreign virtual machines (VM) assigned to different organizations within Cloud Director.
  • Escalate privileges from “Organization Administrator” (normally a customer account) to “System Administrator” with access to all cloud accounts (organization) as an attacker can change the hash for this account.
  • Modify the login page to Cloud Director, which allows the attacker to capture passwords of another customer in plaintext, including System Administrator accounts.
  • Read other sensitive data related to customers, like full names, email addresses or IP addresses.

So how was this possible? Citadelo penetration testers Tomáš Melicher and Lukáš Václavík explained that during a penetration test they tried using ${7*7} as a hostname for the SMTP server in vCloud Director.

Doing so produced the following error:

 String value has invalid format, value: [49]

That was telling because it suggested something on the server side was executing the contents of the ${ } construct – and multiplying 7 by 7 to produce the value 49. Citadelo’s people therefore placed some Java code in the ${ } construct in the hostname, found that executed, too, and were able to go deeper and deeper until they owned one cloud.
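The defensive lesson from that error is that an SMTP hostname field should never reach an expression evaluator: a strict allowlist check rejects the ${7*7} probe before anything interprets it. The following Python is an added example, not Citadelo's or VMware's code; it validates a submitted hostname against RFC 1123 label rules, flags expression-language delimiters, and runs the same check over a few constructed audit lines (the log format and tenant names are assumptions for illustration).

```python
import re
from typing import List, Tuple

# RFC 1123 hostname label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Expression-language delimiters; a real SMTP host never contains these.
_EL_PROBE = re.compile(r"\$\{|#\{")

def is_valid_hostname(value: str) -> bool:
    """Allowlist check: dotted RFC 1123 labels, at most 253 characters overall."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)

def classify_smtp_host(value: str) -> str:
    """Return 'el_probe', 'invalid' or 'ok' for a submitted SMTP hostname."""
    if _EL_PROBE.search(value):
        return "el_probe"      # looks like an expression-injection probe
    if not is_valid_hostname(value):
        return "invalid"       # malformed, reject without further processing
    return "ok"

# Constructed sample audit lines (assumed format), modelled on the probe in the article.
SAMPLE_LOG = """\
2020-05-20T10:01:02Z org=tenantA user=orgadmin action=set_smtp_host value=smtp.example.com
2020-05-20T10:03:15Z org=tenantB user=orgadmin action=set_smtp_host value=${7*7}
2020-05-20T10:04:40Z org=tenantB user=orgadmin action=set_smtp_host value=mail.tenantb.test.
2020-05-20T10:05:01Z org=tenantC user=orgadmin action=set_smtp_host value=-bad-.example
"""

_LINE = re.compile(r"org=(?P<org>\S+) .*?action=set_smtp_host value=(?P<value>.*)$")

def find_el_probes(log_text: str) -> List[Tuple[str, str]]:
    """Return (org, value) for every SMTP-host change that looks like an EL probe."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE.search(line)
        if m and classify_smtp_host(m["value"]) == "el_probe":
            hits.append((m["org"], m["value"]))
    return hits

if __name__ == "__main__":
    for org, value in find_el_probes(SAMPLE_LOG):
        print(f"expression-language probe from {org}: {value!r}")
```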

Their goal was to crack the lot, which was accomplished by identifying the credential file, decrypting it with two lines of Java, and then putting their feet up because they had all the usernames and passwords for all the clouds managed by this instance of vCloud Director.

The next step was changing user passwords, at which point the pair of ethical hackers wrote: “After that, we were able to login as System Administrator and access data of all customers. And that was the real game over.”

Here’s a video of their efforts.

Thankfully, the Citadelo pair responsibly disclosed the situation to VMware which on May 19th revealed both the flaw and the patches.

Which brings us to now, because Citadelo has also offered a sample exploit, meaning that those users who haven’t patched vCloud Director now have very good reason to do so very, very quickly. ®

Biting the hand that feeds IT © 1998–2020