hacktricks/network-services-pentesting/5985-5986-pentesting-omi.md
2022-09-09 16:14:55 +00:00

4.6 KiB

5985,5986 - Pentesting OMI

Support HackTricks and get benefits!

Basic Information

OMI is an open-source remote configuration management tool developed by Microsoft. OMI agents are commonly found installed on Azure Linux servers when the following services are in use:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

When these services are configured, the omiengine process will listen on all interfaces and being running as the root user.

Default port: 5985(http), 5986(https)

CVE-2021-38647

As of September 16, newly created Linux servers in Azure are still packaged with a vulnerable version of the OMI agent. After deploying a Linux server and enabling one the services listed above, the server will be in a vulnerable state.

The OMI server receives configuration management messages via the /wsman endpoint. Typically, an Authentication header is passed along with the message and the OMI server will ensure the client is authorized communicate. In this case the vulnerability is that when there is no Authentication header the server incorrectly accepts the message and executes the instruction under the root user.

By posting an “ExecuteShellCommand” SOAP payload to the server with no Authentication header specified, it will execute the command as root.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
   ...
   <s:Body>
      <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
         <p:command>id</p:command>
         <p:timeout>0</p:timeout>
      </p:ExecuteShellCommand_INPUT>
   </s:Body>
</s:Envelope>

Find full exploit in https://github.com/horizon3ai/CVE-2021-38647

References

Support HackTricks and get benefits!