The VMware vSphere Data Protection (VDP) appliance is based on the EMC Avamar solution. To perform an in-depth analysis of VDP, a virtual test appliance of EMC Avamar was downloaded. Known Avamar default credentials did work fine on the Avamar appliance, but were not valid to log into the vSphere Data Protection. Further file system objects in the EMC Avamar appliance were analyzed, leading to the interesting detection of a private SSH key belonging to the admin user.
A web search did reveal that the corresponding password for the SSH key file is ‘P3t3rPan’ (see http://judsonian.com/content/licensing-an-avamar-system/). Using the SSH key file a login as admin to the VMware Data Protection was successful and did grant root permissions on the appliance.
11.08.2016 report of vulnerability to VMware Security Response team
12.08.2016 VMware confirms the vulnerability and reaches out to EMC
22.12.2016 VMware publishes advisory and patch
04.01.2017 release of metasploit module
VMware Advisory https://www.vmware.com/security/advisories/VMSA-2016-0024.html
MSF module https://github.com/phroxvs/metasploit-framework/tree/exploit_vdp_known_privkey in modules/exploits/linux/ssh/vmware_vdp_known_privkey.rb
where is the module?