praseodym

Exploit for VMware vCenter Directory Service (vmdir) - CVE-2020-3952 / VMSA-2020-0006

This is my proof-of-concept exploit code for the VMware vCenter Directory Service (vmdir) sensitive information disclosure vulnerability (CVE-2020-3952 / VMSA-2020-0006).

It turns out that the vmdir service, which provides an LDAP directory server (and more), allows anonymous LDAP connections (also called LDAP binding) in the ACL MODE: Legacy configuration that is present after upgrading from vCenter 6.5. While the LDAP tree doesn't expose password hashes for administrative users, it does expose the VMware SSO server's SAML identity provider (IdP) certificates and private key. This key can be downloaded and used to sign arbitrary SAML responses, allowing an attacker to

praseodym

#!/bin/bash
# csr.sh: Certificate Signing Request Generator

set -e

if [ $# -lt 1 ]; then
    echo "Usage: $0 hostname [alt.hostname1] [alt.hostname2]"
    exit 1
fi

praseodym

{
  "firewall": {
    "all-ping": "enable",
    "broadcast-ping": "disable",
    "group": {
      "address-group": {
        "authorized_guests": {
          "description": "authorized guests MAC addresses"
        },
        "guest_allow_addresses": {

praseodym

import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Arrays;

public class AESGCMUpdateAAD2 {

    // AES-GCM parameters
    public static final int AES_KEY_SIZE = 128; // in bits

praseodym

---

- name: ensure wheezy-backports is present
  apt_repository: repo="deb http://ftp.nl.debian.org/debian/ wheezy-backports main contrib non-free" state=present update_cache=yes
  when: ansible_distribution_release == 'wheezy'

- name: ensure jessie-backports is present
  apt_repository: repo="deb http://ftp.nl.debian.org/debian/ jessie-backports main contrib non-free" state=present update_cache=yes
  when: ansible_distribution_release == 'jessie'

praseodym

apiVersion: v1
kind: Namespace
metadata:
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  name: ingress-nginx
---

kind: ConfigMap

praseodym

import java.io.ByteArrayInputStream;
import java.io.ObjectInputStream;
import java.sql.*;
import java.time.LocalDate;

public class Migration {
    public static void main(String[] args) throws Exception {
        String url = "jdbc:postgresql://joost.chnet/choice?ssl=true&sslrootcert=wisvch.crt";
        Connection conn = DriverManager.getConnection(url, "user", "password");

praseodym

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
- role: worker
- role: worker

praseodym

-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       0.30.0
  Build:         git-7e65b90c4
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.17.8

-------------------------------------------------------------------------------

W0301 00:31:38.725688       8 flags.go:260] SSL certificate chain completion is disabled (--enable-ssl-chain-completion=false)

praseodym

diff --git a/roles/bootstrap-os/tasks/bootstrap-debian.yml b/roles/bootstrap-os/tasks/bootstrap-debian.yml
index aec6d78b..e16b9c6e 100644
--- a/roles/bootstrap-os/tasks/bootstrap-debian.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-debian.yml
@@ -59,9 +59,17 @@
   when:
     - need_bootstrap.rc != 0
 
-# Workaround for https://github.com/ansible/ansible/issues/25543
-- name: Install dbus for the hostname module