/omigod-lab

A Vagrant VM test lab to learn about CVE-2021-38647 in the Open Management Infrastructure agent (aka "omigod").

Readme

An educational lab VM for learning about the CVSS 9.6 unauthenticated Remote Code Execution (RCE) vulnerability in the Open Management Infrastructure (OMI) software (CVE-2021-38647).

Disclosure (original research): https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

OMI source code: https://github.com/microsoft/omi

news:

Write up:

Read some of the above before proceeding.

Setup

git clone https://github.com/craig-m-unsw/omigod-lab.git
cd omigod-lab
vagrant up
vagrant ssh

This will set up Ubuntu 20.04 (Focal Fossa). Thanks to Roboxes for the Vagrant box.

Installed by the Ansible playbook (playbook.yml):

  • omi-1.6.8-0.ssl_110.ulinux.x64.deb - sha256:2e0813ee3f2a71028f071d9933ca2f336faaaf9b6126d5f1767ffcbc7e803279
  • scx-1.6.8-1.ssl_110.ulinux.x64.deb - sha256:1cba16e3b307177cbe15bd3fd8a2a87ab8d638846988202be8a17981b5e900c9

Don't put this VM on the internet :-)

Exploiting

Thanks to Vagrant, a port forward from localhost:5986 to port 5986 in the VM will be open after bringing the box up. We now have a lab VM to test against.

CVE-2021-38647

We just need to send a SOAP request to the vulnerable OMI server; the Ansible uri module can be used to post this XML payload:

cd /vagrant
ansible-playbook attack-play.yml -e "rcecmd=uptime"

You should see the output of the uptime command in <p:StdOut>.

If you change the command to id, you will see uid=0(root) gid=0(root) groups=0(root) in the output.

😬😬😬

Other public exploit code:

Using omi

The Getting Started documentation from Microsoft: https://github.com/microsoft/omi/blob/master/Unix/doc/omi/omi.pdf

Detect

auditd is installed inside the VM.

Log all command execution (execve syscalls for 32-bit and 64-bit binaries):

sudo auditctl -a exit,always -F arch=b32 -S execve -k execve
sudo auditctl -a exit,always -F arch=b64 -S execve -k execve
sudo tail -f /var/log/audit/audit.log

The output after sending a command (here whoami):

type=SYSCALL msg=audit(1631977306.937:107): arch=c000003e syscall=59 success=yes exit=0 a0=7f906c002570 a1=7f906c001330 a2=7fffe5148108 a3=7f90751453f0 items=2 ppid=8552 pid=9974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="execve"
type=EXECVE msg=audit(1631977306.937:107): argc=3 a0="/bin/sh" a1="-c" a2="whoami"
type=CWD msg=audit(1631977306.937:107): cwd="/var/opt/microsoft/scx/tmp"
type=PATH msg=audit(1631977306.937:107): item=0 name="/bin/sh" inode=5374016 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1631977306.937:107): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5377053 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1631977306.937:107): proctitle=2F62696E2F7368002D630077686F616D69
type=SYSCALL msg=audit(1631977306.937:108): arch=c000003e syscall=59 success=yes exit=0 a0=564c4e436b90 a1=564c4e436b38 a2=564c4e436b48 a3=7f5b83f28850 items=2 ppid=9974 pid=9975 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="whoami" exe="/usr/bin/whoami" key="execve"
type=EXECVE msg=audit(1631977306.937:108): argc=1 a0="whoami"
type=CWD msg=audit(1631977306.937:108): cwd="/var/opt/microsoft/scx/tmp"
type=PATH msg=audit(1631977306.937:108): item=0 name="/usr/bin/whoami" inode=5374366 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1631977306.937:108): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5377053 dev=08:03 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1631977306.937:108): proctitle="whoami"

Someone has run "whoami".
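Reading those records by hand does not scale, so here is an added detection example (not part of the lab repo) that groups audit records by event id, decodes hex-encoded argv/proctitle values, and flags root execve events whose working directory is the SCX agent directory seen in the log above. The sample records are shortened from that log plus one constructed benign event (109) from an interactive session; SCX_DIR is an assumption taken from the cwd in the log.

```python
import re
from collections import defaultdict

# Records shortened from the lab output above (107: the shell the OMI/SCX agent spawned,
# 108: its child) plus constructed benign event 109 from an interactive vagrant session.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1631977306.937:107): arch=c000003e syscall=59 success=yes exit=0 a0=7f906c002570 ppid=8552 pid=9974 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/dash" key="execve"
type=EXECVE msg=audit(1631977306.937:107): argc=3 a0="/bin/sh" a1="-c" a2="whoami"
type=CWD msg=audit(1631977306.937:107): cwd="/var/opt/microsoft/scx/tmp"
type=PROCTITLE msg=audit(1631977306.937:107): proctitle=2F62696E2F7368002D630077686F616D69
type=SYSCALL msg=audit(1631977306.937:108): arch=c000003e syscall=59 success=yes exit=0 ppid=9974 pid=9975 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="whoami" exe="/usr/bin/whoami" key="execve"
type=EXECVE msg=audit(1631977306.937:108): argc=1 a0="whoami"
type=CWD msg=audit(1631977306.937:108): cwd="/var/opt/microsoft/scx/tmp"
type=PROCTITLE msg=audit(1631977306.937:108): proctitle="whoami"
type=SYSCALL msg=audit(1631977400.100:109): arch=c000003e syscall=59 success=yes exit=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="ls" exe="/usr/bin/ls" key="execve"
type=EXECVE msg=audit(1631977400.100:109): argc=1 a0="ls"
type=CWD msg=audit(1631977400.100:109): cwd="/home/vagrant"
"""

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
SCX_DIR = "/var/opt/microsoft/scx/"  # assumed from the cwd in the lab log

def _decode(rtype, key, raw):
    """Unquote a field; auditd hex-encodes argv/proctitle strings that contain spaces or NULs."""
    if raw.startswith('"'):
        return raw[1:-1]
    is_arg = rtype in ("EXECVE", "PROCTITLE") and (key == "proctitle" or re.fullmatch(r"a\d+", key))
    if is_arg and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw

def parse_events(text):
    """Group audit records by event id -> {record type: {field: value}}; first record of each type wins."""
    events = defaultdict(dict)
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, eid, body = m.groups()
        fields = {k: _decode(rtype, k, v) for k, v in KV_RE.findall(body)}
        events[eid].setdefault(rtype, fields)
    return events

def flag_omi_executions(events):
    """Return (event id, argv) for every root execve whose cwd is under the SCX agent directory."""
    hits = []
    for eid, recs in sorted(events.items(), key=lambda kv: int(kv[0])):
        execve, sysc, cwd = recs.get("EXECVE"), recs.get("SYSCALL", {}), recs.get("CWD", {})
        if not execve or sysc.get("euid") != "0" or not cwd.get("cwd", "").startswith(SCX_DIR):
            continue
        hits.append((eid, [execve.get(f"a{i}", "") for i in range(int(execve.get("argc", "0")))]))
    return hits
```

Legitimate SCX provider activity may also run from that directory, so treat hits as triage candidates and review the recovered argv rather than alerting on every match.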

Microsoft covers detection in the blog post "Additional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions":

https://msrc-blog.microsoft.com/2021/09/16/additional-guidance-regarding-omi-vulnerabilities-within-azure-vm-management-extensions/