0x00 Preface
---
This article documents the details of building a vRealize Log Insight vulnerability debugging environment from scratch.
0x01 Introduction
---
This article will cover the following topics:
- vRealize Log Insight Installation
- vRealize Log Insight Vulnerability Debugging Environment Configuration
- Database Operations
0x02 vRealize Log Insight Installation
---
Reference: https://docs.vmware.com/en/vRealize-Log-Insight/index.html
1. Download OVA File
Download page: https://customerconnect.vmware.com/evalcenter?p=vr-li
Downloading requires registering an account first; after logging in, select the desired version.
2. Installation
(1) Import the OVA file in VMware Workstation
(2) Configuration
Access the configuration page at https://<appliance IP>/ (the address assigned to the imported VM)
Select Starting New Deployment and set the admin user password
3. Enable remote debugging function
(1) Check the status of all services
Result as shown in the figure below

Locate the web-related service as loginsight.service
(2) View detailed information of loginsight.service
```bash
systemctl status loginsight.service
```
Result as shown in the figure below

Locate the service startup file: /usr/lib/loginsight/application/bin/loginsight
(3) View process parameters
Execute command: ps aux|grep java
Returned result (one line per Java process):
```
root 1977 4.7 34.5 4687676 1396852 ? Sl 00:04 6:55 /usr/lib/loginsight/application/3rd_party/bin/java -Xrs -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/storage/core/loginsight/var/heapdump/li_heapdump.hprof -XX:ErrorFile=/storage/core/loginsight/var/jvm_hs_err_pid.log -Djava.util.logging.config.level=SEVERE -Djdk.tls.ephemeralDHKeySize=2048 -Dorg.bouncycastle.fips.approved_only=false -Djavax.net.ssl.trustStorePassword=changeit -Djdk.http.auth.tunneling.disabledSchemes="" -DLOGINSIGHT_HOME=/usr/lib/loginsight -Dstrata.pgid=1961 -cp /usr/lib/loginsight/application/lib/* -Xmx1972m -Xms1972m -Xss256k -Xmn1024M -XX:+UseConcMarkSweepGC -XX:+UseParNewGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+ScavengeBeforeFullGC -XX:TargetSurvivorRatio=80 -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=15 -XX:ParallelGCThreads=4 -XX:+UseCompressedOops -XX:+OptimizeStringConcat -XX:+AlwaysPreTouch com.vmware.loginsight.daemon.LogInsightDaemon --wait=120
root 2157 0.1 2.0 2685308 84276 ? Sl 00:04 0:17 /usr/lib/loginsight/application/3rd_party/bin/java -Xms100m -Xmx256m -jar -Dapp.log.home=/storage/var/loginsight /usr/lib/loginsight/application/3rd_party/vI18nManager-logInsight-8.10.latest.jar --server.scheme=https -c --swagger-ui.enable=false
root 2327 0.6 15.1 3577064 612048 ? Sl 00:04 0:57 /usr/lib/loginsight/application/3rd_party/bin/java -Dnop -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -server -DLOGINSIGHT_HOME=/usr/lib/loginsight -Dorg.bouncycastle.fips.approved_only=false -Dorg.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true -Djava.awt.headless=true -Dorg.apache.jasper.runtime.JspFactoryImpl.USE_POOL=false -Djdk.tls.rejectClientInitiatedRenegotiation=true -Dorg.apache.el.parser.SKIP_IDENTIFIER_CHECK=true -Djavax.net.ssl.trustStorePassword=changeit -Djava.endorsed.dirs= -classpath /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/log4j2/lib/*:/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/log4j2/conf:/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/bin/bootstrap.jar:/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/bin/tomcat-juli.jar -Dcatalina.base=/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82 -Dcatalina.home=/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82 -Djava.io.tmpdir=/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/temp org.apache.catalina.startup.Bootstrap start
root 3097 1.7 33.0 2860656 1336624 ? SLl 00:06 2:31 /usr/bin/java -Xloggc:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../logs/gc.log -ea -XX:+UseThreadPriorities -XX:ThreadPriorityPolicy=42 -XX:+HeapDumpOnOutOfMemoryError -Xss256k -XX:StringTableSize=1000003 -XX:+AlwaysPreTouch -XX:-UseBiasedLocking -XX:+UseTLAB -XX:+ResizeTLAB -XX:+UseNUMA -XX:+PerfDisableSharedMem -Djava.net.preferIPv4Stack=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:SurvivorRatio=8 -XX:MaxTenuringThreshold=1 -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:CMSWaitDuration=10000 -XX:+CMSParallelInitialMarkEnabled -XX:+CMSEdenChunksRecordAlways -XX:+CMSClassUnloadingEnabled -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintHeapAtGC -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -XX:+PrintPromotionFailure -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=10 -XX:GCLogFileSize=10M -Xms1024M -Xmx1024M -Xmn200M -XX:+UseCondCardMark -XX:CompileCommandFile=/storage/core/loginsight/cidata/cassandra/config/hotspot_compiler -javaagent:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jamm-0.3.0.jar -Djava.rmi.server.hostname=192.168.112.156 -Dcassandra.jmx.local.port=7199 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=/storage/core/loginsight/cidata/cassandra/config/jmxremote.password -Djava.library.path=/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/sigar-bin -Dcassandra.consistent.rangemovement=false -XX:OnOutOfMemoryError=kill -9 %p -Dlogback.configurationFile=logback.xml -Dcassandra.logdir=/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../logs -Dcassandra.storagedir=/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../data -Dcassandra-foreground=yes -cp /storage/core/loginsight/cidata/cassandra/config:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../build/classes/main:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../build/classes/thrift:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/airline-0.6.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/antlr-runtime-3.5.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/apache-cassandra-3.11.11.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/apache-cassandra-thrift-3.11.11.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/asm-5.0.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/caffeine-2.2.6.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/cassandra-driver-core-3.0.1-shaded.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/commons-cli-1.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/commons-codec-1.9.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/commons-lang3-3.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/commons-math3-3.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/compress-lzf-0.8.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/concurrentlinkedhashmap-lru-1.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/concurrent-trees-2.4.0.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/disruptor-3.0.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/ecj-4.4.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/guava-18.0.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/HdrHistogram-2.1.9.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/high-scale-lib-1.0.6.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/hppc-0.5.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jackson-annotations-2.9.10.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jackson-core-2.9.10.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jackson-databind-2.9.10.8.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jamm-0.3.0.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/javax.inject-1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jbcrypt-0.3m.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jcl-over-slf4j-1.7.7.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jctools-core-1.2.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jflex-1.6.0.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jna-4.2.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/joda-time-2.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/json-simple-1.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/libthrift-0.9.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/log4j-api-2.17.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/log4j-core-2.17.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/log4j-over-slf4j-1.7.7.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/log4j-slf4j-impl-2.17.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/logback-classic-1.1.3.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/logback-core-1.1.3.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/lz4-1.3.0.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/metrics-core-3.1.5.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/metrics-jvm-3.1.5.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/metrics-logback-3.1.5.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/netty-all-4.0.44.Final.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/ohc-core-0.4.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/ohc-core-j8-0.4.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/reporter-config3-3.0.3.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/reporter-config-base-3.0.3.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/sigar-1.6.4.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/slf4j-api-1.7.30.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/slf4j-api-1.7.7.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/snakeyaml-1.11.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/snappy-java-1.1.1.7.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/snowball-stemmer-1.3.0.581.1.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/ST4-4.0.8.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/stream-2.5.2.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/thrift-server-0.3.7.jar:/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/../lib/jsr223/*/*.jar: org.apache.cassandra.service.CassandraDaemon
```
Analysis of the output (the main class at the end of each command line identifies the component):
Process 1977 (com.vmware.loginsight.daemon.LogInsightDaemon):
Startup script that sets these parameters: /usr/lib/loginsight/application/sbin/loginsight-daemon.sh
Corresponding lib folder: /usr/lib/loginsight/application/lib/
Process 2157 (vI18nManager):
Startup script that sets these parameters: /usr/lib/loginsight/application/sbin/vI18nManager
Corresponding jar: /usr/lib/loginsight/application/3rd_party/vI18nManager-logInsight-8.10.latest.jar
Process 2327 (Tomcat, org.apache.catalina.startup.Bootstrap, which serves the web UI):
Startup script that sets these parameters: /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/bin/catalina.sh
Corresponding folder: /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/
Process 3097 (Cassandra, org.apache.cassandra.service.CassandraDaemon):
JVM parameters are read from: /usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/conf/jvm.options
Corresponding lib folder: /usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/lib/
Method to add debug parameters to process 3097:
Edit the file /usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/conf/jvm.options and add the line:
```
-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=1414
```
Restart the service: service loginsight restart
Add a firewall rule: iptables -I INPUT -p tcp --dport 1414 -j ACCEPT
Two caveats. On JDK 9 and later a bare address=1414 listens on the loopback interface only; use address=*:1414 if the debugger runs on another host, and confirm which interface the port is bound to with ss -lntp | grep 1414. A JDWP listener accepts connections without any authentication and lets the peer run arbitrary code inside the JVM as root, so only open the port on an isolated lab network and remove the line again once debugging is finished.
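The steps above, as an added shell example that is not part of the original article or of the appliance's own scripts. It appends the JDWP line to jvm.options only if no agent is configured yet, and applies the restart and firewall commands from the article only when APPLY_JDWP=1 is set, so the file-editing logic can be exercised on a copy first. The script name enable-jdwp.sh, the JDWP_BIND switch and the environment variable names are this example's own assumptions; the paths and the port are the ones listed above.

```bash
#!/bin/bash
# enable-jdwp.sh: added example, not the article's or the vendor's code.
# Paths and port follow the article; override them via the environment.
JVM_OPTIONS="${JVM_OPTIONS:-/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/conf/jvm.options}"
JDWP_PORT="${JDWP_PORT:-1414}"

# Build the agent option. JDWP_BIND=remote prefixes "*:" so that JDK 9+ listens
# on all interfaces; anything else keeps the bare port, which is loopback-only on
# JDK 9+ and all interfaces on JDK 8.
# Usage: jdwp_line PORT [remote]
jdwp_line() {
    local port="$1" bind=""
    [ "$2" = "remote" ] && bind='*:'
    printf -- '-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=%s%s\n' "$bind" "$port"
}

# Append LINE to FILE unless a jdwp agent is already configured there.
# Returns 0 when the line was added, 1 when the file already had one (so a
# second run never produces two listeners).
add_jdwp_option() {
    local file="$1" line="$2"
    if grep -q -- '-agentlib:jdwp' "$file" 2>/dev/null; then
        return 1
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# Number of jdwp agent lines in FILE (used to verify the edit).
count_jdwp() {
    grep -c -- '-agentlib:jdwp' "$1"
}

# Only touch the live appliance when explicitly asked (run as root):
#   APPLY_JDWP=1 JDWP_BIND=remote ./enable-jdwp.sh
if [ "${APPLY_JDWP:-0}" = 1 ]; then
    line=$(jdwp_line "$JDWP_PORT" "${JDWP_BIND:-local}")
    if add_jdwp_option "$JVM_OPTIONS" "$line"; then
        echo "added: $line"
    else
        echo "jdwp agent already configured in $JVM_OPTIONS"
    fi
    service loginsight restart                          # article step: reload jvm.options
    iptables -I INPUT -p tcp --dport "$JDWP_PORT" -j ACCEPT   # article step: open the port
    # Check which address the JVM actually bound; "127.0.0.1:1414" means the
    # bare port form was used on JDK 9+ and the debugger must run locally.
    ss -lntp | grep ":$JDWP_PORT" || echo "port $JDWP_PORT not listening yet (JVM still starting?)"
fi
```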
0x03 Database Operations
---
1. Resetting the admin password for the web login
Implementation file: /usr/lib/loginsight/application/sbin/li-reset-admin-passwd.sh
The database connection details this script relies on can be read from the file, as shown in the figure below

2. Command parameters for connecting to the database
Implementation file: /usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/cqlsh-no-pass
The file content is as follows:
```bash
_bin() {
    local CASSANDRA_BIN=$(find $BASE -name nodetool | sort | tail -n 1)
    if [ ! -e "$CASSANDRA_BIN" ]; then
        echo "ERROR: Unable to locate Cassandra's bin directory!"
        exit 255
    else
        # Echo the bin directory
        echo ${CASSANDRA_BIN%/*}
    fi
    return 0
}

BASE="$(dirname $(readlink -f $0 2>/dev/null) 2>/dev/null)/"
if [ $? != 0 ]; then
    # If mac then no need to worry about symlink
    BASE="$(dirname $0)"
    BASE="${BASE%.*}"
    if [ ! -z "$BASE" ]; then BASE="$BASE/"; fi
elif [ "$BASE" == "/opt/vmware/bin/" ]; then
    BASE="/usr/lib/loginsight/application/lib/apache-cassandra-*"
fi

CASSANDRA_BIN=$(_bin)
if [ $? != 0 ]; then
    echo $CASSANDRA_BIN
    exit 255
fi

# credentials-look-up prints the user name and password as two quoted strings;
# the sed turns them into a tab-separated pair
user_password=`$CASSANDRA_BIN/credentials-look-up | tr "\n" " " | sed 's/.*"\(.*\)".*"\(.*\)".*/\1\t\2/g'`
cuser=`echo "${user_password}" | cut -f1`
cpassword=`echo "${user_password}" | cut -f2`

$CASSANDRA_BIN/cqlsh -u $cuser -p $cpassword --cqlshrc=/storage/core/loginsight/cidata/cassandra/config/cqlshrc "$@"
```
The specific parameters for database operations can be taken from this file:
- The username and password come from $CASSANDRA_BIN/credentials-look-up
- The connection configuration file is /storage/core/loginsight/cidata/cassandra/config/cqlshrc
3. Username and password for database connection
Implementation file: /usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/credentials-look-up
Executing it prints the username and password.
It works by reading the file /storage/core/loginsight/config/loginsight-config.xml* and extracting the username and password, which are stored in plaintext in that XML; anyone with root on the appliance can therefore recover the database credentials directly.
4. Database connection configuration information
Implementation file: /storage/core/loginsight/cidata/cassandra/config/cqlshrc
File contents are as follows:
```ini
[connection]
hostname = 127.0.0.1
port = 9042
client_timeout = 120
ssl = true

;[authentication]
;username = cassandra
;password = cassandra

[ssl]
certfile = /storage/core/loginsight/cidata/cassandra/config/cacert.pem
;usercert = cert.pem
;userkey = cert_key.pem
```
From the above, two ways of connecting to the database follow:
(1) Using the wrapper script, which supplies the parameters itself
```bash
/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/cqlsh-no-pass
```
(2) Passing the parameters explicitly (the credentials are the ones credentials-look-up returned on this appliance)
```bash
/usr/lib/loginsight/application/lib/apache-cassandra-3.11.11/bin/cqlsh -u lisuper -p slshitn2@S --cqlshrc=/storage/core/loginsight/cidata/cassandra/config/cqlshrc
```
The returned prompt shows that the database is queried with CQL (Cassandra Query Language).
Queries for the user configuration:
```sql
select * from logdb.user;
select * from logdb.user_auth;
```
5. Graphical client for database operations
Here the TablePlus client is used.
The firewall must be opened for port 9042: iptables -I INPUT -p tcp --dport 9042 -j ACCEPT
Since cqlshrc connects to 127.0.0.1, first confirm that the native transport port is bound to an interface reachable from the client host and not only to loopback: ss -lntp | grep 9042
CA certificate file to use for the TLS connection: /storage/core/loginsight/cidata/cassandra/config/cacert.pem
Log in with the username and password returned by credentials-look-up.
Successful connection is shown in the figure below

0x04 Summary
---
After setting up the vRealize Log Insight vulnerability debugging environment, we can proceed to study the vulnerability.