0x00 Preface

---

A technique I learned recently: with local administrator privileges on vCenter, extract the IdP certificate from /storage/db/vmware-vmdir/data.mdb, create a SAML request for an administrator user, and finally authenticate against the vCenter server to obtain a valid administrator cookie.

In short: from local administrator privileges on vCenter to administrator access to the VCSA management panel.

Learning materials:

https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/

https://github.com/horizon3ai/vcenter_saml_login

This article builds on that material: it improves the script's portability and provides defense recommendations alongside the exploitation ideas.

0x01 Introduction

---

This article will cover the following:

  • Method Reproduction
  • Script Optimization
  • Exploitation Approach
  • Defense Recommendations

0x02 Method Reproduction

---

Test environment: Kali Linux

Install the Python OpenSSL package:

apt install python3-openssl

1. Obtain Database File from vCenter

Path: /storage/db/vmware-vmdir/data.mdb

Requires local administrator privileges on vCenter

2. Run the Script

Download URL:

https://github.com/horizon3ai/vcenter_saml_login/blob/main/vcenter_saml_login.py

Command Parameter Example:

python3 ./vcenter_saml_login.py -t 192.168.1.1 -p data.mdb

Command Line Return Result:

JSESSIONID=XX533CDFA344DE842517C943A1AC7611

3. Log in to the VCSA management panel

Access https://192.168.1.1/ui

Set the cookie JSESSIONID=XX533CDFA344DE842517C943A1AC7611

The management panel is now accessible as administrator

0x03 Script Optimization

---

data.mdb is typically at least 20 MB in size

To reduce the traffic involved in transferring it, I chose to modify vcenter_saml_login.py so that it runs directly on vCenter

Note:

Python is installed by default on vCenter

Specifically, the following issues need to be considered when modifying the script:

1. Remove the dependency on the third-party package bitstring

My approach was to trim the bitstring package down to the parts the script uses and inline them into the Python script

2. Avoid using f-string formatting

Python 3.6 introduced f-strings (formatted string literals)

vCenter 6.7 ships Python 3.5.6, which does not support the 'f' prefix for formatted string literals

My approach was to use the str.format method for string formatting instead

For example:

cn = stream.read(f'bytes:{cn_len}').decode()

Replaced with:

cn = stream.read('bytes:{}'.format(cn_len)).decode()
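To check a modified script for exactly the two portability problems above (f-strings, which Python 3.5.6 rejects, and imports of non-standard-library packages such as bitstring) before uploading it to vCenter, here is an added helper that is not part of the original post or of vcenter_saml_login.py. It walks the script's AST; the embedded SAMPLE_SOURCE is a constructed fragment in the style of the original script, and the full standard-library module list it consults is only available on Python 3.10+.

```python
import ast
import sys

# Constructed sample in the style of vcenter_saml_login.py, containing the two
# issues the text describes: a bitstring import and an f-string literal.
SAMPLE_SOURCE = '''
import sys
from bitstring import ConstBitStream
cn = stream.read(f'bytes:{cn_len}').decode()
'''


def stdlib_names():
    """Top-level standard-library module names.
    sys.stdlib_module_names exists on Python 3.10+; on older interpreters only
    the compiled-in modules are known, so some stdlib imports may be flagged."""
    names = set(getattr(sys, "stdlib_module_names", ()))
    names.update(sys.builtin_module_names)
    return names


def check_portability(source):
    """Return (fstring_lines, third_party_modules) for the given Python source.
    fstring_lines: line numbers of f-string literals (unsupported on Python 3.5).
    third_party_modules: imported top-level names not in the standard library."""
    tree = ast.parse(source)
    stdlib = stdlib_names()
    fstring_lines = set()
    third_party = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.JoinedStr):          # f'...' literal
            fstring_lines.add(node.lineno)
        elif isinstance(node, ast.Import):
            for alias in node.names:
                top = alias.name.split(".")[0]
                if top not in stdlib:
                    third_party.add(top)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            top = node.module.split(".")[0]
            if top not in stdlib:
                third_party.add(top)
    return sorted(fstring_lines), sorted(third_party)


if __name__ == "__main__":
    # Usage: python3 check.py [script.py]; without an argument the sample is checked.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SOURCE
    lines, modules = check_portability(src)
    print("f-strings on lines:", lines)        # [4] for the sample
    print("non-stdlib imports:", modules)      # ['bitstring'] for the sample
```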

The complete code has been uploaded to GitHub at the following address:

An open-source project

vCenter_ExtraCertFromMdb.py can be uploaded to vCenter and run directly. It produces the following four values:

  • domain, displayed in the command line
  • idp_cert, saved as idp_cert.txt
  • trusted_cert_1, saved as trusted_cert_1.txt
  • trusted_cert_2, saved as trusted_cert_2.txt

Next, from any host, a SAML request can be created for the administrator user and submitted to the vCenter server for authentication, which returns a valid administrator cookie. The complete code has been uploaded to GitHub at the following address:

An open-source project

Parameter description is as follows:

  • target: URL of the VCSA management panel
  • hostname: the CN in the Subject of the VCSA management panel's certificate
  • domain: Can be obtained from data.mdb using vCenter_ExtraCertFromMdb.py
  • idp_cert path: Can be obtained from data.mdb using vCenter_ExtraCertFromMdb.py
  • trusted_cert_1 path: Can be obtained from data.mdb using vCenter_ExtraCertFromMdb.py
  • trusted_cert_2 path: Can be obtained from data.mdb using vCenter_ExtraCertFromMdb.py

0x04 Exploitation Approach

---

1. From vCenter local administrator privileges to VCSA management panel administrator access

Prerequisite: local administrator privileges on vCenter, obtained through a vulnerability

Exploitation effect:

Obtain administrator access to the VCSA management panel, enabling interaction with virtual machines manageable by vCenter

Note:

At this point, administrator users can also be added via the LDAP database using the method described in 'vSphere Development Guide 5 - LDAP', enabling interaction with virtual machines manageable by vCenter.

2. Obtain data.mdb from vCenter backup files

Prerequisite: a correct copy of the data.mdb file

Exploitation effect:

Gain administrator access to the VCSA management panel, enabling interaction with virtual machines manageable by vCenter

0x05 Defense Recommendations

---

1. Apply patches to prevent attackers from obtaining vCenter local administrator privileges

2. Prevent leakage of the vCenter backup files in use

0x06 Summary

---

This article introduced optimizations to vcenter_saml_login that improve its portability, and provided defense recommendations based on the exploitation approach.