VMware ESX Multiple Sensitive Information Disclosure Vulnerabilities

Vulnerability ID 1110713 Vulnerability type Trust management
Published 2006-07-31 Updated 2006-08-10
CVE ID CVE-2006-2481 CNNVD ID CNNVD-200607-528
Platform Multiple CVSS score 5.0
|Sources
https://www.exploit-db.com/exploits/28312
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-528
|Details
VMware ESX Server is an enterprise-grade virtual machine product intended for any system environment. Its web management interface keeps the session ID in two cookies, vmware.mui.kid and vmware.mui.sid. The session ID format is proprietary and contains the user's account name and password in plain base64 encoding, so any attacker who can read the cookies by whatever means (for example through a cross-site scripting attack) obtains valid authentication credentials.

The management interface also lets users change their password, and the root user can additionally change other users' passwords. When a password is changed, an HTML form asks the user to enter and confirm the new password and then submits the data to the server in an HTTP GET request. Both the request and the new password are therefore recorded in the Apache access logs /var/log/httpd/access_log and /var/log/httpd/ssl_request_log, and are rotated into the corresponding backup logs. These files are world-readable, so any local user can browse them and recover every password that was set through the management interface.
|Exploit
source: http://www.securityfocus.com/bid/19249/info

VMware ESX is prone to multiple information-disclosure vulnerabilities. These issues are due to a design error in the application. The following issues were reported:

1. An information disclosure vulnerability that could disclose the session ID, username, and password if an attacker can access session cookies used by the management interface.

2. An information disclosure vulnerability that could expose authentication credentials to local users on the computer hosting the VMware ESX Server. This vulnerability occurs because the management interface submits new passwords in the query string of an HTTP GET request, which Apache records in world-readable access logs.

VMware ESX server versions 2.5.3 P2, 2.1.3 P1, 2.0.2, 2.0.2 P1, and 2.5.2 P4 are reported to be vulnerable; other versions may also be affected.

https://www.example.com/sx-users?op=setUsr&ag=&rg=&nm=root&hd=%2Froot&pw=test&pwc=test&grpSlct=
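The request above shows the second issue in practice: the new password travels in the query string (pw= and pwc=), so every password change ends up in the Apache access log. The following scanner is an added example written for this page, not code from the advisory or from VMware; it parses Apache combined-format log lines, reports each request that carries a password in its query string, and produces a redacted copy of such lines. The sample log lines are constructed for the example, modelled on the setUsr request quoted above; the host, client addresses, timestamps and password values are made up, and the parameter names nm, pw and pwc are taken from that request.

```python
import re
import stat
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format. The first two are
# modelled on the advisory's setUsr request; the others are ordinary traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [31/Jul/2006:10:15:02 +0100] "GET /sx-users?op=setUsr&ag=&rg=&nm=root&hd=%2Froot&pw=test&pwc=test&grpSlct= HTTP/1.1" 200 1532 "https://esx.example.com/sx-users" "Mozilla/5.0"
10.0.0.5 - - [31/Jul/2006:10:16:40 +0100] "GET /sx-users?op=setUsr&ag=&rg=&nm=backup&hd=%2Fhome%2Fbackup&pw=S3cret%21&pwc=S3cret%21&grpSlct=users HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Jul/2006:10:17:01 +0100] "GET /sx-users?op=listUsr HTTP/1.1" 200 804 "-" "Mozilla/5.0"
10.0.0.7 - - [31/Jul/2006:10:18:22 +0100] "GET /vmware/index.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Query parameters that carry the secret in the password-change form
# (names taken from the advisory's sample request).
SECRET_PARAMS = ("pw", "pwc")


def find_leaked_credentials(log_text):
    """Return one finding per request whose query string carries a password.

    The password itself is deliberately not copied into the finding; only the
    affected account, the source client and which parameters leaked are kept.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)
        leaked = [p for p in SECRET_PARAMS if query.get(p, [""])[0] != ""]
        if not leaked:
            continue
        findings.append({
            "client": m.group("client"),
            "timestamp": m.group("ts"),
            "path": parts.path,
            "op": query.get("op", [""])[0],
            "user": query.get("nm", [""])[0],
            "leaked_params": leaked,
            # A mismatch means the form was rejected, but the value still leaked.
            "passwords_match": query.get("pw") == query.get("pwc"),
        })
    return findings


def redact_line(line):
    """Return the log line with every secret parameter value replaced."""
    pattern = r'([?&](?:%s)=)[^&\s"]*' % "|".join(SECRET_PARAMS)
    return re.sub(pattern, lambda m: m.group(1) + "[REDACTED]", line)


def world_readable(mode):
    """True if the st_mode bits grant read access to 'other' (the log exposure
    precondition from the advisory)."""
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_ACCESS_LOG):
        print("%(timestamp)s %(client)s changed password of %(user)r via %(path)s "
              "(leaked params: %(leaked_params)s)" % f)
    for line in SAMPLE_ACCESS_LOG.splitlines():
        print(redact_line(line))
```

On a real host the same scanner would be pointed at /var/log/httpd/access_log, /var/log/httpd/ssl_request_log and their rotated copies, and world_readable() applied to os.stat(path).st_mode of each to confirm whether the exposure precondition holds.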
|References

Source: MISC
Link: http://www.corsaire.com/advisories/c060512-001.txt
Source: BID
Name: 19249
Link: http://www.securityfocus.com/bid/19249
Source: BUGTRAQ
Name: 20060801 VMSA-2006-0004 Cross site scripting vulnerability and other fixes
Link: http://www.securityfocus.com/archive/1/archive/1/441825/100/100/threaded
Source: BUGTRAQ
Name: 20060731 Corsaire Security Advisory - VMware ESX Server Password Disclosure in Cookie issue
Link: http://www.securityfocus.com/archive/1/archive/1/441728/100/100/threaded
Source: VUPEN
Name: ADV-2006-3075
Link: http://www.frsirt.com/english/advisories/2006/3075
Source: SECUNIA
Name: 21230
Link: http://secunia.com/advisories/21230
Source: kb.vmware.com
Link: http://kb.vmware.com/kb/2118366