Catching bugs in VMware: Carbon Black Cloud Workload Appliance and vRealize Operations Manager

We discussed this vulnerability during Episode 123 on 28 February 2022

Multiple bugs in Carbon Black Cloud Workload Appliance and vRealize Operations Manager: an authentication bypass through proxy trickery, server-side request forgery, a credential leak, and ultimately RCE.

VMWare Carbon Black - Authentication Bypass

Two core issues combine into an authentication bypass. The first is that the SERVICE_USER role was overly permissive: any service could request a JWT carrying every permission, regardless of what that service actually needed. Those tokens were minted by an internal endpoint, /acs/api/v1/service-token/{serviceName}. Reaching that internal endpoint from the outside was the more interesting issue.

Under normal circumstances this endpoint could not be reached from external sources. The front-end Envoy proxy that handles incoming requests routes /acs/ paths to the right backend, but a specific rule rewrote any request matching /acs/api/v1/service-token/ so that it would not be found. The problem is that Envoy by default does not normalize URLs, whereas the receiving Tomcat server does. By percent-encoding a single character in the path, the researchers could craft a URL that matched the /acs/ route but not the service-token rule, for example /acs/api/v1/%72ervice-token/..., and Tomcat would decode %72 back to "r" and dispatch it to the service-token handler anyway. The result was a SERVICE_USER token with full permissions. The general lesson is that a path-based access rule at a proxy has to match on the same canonical form the backend will use, which in Envoy means turning on path normalization so routes are matched on the decoded path rather than the raw one.

VMware vRealize Operations Manager

Server-Side Request Forgery

A pretty standard SSRF: the casa/nodes/thumbprints endpoint takes an array of addresses and responds with whatever content each one returns. With no checks on the target, it could be pointed at internal endpoints such as 127.0.0.1/casa/private/security/passwordsync to reveal administrative password hashes.

Credentials Leak

Using the same SSRF, a request to an attacker-controlled server arrived with an Authorization header carrying a super-user's credentials, which could then be replayed against other endpoints.
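The check a practitioner would want for both the SSRF and the credential leak above, as an added example written for these notes (not VMware's fix): an endpoint that fetches certificate thumbprints for a list of addresses should accept only host[:port], refuse loopback, private, link-local and other non-global targets based on the resolved address, connect to that same pinned address so the DNS answer cannot change between check and use, and do nothing more than a TLS handshake, so no HTTP request, and therefore no Authorization header, ever goes to the remote side. The resolver is injectable so the example runs offline; all sample targets are constructed.

```python
"""Added example: vetting the targets of a fetch-on-behalf endpoint.

Illustrative code written for these show notes, not VMware's own fix. The
resolver is injectable so the example runs offline; sample targets are
constructed.
"""
import hashlib
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def _default_resolve(host):
    """Resolve a host name to the set of IP literals it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def vet_thumbprint_target(target, resolve=_default_resolve):
    """Return (host, port, pinned_ip) for an acceptable target or raise ValueError.

    `target` is one entry of the request array, e.g. "node2.example.internal:443".
    """
    # Parse as an authority only. A scheme, path or query means the caller is
    # trying to turn a fingerprint lookup into a generic HTTP fetch.
    parts = urlsplit("//" + target)
    if parts.scheme or parts.path or parts.query or parts.fragment or parts.username:
        raise ValueError("only host[:port] is accepted")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or 443

    try:
        candidates = {str(ipaddress.ip_address(host))}   # IP literal: no DNS needed
    except ValueError:
        candidates = set(resolve(host))
    if not candidates:
        raise ValueError("unresolvable host")

    for ip in candidates:
        addr = ipaddress.ip_address(ip)
        # is_global is False for loopback, RFC 1918, link-local, shared address
        # space, documentation ranges and reserved space, so one check covers them.
        if not addr.is_global:
            raise ValueError(f"{host} resolves to non-global address {ip}")

    # Pin one vetted address; the caller connects to it instead of re-resolving.
    return host, port, sorted(candidates)[0]


def is_allowed_target(target, resolve=_default_resolve):
    """Boolean form of vet_thumbprint_target for callers that just need a verdict."""
    try:
        vet_thumbprint_target(target, resolve)
        return True
    except ValueError:
        return False


def fetch_thumbprint(host, port, pinned_ip, timeout=5.0):
    """TLS handshake only: no HTTP request is sent, so the service's own
    Authorization header cannot leak to the remote side, and nothing the remote
    side sends back is returned except the certificate fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # fingerprinting an unknown cert, not trusting it
    with socket.create_connection((pinned_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()
```

Two design points. The vetting is done on the resolved address and the connection is made to that pinned address rather than the host name, which closes the rebinding window between check and use. And the fetch is a bare TLS handshake that returns a fingerprint, so the endpoint cannot be turned into a read primitive for /casa/private/... style paths, and there is no HTTP request for a super-user Authorization header to ride along on.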

Password Reset

The password reset endpoint at PUT /casa.os/slice/user only required a username and a new password, with no verification that the caller knows the current password (likely by design, so administrators can change user credentials). This could be abused to change the admin account's password and then log in over SSH for RCE.

Path Traversal

A straightforward path traversal in the /casa/private/config/slice/ha/certificate API: one could upload a .jsp webshell directly and include traversal sequences in the file name to write it into the webroot, provided the webroot's location is known.
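As an added example for these notes (not the vROps implementation), here is the vulnerable pattern, a caller-supplied name joined straight onto the upload directory, next to a hardened version that accepts only a bare file name with an expected extension and confirms the canonical destination still lies under the upload directory. The directory and file names, including the Tomcat webroot path, are constructed for the example.

```python
"""Added example: keeping an uploaded file name inside its upload directory.

Illustrative code written for these show notes, not the vROps implementation.
Directory and file names are constructed for the example.
"""
import os


def vulnerable_target(upload_dir, name):
    """Naive join: '../' segments or an absolute name walk out of upload_dir."""
    return os.path.join(upload_dir, name)


def escapes_dir(upload_dir, path):
    """True if the canonical form of `path` lies outside the canonical upload_dir."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([base, target]) != base


def safe_target(upload_dir, name, allowed_suffixes=(".pem", ".crt")):
    """Return the canonical destination path for `name` or raise ValueError."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL")
    # Only a bare file name is a legitimate input here. Any directory component,
    # with either separator, is attacker-controlled and is rejected outright.
    if os.path.basename(name.replace("\\", "/")) != name or name in (".", ".."):
        raise ValueError("directory components are not allowed")
    if not name.lower().endswith(allowed_suffixes):
        raise ValueError("unexpected file type")
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath resolves symlinks and dot segments, so this containment check is
    # defence in depth behind the bare-name rule rather than the only control.
    if escapes_dir(base, candidate):
        raise ValueError("path escapes upload directory")
    return candidate


def is_safe_upload_name(upload_dir, name):
    """Boolean form of safe_target."""
    try:
        safe_target(upload_dir, name)
        return True
    except ValueError:
        return False
```

The extension allow-list matters as much as the traversal check: even a name that stays inside the upload directory should not be able to drop a .jsp where the application server will execute it, and the bare-name rule means the webroot's location never enters the equation.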