vcenter_saml_login

An error is reported when the script is running

Open Chinakentgao opened this issue 2 years ago • 6 comments

root@kent:~/CVE-2021-22005-exp# python3 vcenter_saml_login.py -p data.mdb -t xxx.xx.xxx.xxx
[] Successfully extracted the IdP certificate
[] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,CN=e4ed3720-803d-4d2e-bbd1-3b5221182357,CN=Ldus,CN=ComponentManager,DC=vsphere,DC=local
[] Domain: vsphere.local
[] Successfully extracted trusted certificate 1
[] Successfully extracted trusted certificate 2
[] Obtaining hostname from vCenter SSL certificate
[] Found hostname vcenter.tech.zone for xxx.xx.xxx.xxx
[] Initiating SAML request with xxx.xx.xxx.xxx
[] Generating SAML assertion
[] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[-] Failed logging in with SAML request
Traceback (most recent call last):
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 350, in
    c = login(args.target, s)
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 300, in login
    raise Exception("expected 302 redirect")
Exception: expected 302 redirect

xxx.xx.xxx.xxx is an Internet IP.

Chinakentgao, Mar 09 '22 07:03

Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, https://github.com/horizon3ai/vcenter_saml_login/pull/13, I believe it may address your issue.

scopedsecurity, Mar 09 '22 14:03

Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, #13, I believe it may address your issue.

Traceback (most recent call last):
  File "/root/CVE-2021-22005-exp/vcenter7.0.3_saml_login.py", line 354, in
    req, relaystate = saml_request(args.target)
  File "/root/CVE-2021-22005-exp/vcenter7.0.3_saml_login.py", line 246, in saml_request
    return etree.fromstring(req), parse_qs(o.query)["RelayState"][0]
KeyError: 'RelayState'

Chinakentgao, Mar 10 '22 06:03

Do you have any additional information about the version of vCenter running? Can you inspect the traffic of a normal login to ensure the request parameters haven't changed for this version? If they have, you should be able to edit the request to include the necessary so it won't be redirected.

scopedsecurity, Mar 10 '22 13:03

Do you have any additional information about the version of vCenter running? Can you inspect the traffic of a normal login to ensure the request parameters haven't changed for this version? If they have, you should be able to edit the request to include the necessary so it won't be redirected.

I'm sorry, this is the test goal of a project I'm responsible for. The owner didn't provide me with any information about vCenter. Because I can't log in, the current information is basically not available.

Chinakentgao, Mar 11 '22 00:03

I am getting the 302 redirect error as well.

barrett092, Mar 21 '22 21:03

Hello, in newer versions of vCenter they have added a new request parameter that we have not tested well enough that will cause this behavior. If you check out the pull request here, #13, I believe it may address your issue.

This worked :)

barrett092, Mar 21 '22 21:03