  • Chirag Savla

#OMIGOD - CVE-2021-38647

Updated: Sep 22

Hello All,


In this blog post, we will explore the unauthenticated remote code execution vulnerability discovered by the WIZ team in the Azure Open Management Infrastructure (OMI) application, which was assigned CVE-2021-38647. The blog post published by the WIZ team contains all the details required to exploit the vulnerability if a vulnerable instance is available.


While reading the blog post, we decided to reproduce the scenario and write a quick PoC to exploit the vulnerability. We are releasing Proof of Concept (PoC) code in PowerShell and Python. The PoC code is published on the Github repo.


About Azure Open Management Infrastructure (OMI)


OMI is a UNIX/Linux application installed on Azure UNIX/Linux VMs that allows users to manage the machine and its configuration remotely and locally. It is the equivalent of Windows WMI and uses the Common Information Model (CIM). It runs with root privileges. The OMI application is installed automatically when services such as Azure Automation Accounts, Update Management, Log Analytics, Configuration Management, etc., are used for UNIX/Linux VMs. The OMI application also exposes its service over port 5986 if the Configuration Management service is used to manage the machine remotely.

We can extend the OMI functionality by leveraging the providers listed here. To execute OS commands, we will leverage the SCXcore provider.


About OMIGOD Vulnerability


Anyone with network access to a vulnerable endpoint can send a request that leverages the SCXcore provider without the Authorization header and execute OS commands on the target machine with root privileges! This vulnerability is now fixed, but it is always worth checking against Linux VMs in Azure.


Setup


Microsoft has started rolling out patches for newly created instances and also for existing instances. If we want to create a lab environment in Azure with a vulnerable instance to test the exploit PoC or the detection, we can leverage the ARM template created by Roberto Rodriguez. If we want to create a lab on-premises, we can follow the blog published by rootsecdev.


Proof of Concept (PoC)


Both PoCs contain two methods to execute code on the target machine:

1) ExecuteShellCommand

2) ExecuteScript

Let's look at the PowerShell PoC:

. .\Invoke-CVE-2021-38647.ps1
Invoke-CVE-2021-38647 -TargetIP <IP> -TargetPort <PORT> -Command "<COMMAND>"

$MyScript = @"
id
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
$enc
Invoke-CVE-2021-38647 -TargetIP <IP> -TargetPort <PORT> -Script $enc

Now let's look at the Python PoC:

python .\CVE-2021-38647.py -t <IP> -p <PORT> -c "<COMMAND>"

$MyScript = @"
id
uname -a
"@
$enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
$enc
python .\CVE-2021-38647.py -t <IP> -p <PORT> -s "<SCRIPT>"

Detection & Mitigations


We can follow the blog published by the Microsoft team to detect exploitation of the vulnerability.

https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093


To mitigate the vulnerability, update the OMI agent to version 1.6.8.1 or above.
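As an added example (not part of the original post or its PoC repo), a small inventory check that parses the OMI version out of package-manager or omiserver output and flags hosts below the fixed version 1.6.8.1. The sample inventory lines are constructed, and the accepted version-string formats (dotted, or version-release with a hyphen) are assumptions.

```python
import re
from typing import Dict, Iterable, Tuple

# Lowest OMI agent version that contains the fix, as stated in the post.
FIXED_VERSION = "1.6.8.1"


def parse_omi_version(text: str) -> Tuple[int, ...]:
    """Extract an OMI version tuple from a package-manager or omiserver string.

    Assumption: both the dotted form (1.6.8.1) and the version-release form
    (1.6.8-1) denote the same build, so either separator is accepted before
    the fourth component. Comparing integer tuples (not strings) keeps
    1.6.10 above 1.6.8.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)[.-](\d+)", text)
    if not m:
        raise ValueError(f"no OMI version found in: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed OMI version is at or above the fixed version."""
    return parse_omi_version(version_text) >= parse_omi_version(fixed)


def assess_hosts(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> 'patched' / 'VULNERABLE' / 'unknown' for
    (hostname, raw version string) pairs collected from package queries."""
    result = {}
    for host, raw in inventory:
        try:
            result[host] = "patched" if is_patched(raw) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"  # no OMI version found; check manually
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real systems).
    SAMPLE = [
        ("vm-web-01", "ii  omi  1.6.8.1  amd64  Open Management Infrastructure"),
        ("vm-db-02", "omi-1.6.4-1.x86_64"),
        ("vm-app-03", "/opt/omi/bin/omiserver: 1.6.8-1"),
        ("vm-old-04", "no package omi found"),
    ]
    for host, status in assess_hosts(SAMPLE).items():
        print(f"{host}: {status}")
```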


Reference

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38647

https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

https://rootsecdev.medium.com/creating-your-own-private-pwn-lab-for-omi-exploitation-b6919fc63956

https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093

https://github.com/OTRF/Azure-Sentinel2Go/tree/master/grocery-list/Linux/demos/CVE-2021-38647-OMI



Feel free to send me feedback on Twitter: @chiragsavla94


Thanks for reading the post.


Special thanks to all my friends who helped, supported and motivated me to write these blogs. 🙏


Posted by:

Chirag Savla

Senior Security Researcher at AlteredSecurity


Also published at 3xpl01tc0d3r.
