Full Report
SSO providers such as Google are the main authentication scheme for logging in to platforms, and there are many corporate products in the same space, such as Cisco Identity Services Engine, Oracle Access Manager (OAM) and VMware Workspace ONE Access. This post is aimed at finding a vulnerability in the SSO provider VMware Workspace ONE Access.

To start with, there is a minimal attack surface for unauthenticated users; as a result, an auth bypass is required. The API generateActivationToken will generate an activation code for an existing OAuth2 client, and calling activate with that code returns the client ID and client secret for that client. Instead of finding a bad code path, they abused functionality in the app itself! By calling generateActivationToken for a default client in the system and sending the resulting code to activate, we now hold that client's credentials and can act as an application calling the provider. This gives us much more attack surface to work with.

The second vulnerability is a Java Database Connectivity (JDBC) injection. The function dbCheck accepts a JDBC URI in order to make a database connection remotely. This is a known vulnerable sink that can be taken to code execution. One method is pointing the URI at an attacker-controlled database server that sends back an arbitrary serialized object, which is deserialized into any object we want; using the CommonsBeanutils1 gadget (from the ysoserial tool), a shell can easily be gained. A second way is abusing the local gadget socketFactory: by instantiating this object, an attacker can trigger the constructor of an arbitrary Java class with a controlled string argument, with no outbound connection required.

Is code execution enough? Nope! The author wanted to escalate privileges on the box to become root. Reviewing the permissions of the horizon user via sudo -l, they went through the scripts that could be run as root. First, the script publishCaCert.hzn will copy a file to a specified location and then make the copy readable and writable by the user running the script, so sensitive root-only files can be leaked. The script gatherConfig.hzn takes a debug file, debugConfig.txt, and changes its ownership to the Tomcat user/group; by making debugConfig.txt a symbolic link to a root-owned file, the ownership of that target file is changed instead. Using either of these primitives, the sudo-runnable script certproxyService.sh can be made writable by the attacker, modified, and then run as root for persistent root access. Overall, a really awesome post on finding vulnerabilities in the logic of an application and code execution bugs in a non-command-injection/memory-corruption fashion. The post is extremely detailed with many extra routes on top of everything else.
Analysis Summary
# Vulnerability: Pre-Authenticated Remote Root Exploit Chain in VMware Workspace ONE Access (Hekate)
## CVE Details
- CVE ID: Not stated in this summary. The vendor advisory assigns separate CVE IDs to the authentication bypass, the JDBC injection (RCE) and the local privilege escalation; the chain below combines all three.
- CVSS Score: Not stated in this summary, but a pre-authenticated remote root chain on an internet-facing identity provider is **Critical** by any reasonable scoring.
- CWE: CWE-287 (Improper Authentication) for the activation bypass; CWE-74 (Injection) and CWE-502 (Deserialization of Untrusted Data) for the JDBC URI sink; CWE-59 (Link Following) for the symbolic-link step in the privilege escalation.
## Affected Systems
- Products: VMware Workspace ONE Access (formerly VMware Identity Manager; the OVA name below still carries the old product name)
- Versions: `21.08.0.1` (Latest at time of testing, deployed via `identity-manager-21.08.0.1-19010796_OVF10.ova`)
- Configurations: Impacted the cloud version in its default configuration.
## Vulnerability Description
This research identifies a chain of vulnerabilities leading to pre-authenticated Remote Root Access, nicknamed "Hekate." The chain involves three main steps:
1. **Authentication Bypass:** A logic flaw in the `generateActivationToken` and `activate` API endpoints. Both are reachable without credentials: `generateActivationToken` returns an activation code for an existing OAuth2 client, and `activate` exchanges that code for the client's ID and secret. Requesting a code for one of the default built-in clients and activating it hands the attacker that client's credentials, so they can call the provider as a trusted application and reach a much larger attack surface.
2. **Remote Code Execution (RCE) via JDBC Injection:** `dbCheck` accepts a caller-supplied JDBC URI and opens a connection to it. JDBC connection strings are a known code-execution sink, and the write-up reaches RCE in two ways:
* **Deserialization via a malicious database server:** Point the URI at an attacker-controlled server that answers with a serialized object; the client deserializes it, and a ysoserial `CommonsBeanutils1` payload yields a shell.
* **Local gadget (`socketFactory`):** Use the JDBC driver's `socketFactory` connection parameter to make the driver instantiate an arbitrary class on the classpath, calling its constructor with an attacker-controlled string argument. No outbound connection is needed.
3. **Privilege Escalation to Root:** Code execution lands as the `horizon` user, whose `sudo -l` output lists several scripts runnable as root. Three of them give the escalation:
* **File disclosure (`publishCaCert.hzn`):** Copies a caller-specified file to a caller-specified destination and then makes the copy readable and writable by the invoking user, so any root-only file can be read.
* **Ownership change (`gatherConfig.hzn`):** Changes the ownership of a `debugConfig.txt` file to the Tomcat user/group. Replacing that file with a symbolic link to a root-owned file transfers ownership of the link target instead.
* **Persistence and root shell (`certproxyService.sh`):** Make this sudo-runnable script writable with either primitive above, add commands to it, and run it as root.
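The JDBC step above is a sink problem: whatever reaches `dbCheck` as a connection string is handed to the driver unchanged, so both a remote host and a driver-level class-loading parameter ride along. The following is an added example, not code from the write-up, from VMware or from the Hekate PoC, of the strict allow-list check such a sink needs. It assumes (not from the page) that the only legitimate target is a local PostgreSQL database named `saas`, that the application needs no driver parameters beyond `user`, `password` and `sslmode`, and it names `socketFactory`/`socketFactoryArg`, the PostgreSQL JDBC driver's class-loading parameters, as the local-gadget carrier. Anything not explicitly allowed is rejected, which is what blocks both variants at once.

```python
"""Strict allow-list validation of a caller-supplied JDBC connection string.

Added example, not code from the original write-up or from VMware. Database
name, allowed parameters and hosts are hypothetical placeholders.
"""
import re
from urllib.parse import parse_qsl

ALLOWED_HOSTS = {"localhost", "127.0.0.1"}            # hypothetical: local DB only
ALLOWED_DATABASES = {"saas"}                           # hypothetical database name
ALLOWED_PARAMS = {"user", "password", "sslmode"}       # hypothetical allow-list

# Exactly one host and an optional numeric port. This rejects the driver's
# multi-host "h1:p1,h2:p2" form, user-info ("x@host") and IPv6 brackets up
# front, so no lenient URL parser gets to reinterpret them later.
_AUTHORITY = re.compile(r"^(?P<host>[A-Za-z0-9.-]{1,253})(?::(?P<port>\d{1,5}))?$")
_PREFIX = "jdbc:postgresql://"


class UnsafeJdbcUri(ValueError):
    """Raised for any connection string that is not on the allow-list."""


def validate_jdbc_uri(uri: str) -> dict:
    """Return the parsed parts of `uri` if it is acceptable, else raise.

    An unexpected host blocks the remote-server (deserialization) variant, an
    unexpected parameter blocks the socketFactory variant, and an unexpected
    scheme blocks a switch to a different driver entirely.
    """
    if not uri.startswith(_PREFIX):
        raise UnsafeJdbcUri("scheme/driver not permitted")
    rest = uri[len(_PREFIX):]
    authority, _, path_and_query = rest.partition("/")
    m = _AUTHORITY.match(authority)
    if not m:
        raise UnsafeJdbcUri(f"malformed authority {authority!r}")
    host = m.group("host").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeJdbcUri(f"host {host!r} not in allow-list")
    port = int(m.group("port") or 5432)
    if not 1 <= port <= 65535:
        raise UnsafeJdbcUri(f"port {port} out of range")
    database, _, query = path_and_query.partition("?")
    if database not in ALLOWED_DATABASES:
        raise UnsafeJdbcUri(f"database {database!r} not in allow-list")
    params = {}
    # parse_qsl percent-decodes names, so an encoded "socketFactory" is still
    # compared against the allow-list in its decoded form.
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in ALLOWED_PARAMS:
            raise UnsafeJdbcUri(f"parameter {name!r} not permitted")
        params[name] = value
    return {"host": host, "port": port, "database": database, "params": params}


def is_safe_jdbc_uri(uri: str) -> bool:
    """Boolean form of validate_jdbc_uri for callers that only need a verdict."""
    try:
        validate_jdbc_uri(uri)
        return True
    except UnsafeJdbcUri:
        return False


if __name__ == "__main__":
    for candidate in (
        "jdbc:postgresql://localhost:5432/saas?user=horizon&sslmode=disable",
        "jdbc:postgresql://203.0.113.7:5432/saas",                      # attacker-run server
        "jdbc:postgresql://localhost/saas?socketFactory=a.b.C&socketFactoryArg=x",
        "jdbc:postgresql://localhost:5432,203.0.113.7:5432/saas",        # multi-host form
        "jdbc:mysql://localhost/saas",                                   # other driver
    ):
        print(is_safe_jdbc_uri(candidate), candidate)
```

The design choice worth copying is the direction of the check: a deny-list of known-bad parameter names would have to track every driver release, whereas an allow-list of the three or four parameters the application actually uses needs no maintenance when a new driver feature turns out to load classes.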
## Exploitation
- Status: PoC available (Exploits downloadable from the researcher's repository, demonstrated at Black Hat USA 2022).
- Complexity: Low (Pre-authenticated, 0-click exploit chain).
- Attack Vector: Network (Targets port 443, which is often exposed externally).
## Impact
- Confidentiality: High (Achieved root access, potential to leak sensitive JWTs/system info).
- Integrity: High (Achieved root access, ability to modify system files/configurations).
- Availability: High (Complete compromise of the appliance).
## Remediation
### Patches
- VMware released fixed versions for these vulnerabilities; the specific builds are listed in the vendor advisory. The researcher indicates the fixes were available before the public disclosure on August 11, 2022.
### Workarounds
- Block external access to port 443 until patching is complete, where the deployment allows it.
- Restricting outbound connections from the appliance blunts only the remote-server deserialization variant; the `socketFactory` variant runs entirely on the appliance and needs no outbound connection, so egress filtering is a partial measure at best.
## Detection
- **Indicators of Compromise (IOCs):**
* A `generateActivationToken` request followed shortly by an `activate` request from the same external client, or any activation of a default built-in OAuth2 client that no administrator initiated.
* `sudo` log entries showing the `horizon` user invoking `publishCaCert.hzn`, `gatherConfig.hzn` or `certproxyService.sh` with unexpected arguments; a `debugConfig.txt` that is a symbolic link; any change to the contents or ownership of `certproxyService.sh`.
* Outbound database connection attempts from the appliance to hosts other than its configured database (the remote-server variant), and `dbCheck` requests whose JDBC URI carries driver parameters such as `socketFactory` (the local variant).
* Java deserialization of classes from the Commons BeanUtils gadget chain (`CommonsBeanutils1` is the ysoserial payload name, not a class), or of any class the application does not normally deserialize.
- **Detection Methods and Tools:**
* Monitoring for unusual deserialization patterns or usage of dangerous classes in Java application logs.
* Runtime Application Self-Protection (RASP) tools configured to monitor sinks like JDBC connection construction.
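Two of the indicators above are cheap to turn into correlation rules: the token-then-activate pair from one network client, and the `horizon` user invoking the sudo-permitted scripts. The block below is an added example, not part of the original write-up or of the Hekate PoC, that runs both rules over constructed sample lines. The access-log layout (`<ISO time> <client> <method> <path> <status>`), the endpoint path prefixes, the syslog-style `sudo` lines and the script directory are all placeholders chosen for illustration; only the endpoint names and script names come from the write-up.

```python
"""Correlation rules for the Hekate chain over constructed log lines.

Added example, not from the original write-up. Log formats and paths are
placeholders; endpoint and script names are the ones the write-up describes.
"""
import re
from datetime import datetime, timedelta
from posixpath import basename

# Constructed sample access log: time, client, method, path, status.
ACCESS_LOG = """\
2022-08-11T10:00:01Z 203.0.113.7 POST /api/oauth2/generateActivationToken/Service__OAuth2Client 200
2022-08-11T10:00:03Z 203.0.113.7 POST /api/oauth2/activate 200
2022-08-11T10:00:20Z 198.51.100.9 GET /SAAS/auth/login 200
2022-08-11T11:30:00Z 198.51.100.9 POST /api/oauth2/activate 200
"""

# Constructed sample sudo entries in syslog layout; the script directory is assumed.
SUDO_LOG = """\
Aug 11 09:00:00 ws1 sudo:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/bin/ls /tmp
Aug 11 10:05:09 ws1 sudo:  horizon : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/horizon/scripts/gatherConfig.hzn
Aug 11 10:05:30 ws1 sudo:  horizon : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/local/horizon/scripts/certproxyService.sh restart
"""

PRIVESC_SCRIPTS = {"publishCaCert.hzn", "gatherConfig.hzn", "certproxyService.sh"}
_SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)$")


def parse_access_log(text):
    """Split each access-log line into a record with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        ts, client, method, path, status = line.split()
        records.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "client": client, "method": method,
                        "path": path, "status": int(status)})
    return records


def find_activation_flows(records, window_seconds=60):
    """Rule 1: one client obtains an activation token and activates it shortly
    afterwards. Legitimate activations are driven by an administrator, so the
    pair arriving from a single network client is the bypass in action."""
    last_token = {}   # client -> time of its most recent successful token request
    hits = []
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["status"] != 200:
            continue
        if "generateActivationToken" in rec["path"]:
            last_token[rec["client"]] = rec["time"]
        elif rec["path"].endswith("/activate"):
            t = last_token.get(rec["client"])
            if t is not None and rec["time"] - t <= timedelta(seconds=window_seconds):
                hits.append({"client": rec["client"], "token_at": t, "activated_at": rec["time"]})
    return hits


def parse_sudo_log(text):
    """Extract invoking user, target user and command from sudo syslog lines."""
    records = []
    for line in text.splitlines():
        m = _SUDO_RE.search(line)
        if m:
            records.append({"raw": line, **m.groupdict()})
    return records


def find_privesc_script_runs(records):
    """Rule 2: the low-privileged horizon user running one of the three
    sudo-permitted scripts the write-up abuses. Each hit is an analyst lead,
    not proof: the scripts have legitimate uses, so the arguments and the state
    of debugConfig.txt / certproxyService.sh at the time decide."""
    hits = []
    for rec in records:
        if rec["user"] != "horizon":
            continue
        parts = rec["command"].split()
        script = basename(parts[0])
        if script in PRIVESC_SCRIPTS:
            hits.append({"script": script, "args": " ".join(parts[1:]),
                         "runas": rec["runas"], "raw": rec["raw"]})
    return hits


if __name__ == "__main__":
    for hit in find_activation_flows(parse_access_log(ACCESS_LOG)):
        print("activation bypass pattern:", hit)
    for hit in find_privesc_script_runs(parse_sudo_log(SUDO_LOG)):
        print("privesc script run:", hit["script"], hit["args"] or "(no args)")
```

Rule 1 keys on the endpoint names rather than a full path so it survives a different URL prefix; the window is deliberately short because the PoC performs the two calls back to back, and a longer window mainly adds administrator-driven activations. Rule 2 reports every horizon-initiated run of the three scripts and leaves the verdict to triage, which is the right trade-off for scripts that are also part of normal appliance maintenance.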
## References
- Vendor Advisories: the VMware security advisory covering this chain, published ahead of the August 2022 write-up, lists the individual CVE IDs and the fixed versions.
- Relevant Links:
* https://github.com/sourceincite/hekate/ (PoC repository)
* https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html (Original write-up)