| Name | vrealize_vcofactory_deserialize |
| CVE | CVE-2015-6934 |
| Exploit Pack | CANVAS |
| Description | vrealize_vcofactory_deserialize |
| Notes | CVE Name: CVE-2015-6934 VENDOR: VMWare NOTES: IMPORTANT NOTE: Any instance of this application running Apache Commons Collections version prior to 3.0 WILL NOT WORK. VMWare VRealize has a remoting interface named vcofactory. It communicates with a client by exchanging serialized Java objects. Apache Commons pre-3.2 allows users to serialize transformers on collection values. Of importance to us is the InvokerTransfomer, which is capable of invoking Java methods. We are able to run these transformers by adding them to an annotation map whose members are acccessed. The right chain of method invocations leads to arbitrary code execution. Tested targets: > vRealize 6.0.1.2490144 - Windows 8.1 Pro x86_64 EN / Java 6u45 - SUCCESS - Windows 8.1 Pro x86_64 EN / Java 7u80 - SUCCESS - Windows 8.1 Pro x86_64 EN / Java 8u73 - SUCCESS > vCenter Orchestrator Appliance - Appliance's VMDK is corrupted > vRealize Operations Manager Appliance 6.2.0.3 - Publically accessible interfaces require client certificate authentication. A CA-signed client certificate is necessary to connect. Repeatability: Infinite References: ['https://www.vmware.com/security/advisories/VMSA-2015-0009'] CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6934 |
| Learn more about the CANVAS Exploit Pack here: CANVAS |