A Quick Look at CVE-2021-21985 vCenter Pre-Auth RCE

service-control --restart vsphere-ui
iptables -P INPUT ACCEPT
*This is what I actually did at that time … 🤣
- POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setTargetObject
- POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setStaticMethod
- POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/setArguments
- POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/prepare
- POST /ui/h5-vsan/rest/proxy/service/&vsanProviderUtils_setVmodlHelper/invoke
boolean, byte, char, class [B, class [C, class [I, class [J, class [Ljava.lang.Class;, class [Ljava.lang.String;, class [Lorg.springframework.core.io.Resource;, class [S, class java.io.File, class java.io.InputStream, class java.io.Reader, class java.lang.Boolean, class java.lang.Byte, class java.lang.Character, class java.lang.Class, class java.lang.Double, class java.lang.Float, class java.lang.Integer, class java.lang.Long, class java.lang.Short, class java.math.BigDecimal, class java.math.BigInteger, class java.net.URI, class java.net.URL, class java.nio.charset.Charset, class java.time.ZoneId, class java.util.Currency, class java.util.Locale, class java.util.Properties, class java.util.regex.Pattern, class java.util.TimeZone, class java.util.UUID, class org.xml.sax.InputSource, double, float, int, interface java.nio.file.Path, interface java.util.Collection, interface java.util.List, interface java.util.Set, interface java.util.SortedMap, interface java.util.SortedSet, long, short
