OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

Overview

omigood (OM I GOOD?)

This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threat research team, specifically CVE-2021-38647.

Original blog post from Wiz: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Overview

The scanner requires Azure credentials to connect to Azure APIs and, given a subscription and a resource group (or by default it will scan all the available ones), retrieves the list of Linux VMs and reports whether the machine might be vulnerable.

Also make sure to check out Microsoft's own tool for this purpose: https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck

Authentication

To authenticate against Azure APIs, both azure cli (default) and Interactive Browser authentication are supported, check the --auth command line parameter.

Performed checks

There isn't a straightforward way to determine whether your machines are vulnerable to OMI without running commands on the Linux machine itself, which is supported through Azure APIs using the RunShellScript command through an extension. Microsoft's own tool (https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck) uses this approach as well.

It's worth noting that, even if the VM is vulnerable, it might not be exposing the OMI server via HTTP/HTTPS (which is the default) and, even if it does, those ports might be blocked by Azure's Network Security Groups, hence not reachable. This is not a reason to avoid patching but, if you have a lot of vulnerable Linux VMs, it might be useful to know which ones are more exposed and prioritize your efforts.

omigood follows this more comprehensive approach and will produce a JSON output with a number of checks that you can trigger through command line options in order to determine your attack surface.

These are the checks performed by omigood:

  • Check against Azure API if the VM is running Linux
  • Check against Azure API if the VM is running the OMSAgentForLinux extension, which is a good hint on whether the machine might be running OMI as well.
  • Check against Azure API the version of the OMS Agent, as it is often correlated to the OMI version. This check can be performed without running any script on the VM. OMS Agent should be at least version 1.13.40. You can check out the script we run here.
  • Check against Azure API the Network Security Groups of the VM, and determine (using a very simple algorithm that can trigger false positives) whether the OMI server ports might be open.
  • Check against Azure API the Effective Network Security Groups of the VM (combination of network interface and subnet) and determine whether the OMI server ports might be open. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -e command line option.
  • Use the Azure API to run a simple bash script on the VM that determines whether the OMI server is running, its version and whether it's exposed only on UNIX socket (default) or also TCP. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -r command line option. Use at your own risk!
  • Try to attack the machine's public IP running the /usr/bin/id command. This check is optional as it involves trying to exploit the VM. Enable it with the -a command line option. Use it only on targets that you are authorized to test. Use it at your own risk!

Output

The generated JSON output file contains all the information on the scanned VMs: IDs, operating system, network security groups, power state, etc.

The flags ('YES'/'NO') that are relevant for the checks are:

  • check_oms_extension: YES if OMS Agent Extension is found on the VM.
  • check_oms_vulnerable: YES if OMS Agent Extension version is lower than 1.13.40.
  • check_permissive_rules: YES if Network Security Group rules seem to permit connections to OMI ports.
  • check_permissive_effective_rules: YES if Effective Security rules seem to permit connections to OMI ports. Only with -e command line option.
  • check_omi_vulnerable: YES if OMI server version was retrieved via script and determined to be lower than 1.6.8-1. Only with -r command line option.
  • check_omi_listening_on_tcp: YES if OMI server status was retrieved via script and determined to be listening on TCP and not only UNIX sockets. Only with -r command line option.
  • check_attack_successful: YES if the attack on the VM's Public IP was successful. Only with -r command line option.

Usage

usage: omigood_scanner.py [-h] [-v] [--auth {azurecli,interactivebrowser}] [-r] [-a] [-e] [-s SUBSCRIPTIONS]
                          [-g RESOURCEGROUPS] [-m VMS] -o OUTPUT

OMIGood scanner for CVE-2021-38647

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         [OPTIONAL] Verbose mode: Displays additional debug details.
  --auth {azurecli,interactivebrowser}
                        Authentication mode. Default: azurecli.
  -r, --runscript       [OPTIONAL] Run Script. Runs bash script on target VMs to check for OMI server, agent and
                        version. Disabled by default. Use at your own risk.
  -a, --attack          [OPTIONAL] Try to attack the host. Disabled by default. Use at your own risk.
  -e, --effective       [OPTIONAL] Check Effective Security Rules. Disabled by default. Requires higher permissions on
                        Azure.
  -s SUBSCRIPTIONS, --subscriptions SUBSCRIPTIONS
                        [OPTIONAL] Comma separate list of subscriptions IDs. If not specified, it will try all.
  -g RESOURCEGROUPS, --resourcegroups RESOURCEGROUPS
                        [OPTIONAL] Comma separated list of Resource Group names. If not specified, it will try all. If
                        specified, it will work only with a single subscription provided.
  -m VMS, --vms VMS     [OPTIONAL] Comma separated list of VM names. If not specified, it will try all. If specified,
                        it will work only with a single subscription and a single resource group provided.
  -o OUTPUT, --output OUTPUT
                        JSON output file with results.

Contributors

  • Marco Simioni
  • Francesco Vigo
  • Giordano Bianchi

DISCLAIMER

The Software and code samples available on this repository are provided "as is" without warranty of any kind, either express or implied. Use at your own risk.

You might also like...
OpenSource Poc && Vulnerable-Target Storage Box.
OpenSource Poc && Vulnerable-Target Storage Box.

reapoc OpenSource Poc && Vulnerable-Target Storage Box. We are aming to collect different normalized poc and the vulerable target to verify it. Now re

Mass Check Vulnerable Log4j CVE-2021-44228
Mass Check Vulnerable Log4j CVE-2021-44228

Log4j-CVE-2021-44228 Mass Check Vulnerable Log4j CVE-2021-44228 Introduction Actually I just checked via Vulnerable Application from https://github.co

Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.
Python3 script for scanning CVE-2021-44228 (Log4shell) vulnerable machines.

Log4j_checker.py (CVE-2021-44228) Description This Python3 script tries to look for servers vulnerable to CVE-2021-44228, also known as Log4Shell, a v

A simple automatic tool for finding vulnerable log4j hosts
A simple automatic tool for finding vulnerable log4j hosts

Log4Scan A simple automatic tool for finding vulnerable log4j hosts Installation pip3 install -r requirements.txt Usage usage: log4scan.py [-h] (-f FI

Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.
Providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account.

We are providing DevOps and security teams script to identify cloud workloads that may be vulnerable to the Log4j vulnerability(CVE-2021-44228) in their AWS account. The script enables security teams to identify external-facing AWS assets by running the exploit on them, and thus be able to map them and quickly patch them

Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI
Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI

LFI-Hunter Searches for potentially vulnerable websites to local file inclusion, throughout the web and then exploits them for LFI A script written in

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

This repository detects a system vulnerable to CVE-2022-21907 and protects against this vulnerability if desired

Owner
Marco Simioni
Marco Simioni
A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts

log4j-scan A fully automated, accurate, and extensive scanner for finding vulnerable log4j hosts Features Support for lists of URLs. Fuzzing for more

Duc Linh Nguyen 4 Aug 8, 2022
A kAFL based hypervisor fuzzer which fully supports nested VMs

hAFL2 hAFL2 is a kAFL-based hypervisor fuzzer. It is the first open-source fuzzer which is able to target hypervisors natively (including Hyper-V), as

SafeBreach Labs 115 Dec 7, 2022
Js File Scanner This is Js File Scanner

Js File Scanner This is Js File Scanner . Which are scan in js file and find juicy information Toke,Password Etc.

null 122 Dec 12, 2022
Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets.

Yuyu Scanner Yuyu Scanner is a Web Reconnaissance & Web Analysis Scanner to find assets and information about targets. installation ! run as root

Justakazh 20 Nov 24, 2022
USSR-Scanner - USSR Scanner with python

Purposes ? Hey there is abosolutely no need to do this we do it only to irritate

Binary.club 2 Jan 24, 2022
wsvuls - website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.]

WSVuls Website vulnerability scanner detect issues [ outdated server software and insecure HTTP headers.] What's WSVuls? WSVuls is a simple and powerf

Anouar Ben Saad 47 Sep 22, 2022
SonicWALL SSL-VPN Web Server Vulnerable Exploit

SonicWALL SSL-VPN Web Server Vulnerable Exploit

null 44 Nov 15, 2022
adb - A tool that allows you to search for vulnerable android devices across the world and exploit them.

adb - An exploitation tool for android devices. A tool that allows you to search for vulnerable android devices across the world and exploit them. Fea

null 136 Jan 2, 2023
Strapi Framework Vulnerable to Remote Code Execution

CVE-2019-19609 Strapi Framework Vulnerable to Remote Code Execution well, I didnt found any exploit for CVE-2019-19609 so I wrote one. :/ Usage pytho

Dasith Vidanage 7 Mar 8, 2022
Proof of concept to check if hosts are vulnerable to CVE-2021-41773

CVE-2021-41773 PoC Proof of concept to check if hosts are vulnerable to CVE-2021-41773. Description (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CV

Jordan Jay 43 Nov 9, 2022