OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

Overview

omigood (OM I GOOD?)

This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threat research team, specifically CVE-2021-38647.

Original blog post from Wiz: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Overview

The scanner requires Azure credentials to connect to Azure APIs and, given a subscription and a resource group (or by default it will scan all the available ones), retrieves the list of Linux VMs and reports whether the machine might be vulnerable.

Also make sure to check out Microsoft's own tool for this purpose: https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck

Authentication

To authenticate against Azure APIs, both azure cli (default) and Interactive Browser authentication are supported, check the --auth command line parameter.

Performed checks

There isn't a straightforward way to determine whether your machines are vulnerable to OMI without running commands on the Linux machine itself, which is supported through Azure APIs using the RunShellScript command through an extension. Microsoft's own tool (https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck) uses this approach as well.

It's worth noting that, even if the VM is vulnerable, it might not be exposing the OMI server via HTTP/HTTPS (which is the default) and, even if it does, those ports might be blocked by Azure's Network Security Groups, hence not reachable. This is not a reason to avoid patching but, if you have a lot of vulnerable Linux VMs, it might be useful to know which ones are more exposed and prioritize your efforts.

omigood follows this more comprehensive approach and will produce a JSON output with a number of checks that you can trigger through command line options in order to determine your attack surface.

These are the checks performed by omigood:

  • Check against Azure API if the VM is running Linux
  • Check against Azure API if the VM is running the OMSAgentForLinux extension, which is a good hint on whether the machine might be running OMI as well.
  • Check against Azure API the version of the OMS Agent, as it is often correlated to the OMI version. This check can be performed without running any script on the VM. OMS Agent should be at least version 1.13.40. You can check out the script we run here.
  • Check against Azure API the Network Security Groups of the VM, and determine (using a very simple algorithm that can trigger false positives) whether the OMI server ports might be open.
  • Check against Azure API the Effective Network Security Groups of the VM (combination of network interface and subnet) and determine whether the OMI server ports might be open. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -e command line option.
  • Use the Azure API to run a simple bash script on the VM that determines whether the OMI server is running, its version and whether it's exposed only on UNIX socket (default) or also TCP. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -r command line option. Use at your own risk!
  • Try to attack the machine's public IP running the /usr/bin/id command. This check is optional as it involves trying to exploit the VM. Enable it with the -a command line option. Use it only on targets that you are authorized to test. Use it at your own risk!

Output

The generated JSON output file contains all the information on the scanned VMs: IDs, operating system, network security groups, power state, etc.

The flags ('YES'/'NO') that are relevant for the checks are:

  • check_oms_extension: YES if OMS Agent Extension is found on the VM.
  • check_oms_vulnerable: YES if OMS Agent Extension version is lower than 1.13.40.
  • check_permissive_rules: YES if Network Security Group rules seem to permit connections to OMI ports.
  • check_permissive_effective_rules: YES if Effective Security rules seem to permit connections to OMI ports. Only with -e command line option.
  • check_omi_vulnerable: YES if OMI server version was retrieved via script and determined to be lower than 1.6.8-1. Only with -r command line option.
  • check_omi_listening_on_tcp: YES if OMI server status was retrieved via script and determined to be listening on TCP and not only UNIX sockets. Only with -r command line option.
  • check_attack_successful: YES if the attack on the VM's Public IP was successful. Only with -r command line option.

Usage

usage: omigood_scanner.py [-h] [-v] [--auth {azurecli,interactivebrowser}] [-r] [-a] [-e] [-s SUBSCRIPTIONS]
                          [-g RESOURCEGROUPS] [-m VMS] -o OUTPUT

OMIGood scanner for CVE-2021-38647

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         [OPTIONAL] Verbose mode: Displays additional debug details.
  --auth {azurecli,interactivebrowser}
                        Authentication mode. Default: azurecli.
  -r, --runscript       [OPTIONAL] Run Script. Runs bash script on target VMs to check for OMI server, agent and
                        version. Disabled by default. Use at your own risk.
  -a, --attack          [OPTIONAL] Try to attack the host. Disabled by default. Use at your own risk.
  -e, --effective       [OPTIONAL] Check Effective Security Rules. Disabled by default. Requires higher permissions on
                        Azure.
  -s SUBSCRIPTIONS, --subscriptions SUBSCRIPTIONS
                        [OPTIONAL] Comma separate list of subscriptions IDs. If not specified, it will try all.
  -g RESOURCEGROUPS, --resourcegroups RESOURCEGROUPS
                        [OPTIONAL] Comma separated list of Resource Group names. If not specified, it will try all. If
                        specified, it will work only with a single subscription provided.
  -m VMS, --vms VMS     [OPTIONAL] Comma separated list of VM names. If not specified, it will try all. If specified,
                        it will work only with a single subscription and a single resource group provided.
  -o OUTPUT, --output OUTPUT
                        JSON output file with results.

Contributors

  • Marco Simioni
  • Francesco Vigo
  • Giordano Bianchi

DISCLAIMER

The Software and code samples available on this repository are provided "as is" without warranty of any kind, either express or implied. Use at your own risk.

Owner
Marco Simioni
Marco Simioni
Passphrase-wordlist - Shameless clone of passphrase wordlist

This repository is NOT official -- the original repository is located on GitLab

Jeff McJunkin 2 Feb 05, 2022
The disassembler parses evm bytecode from the command line or from a file.

EVM Bytecode Disassembler The disassembler parses evm bytecode from the command line or from a file. It does not matter whether the bytecode is prefix

alpharush 22 Dec 27, 2022
Generates password lists/dictionaries based on keywords written in python3.

dicbyru Introduction Generates password lists/dictionaries based on keywords. It uses the keywords and adds capital letters, numbers and special chara

ru55o 2 Oct 31, 2022
Scan all java processes on your host to check weather it's affected by log4j2 remote code execution

Log4j2 Vulnerability Local Scanner (CVE-2021-45046) Log4j 漏洞本地检测脚本,扫描主机上所有java进程,检测是否引入了有漏洞的log4j-core jar包,是否可能遭到远程代码执行攻击(CVE-2021-45046)。上传扫描报告到指定的服

86 Dec 09, 2022
Solución al reto BBVA Contigo, Hack BBVA 2021

Solution Solución propuesta para el reto BBVA Contigo del Hackathon BBVA 2021. Equipo Mexdapy. Integrantes: David Pedroza Segoviano Regina Priscila Ba

Gabriel Missael Barco 2 Dec 06, 2021
CVE-2021-26084 Remote Code Execution on Confluence Servers

CVE-2021-26084 CVE-2021-26084 Remote Code Execution on Confluence Servers. Dork Fofa: app="ATLASSIAN-Confluence" Usage Show help information. python P

FQ Hsu 63 Dec 30, 2022
An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several useful utilites to change the configuration of the device.

TMOHS1 Root Utility Description An interactive python script that enables root access on the T-Mobile (Wingtech) TMOHS1, as well as providing several

40 Dec 29, 2022
🔎 Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.

🔎 Most Advanced Open Source Intelligence (OSINT) Framework for scanning IP Address, Emails, Websites, Organizations.

BhavKaran 1.5k Dec 28, 2022
A OSINT tool coded in python

Argus Welcome to Argus, a OSINT tool coded in python. Disclaimer I Am not responsible what you do with the information that is given to you by my tool

Aidan 2 Mar 20, 2022
A python script to bypass 403-forbidden.

4nought3 A python script to bypass 403-forbidden. It covers methods like Host-Header Injections, Changing HTTP Requests Methods and URL-Injections. Us

11 Aug 27, 2022
Find vulnerable Log4j2 versions on disk and also inside Java Archive Files (Log4Shell CVE-2021-44228)

log4j-finder A Python3 script to scan the filesystem to find Log4j2 that is vulnerable to Log4Shell (CVE-2021-44228) It scans recursively both on disk

Fox-IT 431 Dec 22, 2022
POC for detecting the Log4Shell (Log4J RCE) vulnerability

Interactsh An OOB interaction gathering server and client library Features • Usage • Interactsh Client • Interactsh Server • Interactsh Integration •

ProjectDiscovery 2.1k Jan 08, 2023
Cracker - Tools CRACK FACEBOOK DAN INSTAGRAM DENGAN FITUR BANYAK

CLOME TO TOOLS ME 😁 FITUR TOOLS RESULTS INSTALASI ____/-- INSTALLASI /+/+/+/ t

Jeeck X Nano 3 Jan 08, 2022
Metasploit Multi Purpose Exploiting Toolkit For Termux

MSF-EXPLOIT MSF-ANDRO is a Metasploit Multi Purpose Exploiting Toolkit For Termux . Only a Basic Script , Still in Development . FEATURES : Install Me

Mr.X 22 Dec 29, 2022
Security System using OpenCV

Security-System Security System using OpenCV Files in this Repository: email_send.py - This file contains python code to send an email when something

Mehul Patwari 1 Oct 28, 2021
AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not

AmiEviL - This program uses the Virus Total API to determine if your suspicious file is malicious or not. The program requests the hash of the file and outputs information (if any). This version will

Kirk 1 Jan 03, 2022
Monty Hall Problem simulation written in Python.

Monty Hall Problem Simulation monty_hall_sim is a brute-force method of determining the optimal strategy for the Monty Hall Problem. Usage Set boolean

Xavier D 1 Aug 29, 2022
Whois-Python - Get Whois Domain with Python GUI

Whois-Python-GUI Get Whois Domain with Python - GUI :) WARNING Dont Copy ! - W

MR.D3F417 3 Feb 21, 2022
Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr

Files related to PoC||GTFO 21:21 - NSA’s Backdoor of the PX1000-Cr 64bit2key.py

Stefan Marsiske 15 Nov 26, 2022
Hikvision 流媒体管理服务器敏感信息泄漏

Hikvisioninformation Hikvision 流媒体管理服务器敏感信息泄漏 Options optional arguments: -h, --help show this help message and exit -u url, --url url

Henry4E36 13 Nov 09, 2022