OMIGOD! OM I GOOD? A free scanner to detect VMs vulnerable to one of the

Overview

omigood (OM I GOOD?)

This repository contains a free scanner to detect VMs vulnerable to one of the "OMIGOD" vulnerabilities discovered by Wiz's threat research team, specifically CVE-2021-38647.

Original blog post from Wiz: https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure

Overview

The scanner requires Azure credentials to connect to Azure APIs and, given a subscription and a resource group (or by default it will scan all the available ones), retrieves the list of Linux VMs and reports whether the machine might be vulnerable.

Also make sure to check out Microsoft's own tool for this purpose: https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck

Authentication

To authenticate against Azure APIs, both azure cli (default) and Interactive Browser authentication are supported, check the --auth command line parameter.

Performed checks

There isn't a straightforward way to determine whether your machines are vulnerable to OMI without running commands on the Linux machine itself, which is supported through Azure APIs using the RunShellScript command through an extension. Microsoft's own tool (https://github.com/microsoft/OMS-Agent-for-Linux/tree/master/tools/OMIcheck) uses this approach as well.

It's worth noting that, even if the VM is vulnerable, it might not be exposing the OMI server via HTTP/HTTPS (which is the default) and, even if it does, those ports might be blocked by Azure's Network Security Groups, hence not reachable. This is not a reason to avoid patching but, if you have a lot of vulnerable Linux VMs, it might be useful to know which ones are more exposed and prioritize your efforts.

omigood follows this more comprehensive approach and will produce a JSON output with a number of checks that you can trigger through command line options in order to determine your attack surface.

These are the checks performed by omigood:

  • Check against Azure API if the VM is running Linux
  • Check against Azure API if the VM is running the OMSAgentForLinux extension, which is a good hint on whether the machine might be running OMI as well.
  • Check against Azure API the version of the OMS Agent, as it is often correlated to the OMI version. This check can be performed without running any script on the VM. OMS Agent should be at least version 1.13.40. You can check out the script we run here.
  • Check against Azure API the Network Security Groups of the VM, and determine (using a very simple algorithm that can trigger false positives) whether the OMI server ports might be open.
  • Check against Azure API the Effective Network Security Groups of the VM (combination of network interface and subnet) and determine whether the OMI server ports might be open. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -e command line option.
  • Use the Azure API to run a simple bash script on the VM that determines whether the OMI server is running, its version and whether it's exposed only on UNIX socket (default) or also TCP. This check is optional as it requires the VM to be running, higher API privileges and it takes more time to run. Enable it with the -r command line option. Use at your own risk!
  • Try to attack the machine's public IP running the /usr/bin/id command. This check is optional as it involves trying to exploit the VM. Enable it with the -a command line option. Use it only on targets that you are authorized to test. Use it at your own risk!

Output

The generated JSON output file contains all the information on the scanned VMs: IDs, operating system, network security groups, power state, etc.

The flags ('YES'/'NO') that are relevant for the checks are:

  • check_oms_extension: YES if OMS Agent Extension is found on the VM.
  • check_oms_vulnerable: YES if OMS Agent Extension version is lower than 1.13.40.
  • check_permissive_rules: YES if Network Security Group rules seem to permit connections to OMI ports.
  • check_permissive_effective_rules: YES if Effective Security rules seem to permit connections to OMI ports. Only with -e command line option.
  • check_omi_vulnerable: YES if OMI server version was retrieved via script and determined to be lower than 1.6.8-1. Only with -r command line option.
  • check_omi_listening_on_tcp: YES if OMI server status was retrieved via script and determined to be listening on TCP and not only UNIX sockets. Only with -r command line option.
  • check_attack_successful: YES if the attack on the VM's Public IP was successful. Only with -r command line option.

Usage

usage: omigood_scanner.py [-h] [-v] [--auth {azurecli,interactivebrowser}] [-r] [-a] [-e] [-s SUBSCRIPTIONS]
                          [-g RESOURCEGROUPS] [-m VMS] -o OUTPUT

OMIGood scanner for CVE-2021-38647

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         [OPTIONAL] Verbose mode: Displays additional debug details.
  --auth {azurecli,interactivebrowser}
                        Authentication mode. Default: azurecli.
  -r, --runscript       [OPTIONAL] Run Script. Runs bash script on target VMs to check for OMI server, agent and
                        version. Disabled by default. Use at your own risk.
  -a, --attack          [OPTIONAL] Try to attack the host. Disabled by default. Use at your own risk.
  -e, --effective       [OPTIONAL] Check Effective Security Rules. Disabled by default. Requires higher permissions on
                        Azure.
  -s SUBSCRIPTIONS, --subscriptions SUBSCRIPTIONS
                        [OPTIONAL] Comma separate list of subscriptions IDs. If not specified, it will try all.
  -g RESOURCEGROUPS, --resourcegroups RESOURCEGROUPS
                        [OPTIONAL] Comma separated list of Resource Group names. If not specified, it will try all. If
                        specified, it will work only with a single subscription provided.
  -m VMS, --vms VMS     [OPTIONAL] Comma separated list of VM names. If not specified, it will try all. If specified,
                        it will work only with a single subscription and a single resource group provided.
  -o OUTPUT, --output OUTPUT
                        JSON output file with results.

Contributors

  • Marco Simioni
  • Francesco Vigo
  • Giordano Bianchi

DISCLAIMER

The Software and code samples available on this repository are provided "as is" without warranty of any kind, either express or implied. Use at your own risk.

Owner
Marco Simioni
Marco Simioni
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
This tool ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information that allows them to know in advance if this library complies with processes.

This tool gives developers, researchers and companies the ability to analyze software packages of different programming languages that are being or will be used in their codes, providing information

Telefónica 66 Nov 08, 2022
com_media allowed paths that are not intended for image uploads to RCE

CVE-2021-23132 com_media allowed paths that are not intended for image uploads to RCE. CVE-2020-24597 Directory traversal in com_media to RCE Two CVEs

KIEN HOANG 67 Nov 09, 2022
Automated tool to exploit basic buffer overflow remotely and locally & x32 and x64

Automated tool to exploit basic buffer overflow (remotely or locally) & (x32 or x64)

5 Oct 09, 2022
This program will brute force any Instagram account you send it its way given a list of proxies.

Instagram Bruter This program will brute force any Instagram account you send it its way given a list of proxies. NOTICE I'm no longer maintaining thi

1 Nov 15, 2021
'Our Drowsinessdetector detects drivers eyes if they are closed for more than 2 seconds and alerts driver'

Data analysis Document here the project: DriverDrowsinessDetector Description: Project Description Data Source: Type of analysis: Please document the

3 Jul 03, 2022
Cam-Hacker: Ip Cameras hack with python

Cam-Hacker Hack Cameras Mode Of Execution: apt-get install python3 apt-get insta

Error 4 You 9 Dec 17, 2022
PasswordManager is a command-line program that helps you manage your secret files like passwords

PasswordManager is a command-line program that helps you manage your secret files like passwords. It's very minimalistic and easy to use.

Michael 3 Dec 30, 2021
Password List Maker

Red-Key Red-Key Password List Maker Version 1.1.2 Created By FireKing255 -=Features=- Create Random Password List Create Password List Create Password

FireKing255 7 Dec 26, 2021
Acc-Data-Gen - Allows you to generate a password, e-mail & token for your Minecraft Account

Acc-Data-Gen Allows you to generate a password, e-mail & token for your Minecraft Account How to use the generator: Move all the files in a single dir

KarmaBait 2 May 16, 2022
A simple linux keylogger project.

The project This project is a simple linux keylogger. When activated, it registers all the actions made with the keyboard. The log files are registere

1 Oct 24, 2021
Virus-Builder - This tool will generate a virus that can only destroy Windows computer

Virus-Builder - This tool will generate a virus that can only destroy Windows computer. You can also configure to auto run in usb drive

Saad 16 Dec 30, 2022
Use FOFA automatic vulnerability scanning tool

AutoSRC Use FOFA automatic vulnerability scanning tool Usage python3 autosrc.py -e FOFA EMAIL -k TOKEN Screenshots License MIT Dev 6613GitHub6613

PwnWiki 48 Oct 25, 2022
Security offerings for AWS Control Tower

Caylent Security Catalyst Reference Architecture Examples This repository contains solutions for Caylent's Security Catalyst. The Security Catalyst is

Steven Connolly 1 Oct 22, 2021
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

Cycurity 39 Dec 10, 2022
Malware Configuration And Payload Extraction

CAPE: Malware Configuration And Payload Extraction CAPE is a malware sandbox. It is derived from Cuckoo and is designed to automate the process of mal

Kevin O'Reilly 1k Dec 30, 2022
CVE-2021-45232-RCE-多线程批量漏洞检测

CVE-2021-45232-RCE CVE-2021-45232-RCE-多线程批量漏洞检测 FOFA 查询 title="Apache APISIX Das

孤桜懶契 36 Sep 21, 2022
🐝 ℹ️ Honeybee extension for export to IES-VE gem file format

honeybee-ies Honeybee extension for export a HBJSON file to IES-VE GEM file format Installation pip install honeybee-ies QuickStart import pathlib fro

Ladybug Tools 4 Jul 12, 2022
CC CAMERA HACKING TOOL

CAM-HACK CC CAMERA HACKING TOOL Installation On Termux $ apt update

Aryan 10 Sep 25, 2022