5985,5986 - Pentesting OMI
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
OMI is presented as an tool by Microsoft, designed for remote configuration management. It's particularly relevant for Linux servers on Azure that utilize services such as:
Azure Automation
Azure Automatic Update
Azure Operations Management Suite
Azure Log Analytics
Azure Configuration Management
Azure Diagnostics
The process omiengine
is initiated and listens on all interfaces as root when these services are activated.
Default ports used are 5985 (http) and 5986 (https).
As observed on September 16, Linux servers deployed in Azure with the mentioned services are susceptible due to a vulnerable version of OMI. This vulnerability lies in the OMI server's handling of messages through the /wsman
endpoint without requiring an Authentication header, incorrectly authorizing the client.
An attacker can exploit this by sending an "ExecuteShellCommand" SOAP payload without an Authentication header, compelling the server to execute commands with root privileges.
For a more information about this CVE .
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.