| Title | Xorux 2.41 Remote Command Injection through File Upload |
|---|
| Description | A Remote Command Injection vulnerability was discovered in the xorux lpar2rrd and stor2rrd applications via the “Tool upgrade” functionality. The application does not correctly verify for the integrity of the upgrade package version, before processing it.
As a result official upgrade version packages can be modified to inject arbitrary bash script which will be executed by the underlying system. It is possible to achieve this by
• modifying the values in the file “files.SUM “, which are used as integrity control by the application; and
• injecting malicious code in the upgrade.sh file.
The following steps can be followed to trigger the issue:
• Logging to the administration panel;
• Browsing to the “Tool Upgrade” page;
• Uploading the modified package; and
Once uploaded the application will valid the file and the underlying system will run the commands.
This issue was demonstrated on the last VM Xorux-2.41 of lpar2rrd/stor2rrd available, with lpar2rrd 6.11 and stor2rrd 2.61 at the time of this writing via the following links:
• https://www.lpar2rrd.com/download-xorux.htm?4.0
• https://www.stor2rrd.com/download-xorux.htm?1.1
As a result, any server hosting the application is vulnerable to Remote Command Injection.
Sample modified package exploits to upload:
https://justashadow.com/2exploit_linux/lpar2rrd-6.02.tar |
|---|
| Source | ⚠️ https://justashadow.com/2exploit_linux/xorux_remote_command_execution.html |
|---|
| User | gotenigatien (UID 6205) |
|---|
| Submission | 11/07/2019 15:54 (7 years ago) |
|---|
| Moderation | 11/07/2019 19:41 (4 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 145176 [Xorux 2.41 lpar2rrd/stor2rrd os command injection] |
|---|
| Points | 20 |
|---|