EMC Secure Remote Services Virtual Edition Command Injection

`------------------------------------------------------------------------  
Command injection vulnerability in EMC Secure Remote Services Virtual  
Edition  
------------------------------------------------------------------------  
Han Sahin, November 2014  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
A command injection vulnerability was found in EMC Secure Remote  
Services Virtual Edition (ESRS VE) that allows an attacker to execute  
arbitrary system commands and take full control over ESRS VE.  
  
------------------------------------------------------------------------  
Affected versions  
------------------------------------------------------------------------  
EMC reports that the following versions are affected by this  
vulnerability:  
  
- EMC Secure Remote Services Virtual Edition 3.02  
- EMC Secure Remote Services Virtual Edition 3.03  
  
------------------------------------------------------------------------  
See also  
------------------------------------------------------------------------  
- CVE-2015-0525  
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security  
Update for Multiple Vulnerabilities  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
EMC released EMC Secure Remote Services Virtual Edition 3.04 that  
resolves this vulnerability. Registered EMC Online Support customers can  
download patches and software from support.emc.com at:  
  
EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition  
-> Downloads  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html  
  
The command injection vulnerability exists in the PVSServiceImpl class of the Provisioning component. In particular, the serialno argument is not validated and used insecurely to construct a system command. An attacker can supply a specially crafted value as serialno, which results in arbitrary commands being executed.  
  
com/emc/esrs/provisioning/service/PVSServiceImpl.java:  
  
private void copyCertstoDir(String serialno)  
throws IOException  
{  
try  
{  
String[] cmd_exec = new String[4];  
String s = null;  
  
cmd_exec[0] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmers " + (String)this.configurations.get("gw.dir"));  
cmd_exec[1] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmersgw " + (String)this.configurations.get("gw.dir"));  
cmd_exec[2] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/Gateway/xgDeployConfig.xml " + (String)this.configurations.get("gw.dir"));  
cmd_exec[3] = ((String)this.configurations.get("provclient.datfile.generation") + " -generateDat");  
  
for (String cmd : cmd_exec) {  
this.logger.debug("Copy Certs to Dir:" + cmd);  
Process p_exec = Runtime.getRuntime().exec(cmd);  
BufferedReader stdInput2 = new BufferedReader(new InputStreamReader(p_exec.getInputStream()));  
BufferedReader stdError2 = new BufferedReader(new InputStreamReader(p_exec.getErrorStream()));  
`