There is a Remote Command Injection in the xorux lpar2rrd and stor2rrd applications via the “Tool upgrade” functionality. The application does not correctly verify for the integrity of the upgrade package version, before processing it. As a result official upgrade version packages can be modified to inject arbitrary bash script which will be executed by the underlying system. It is possible to achieve this by • modifying the values in the file “files.SUM “, which are used as integrity control by the application; and • injecting malicious code in the upgrade.sh file.
The following steps can be followed to trigger the issue: • Logging to the administration panel; • Browsing to the “Tool Upgrade” page; • Uploading the modified package; and Once uploaded the application will valid the file and the underlying system will run the commands.
This issue was demonstrated on the last VM Xorux-2.41 of lpar2rrd/stor2rrd available, with lpar2rrd 6.11 and stor2rrd 2.61 at the time of this writing available via the following links: • https://www.lpar2rrd.com/download-xorux.htm?4.0 • https://www.stor2rrd.com/download-xorux.htm?1.1
As a result, any server hosting the application is vulnerable to Remote Command Injection.
A sample payload exploit via the following link http://justashadow.com/2exploit_linux/lpar2rrd-6.02.tar