Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time

Xorux-critical-vulnerability CVE-2019-19041


Xorux Lpar2rrd Stor2rrd Remote Command Execution through File Upload (CVE-2019-19041)

Gatien Goteni - BSI Group, 2019


There is a Remote Command Injection in the xorux lpar2rrd and stor2rrd applications via the “Tool upgrade” functionality. The application does not correctly verify for the integrity of the upgrade package version, before processing it. As a result official upgrade version packages can be modified to inject arbitrary bash script which will be executed by the underlying system. It is possible to achieve this by • modifying the values in the file “files.SUM “, which are used as integrity control by the application; and • injecting malicious code in the upgrade.sh file.


The following steps can be followed to trigger the issue: • Logging to the administration panel; • Browsing to the “Tool Upgrade” page; • Uploading the modified package; and Once uploaded the application will valid the file and the underlying system will run the commands.


This issue was demonstrated on the last VM Xorux-2.41 of lpar2rrd/stor2rrd available, with lpar2rrd 6.11 and stor2rrd 2.61 at the time of this writing available via the following links: • https://www.lpar2rrd.com/download-xorux.htm?4.0https://www.stor2rrd.com/download-xorux.htm?1.1

As a result, any server hosting the application is vulnerable to Remote Command Injection.


A sample payload exploit via the following link http://justashadow.com/2exploit_linux/lpar2rrd-6.02.tar