Three Code Execution Vulnerabilities in Cisco Hyperflex
Three main vulnerabilities in Cisco Hyperflex: two unauthenticated RCEs and one unauthenticated directory traversal in a file upload, plus two traversal attacks that required authentication.
The first RCE is in the authentication process. To generate the password hash to compare with the contents of the /etc/shadow file, the Golang application generates some Python code, which it passes to python as an argument to -c. In traditional RCE form, there is no sanitization of the password to ensure the attacker cannot break out of the resulting Python code, resulting in a fairly easy command injection.
The second RCE is in the /storfs-asup endpoint, which is handled by a service running on Apache Tomcat. Decompiling the class file, they found that the service ultimately created a command string that would be passed into bash -c, reflecting a couple of request parameters (token and mode) into the command line without sanitization and allowing for a trivial escape and code execution.
There was one trick of note here though: the storfs-asup service is only available if port 80 is exposed, so an HTTPS-only service wouldn't expose it. However, /crossdomain.xml gets proxied to the same Tomcat instance, so a Tomcat trick is to use /crossdomain.xml/..;/storfs-asup/ to reach the otherwise blocked-off endpoint.
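Both RCEs come from the same mistake: splicing request data into source text that is then handed to an interpreter (python -c in the first, bash -c in the second). As an added example, not HyperFlex's code, the Go below shows the injectable shape beside a hardened version that keeps the Python script constant and passes the password on stdin, so no input can change the code; the function names, the script and the assumption of a python3 with the crypt module are mine.

```go
package main

import (
	"bytes"
	"fmt"
	"os/exec"
	"strings"
)

// hashScript is a fixed Python program (assumption: python3 with the crypt
// module). It reads the password from stdin and takes the salt from argv,
// so user data is never part of the code passed to -c.
const hashScript = `import sys, crypt
pw = sys.stdin.read()
print(crypt.crypt(pw, sys.argv[1]))`

// buildInjectableScript mirrors the vulnerable pattern from the write-up:
// the password is formatted straight into the Python source. Any quote or
// newline in the password changes the structure of the program.
func buildInjectableScript(password, salt string) string {
	return fmt.Sprintf("import crypt; print(crypt.crypt('%s', '%s'))", password, salt)
}

// buildSafeCommand is the hardened form: argv is an array (no shell), the
// script is a constant, the salt is its own argv element and the password
// travels over stdin. The same argv-not-string rule fixes the bash -c case.
func buildSafeCommand(password, salt string) *exec.Cmd {
	cmd := exec.Command("python3", "-c", hashScript, salt)
	cmd.Stdin = bytes.NewBufferString(password)
	return cmd
}

// codeContainsInput is a review-time check: does the code handed to -c
// (Args[2]) contain the raw password? For the hardened form it never does.
func codeContainsInput(cmd *exec.Cmd, password string) bool {
	return strings.Contains(cmd.Args[2], password)
}

func main() {
	// Constructed sample: a legitimate-looking password containing an apostrophe.
	pw, salt := "O'Brien", "$6$constructedsalt"
	fmt.Println("injectable:", buildInjectableScript(pw, salt))
	fmt.Println("hardened code contains input:", codeContainsInput(buildSafeCommand(pw, salt), pw))
}
```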
The third vulnerability is a file upload endpoint, /upload, which was vulnerable to directory traversal and was also accessible without authentication.
There were also two similar traversal vulnerabilities in two authenticated endpoints, which resulted in file writes as root. These bugs were not accepted by Cisco though, as they would require knowledge of the same credentials used to SSH onto the machine.