EMC Secure Remote Services Virtual Edition Command Injection

Related Vulnerabilities: CVE-2015-0525  
Publish Date: 20 Mar 2015
Author: Han Sahin

------------------------------------------------------------------------
Command injection vulnerability in EMC Secure Remote Services Virtual
Edition
------------------------------------------------------------------------
Han Sahin, November 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A command injection vulnerability was found in EMC Secure Remote
Services Virtual Edition (ESRS VE) that allows an attacker to execute
arbitrary system commands and take full control over ESRS VE.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
EMC reports that the following versions are affected by this
vulnerability:

- EMC Secure Remote Services Virtual Edition 3.02
- EMC Secure Remote Services Virtual Edition 3.03

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- CVE-2015-0525
- ESA-2015-040: EMC Secure Remote Services Virtual Edition Security
Update for Multiple Vulnerabilities

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
EMC released EMC Secure Remote Services Virtual Edition 3.04 that
resolves this vulnerability. Registered EMC Online Support customers can
download patches and software from support.emc.com at:

EMC Secure Remote Services -> EMC Secure Remote Services Virtual Edition
-> Downloads

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20141112/command_injection_vulnerability_in_emc_secure_remote_services_virtual_edition.html

The command injection vulnerability exists in the PVSServiceImpl class of the Provisioning component. In particular, the serialno argument is not validated and is used insecurely to construct a system command. An attacker can supply a specially crafted value as serialno, which results in arbitrary commands being executed.

com/emc/esrs/provisioning/service/PVSServiceImpl.java:

private void copyCertstoDir(String serialno)
   throws IOException
{
   try
   {
      String[] cmd_exec = new String[4];
      String s = null;

      // serialno is concatenated into each command string without any validation
      cmd_exec[0] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmers " + (String)this.configurations.get("gw.dir"));
      cmd_exec[1] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/wgcmersgw " + (String)this.configurations.get("gw.dir"));
      cmd_exec[2] = ("/bin/cp " + (String)this.configurations.get("provclient.session.directory") + "/session-" + serialno + "/Temp1/Gateway/xgDeployConfig.xml " + (String)this.configurations.get("gw.dir"));
      cmd_exec[3] = ((String)this.configurations.get("provclient.datfile.generation") + " -generateDat");

      for (String cmd : cmd_exec) {
         this.logger.debug("Copy Certs to Dir:" + cmd);
         Process p_exec = Runtime.getRuntime().exec(cmd);
         BufferedReader stdInput2 = new BufferedReader(new InputStreamReader(p_exec.getInputStream()));
         BufferedReader stdError2 = new BufferedReader(new InputStreamReader(p_exec.getErrorStream()));
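
One way to harden the copy step shown above, as an added example that is not EMC's fix and not code from the advisory: the serial number is checked against an allow-list pattern and the files are copied with java.nio instead of spawning /bin/cp. The class name SafeCertCopy, the serial-number pattern and the sample file layout are assumptions; the configuration keys and relative file paths come from the excerpt.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.Map;
import java.util.regex.Pattern;

public class SafeCertCopy {
    // Assumption: serial numbers are short alphanumeric tokens; adjust to the real format.
    private static final Pattern SERIAL = Pattern.compile("[A-Za-z0-9]{1,32}");
    // Relative paths taken from the cp commands in the excerpt above.
    private static final String[] FILES = {
        "Temp1/wgcmers", "Temp1/wgcmersgw", "Temp1/Gateway/xgDeployConfig.xml" };

    static void copyCertsToDir(Map<String, String> cfg, String serialno) throws IOException {
        if (serialno == null || !SERIAL.matcher(serialno).matches())
            throw new IllegalArgumentException("invalid serial number");
        Path base = Paths.get(cfg.get("provclient.session.directory")).toRealPath();
        Path session = base.resolve("session-" + serialno).normalize();
        if (!session.startsWith(base))   // defence in depth against path traversal
            throw new IllegalArgumentException("session path escapes base directory");
        Path gwDir = Paths.get(cfg.get("gw.dir"));
        for (String rel : FILES) {
            Path src = session.resolve(rel);
            // No process is spawned, so the input never reaches a command line.
            Files.copy(src, gwDir.resolve(src.getFileName()), StandardCopyOption.REPLACE_EXISTING);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in temporary directories.
        Path base = Files.createTempDirectory("sessions");
        Path gw = Files.createTempDirectory("gw");
        Path gateway = Files.createDirectories(base.resolve("session-SN12345/Temp1/Gateway"));
        Files.write(base.resolve("session-SN12345/Temp1/wgcmers"), new byte[] {1});
        Files.write(base.resolve("session-SN12345/Temp1/wgcmersgw"), new byte[] {2});
        Files.write(gateway.resolve("xgDeployConfig.xml"), "<cfg/>".getBytes());
        Map<String, String> cfg = Map.of(
            "provclient.session.directory", base.toString(), "gw.dir", gw.toString());

        copyCertsToDir(cfg, "SN12345");
        System.out.println("copied files: " + gw.toFile().list().length);
        try {
            copyCertsToDir(cfg, "SN12345 extra-token");   // whitespace is outside the allow-list
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The fourth command in the excerpt (the -generateDat call) does not include serialno. Where an external program must still be run, pass its arguments as a list to ProcessBuilder rather than as one concatenated string.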