Zero Day Initiative - Blog

Three More Bugs in Orion’s Belt

In a recent blog post, we showed how certain endpoints in the SolarWinds Orion platform were accessible to low-privileged users and could be exploited to achieve remote code execution. We also showed how authentication could be bypassed altogether using CVE-2020-10148. In this blog post, we discuss three other vulnerabilities submitted by an anonymous researcher which, when chained with a privilege escalation bug, could be exploited by a guest user. This will be a brief blog post due to the simplicity of the aforementioned bugs.

Privileges

In the previous blog post, we briefly discussed privileges in the SolarWinds Orion platform. One of the predefined roles is the guest account, which requires no password and has no assigned privileges by default. Although this account is disabled by default, it is fair to assume that some deployments may have the guest account enabled.


CVE-2020-27870: Directory Traversal leading to arbitrary file read

The endpoint /orion/ExportToPDF.aspx converts HTML to PDF, but it fails to check whether the HTML contains references to local files. Furthermore, the guest user account can access this endpoint. By supplying HTML that contains references to local files, it is possible to read arbitrary files on the server in the context of SYSTEM.

For example, the following request can be used to retrieve the contents of C:\Windows\system32\drivers\etc\hosts:

A PDF containing the disclosed file contents can then be retrieved as follows:
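The defensive counterpart to the flaw above is a gate in front of the converter that refuses any document referencing the local file system. The following is an added example, not SolarWinds code: the attribute list, the allowed-scheme set, the `export_to_pdf()` wrapper and the sample documents are assumptions constructed for illustration.

```python
"""Refuse to convert HTML that references local files (added illustration)."""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make an HTML-to-PDF converter fetch another resource (assumed list).
URL_ATTRIBUTES = {"src", "href", "data", "background", "poster"}
ALLOWED_SCHEMES = {"http", "https"}                # assumption: only web fetches are legitimate
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
WINDOWS_PATH = re.compile(r"^(?:[a-zA-Z]:|\\\\)")  # drive letter (C:...) or UNC (\\host\share)


def is_local_reference(ref: str) -> bool:
    """True when `ref` could make the converter read from the local disk."""
    ref = ref.strip()
    if not ref:
        return False
    if WINDOWS_PATH.match(ref):                    # C:\..., \\server\share\...
        return True
    parts = urlsplit(ref)
    if parts.scheme:                               # file:, res:, and any other non-web scheme
        return parts.scheme.lower() not in ALLOWED_SCHEMES
    # Scheme-less: absolute paths and parent traversal resolve against the local disk.
    segments = ref.replace("\\", "/").split("/")
    return ref.startswith(("/", "\\")) or ".." in segments


class LocalReferenceFinder(HTMLParser):
    """Collects every attribute or CSS url() that points at a local file."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str, str]] = []
        self._in_style = False

    def _check(self, tag: str, attr: str, ref: str) -> None:
        if is_local_reference(ref):
            self.findings.append((tag, attr, ref))

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:                  # HTMLParser lower-cases names for us
            if value is None:
                continue
            if name in URL_ATTRIBUTES:
                self._check(tag, name, value)
            elif name == "style":                  # inline CSS: background: url(...)
                for url in CSS_URL.findall(value):
                    self._check(tag, "style", url)

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:                         # <style> blocks: url(...) / @import
            for url in CSS_URL.findall(data):
                self._check("style", "url()", url)


def find_local_references(html: str) -> list[tuple[str, str, str]]:
    finder = LocalReferenceFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def export_to_pdf(html: str, convert) -> bytes:
    """Reject the whole document rather than silently stripping references,
    so a rejected request shows up in the application log."""
    findings = find_local_references(html)
    if findings:
        raise ValueError(f"HTML references local files: {findings}")
    return convert(html)


# Constructed sample documents (not from the original post).
SUSPECT_HTML = """<html><body>
<img src="https://example.com/logo.png">
<iframe src="file:///C:/Windows/system32/drivers/etc/hosts"></iframe>
<link rel="stylesheet" href="\\\\fileserver\\share\\print.css">
<div style="background: url(../../config.xml)"></div>
</body></html>"""
CLEAN_HTML = ('<html><body><img src="https://example.com/logo.png">'
              '<a href="https://example.com/report">report</a></body></html>')
```

`is_local_reference()` treats anything that is not an explicit `http`/`https` fetch as local: a bare relative path, a UNC path, a drive letter, or a scheme such as `file:`. That is deliberately strict for a server-side converter, which has no legitimate reason to follow anything else.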

CVE-2020-27871: Directory Traversal leading to arbitrary file upload

Orion allows the installation of various modules, with each module capable of performing a specific network monitoring and management function. One such module is the Network Configuration Manager (NCM) module. Where this module is installed, there is an arbitrary file upload vulnerability that could be leveraged for remote code execution. The root cause of this vulnerability is illustrated in the following code snippet:

As shown, the NCM module has a firmware vulnerability management feature that downloads a ZIP file containing JSON files from an external website. By default, it downloads from https://nvd.nist.gov, but this default can be overridden. It then automatically extracts the contents of the .zip archive. It checks neither the file extensions of the extracted files nor the path each file is written to, so an archive entry can be written anywhere on the file system. Files are extracted and written in the context of SYSTEM.

This flaw can be easily exploited. For example, by issuing the following request, it is possible to upload an arbitrary ASPX file to the www directory:

This vulnerability has one caveat in that it can only be exploited by an Admin user. However, this requirement can be bypassed by the vulnerability we will discuss next.
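A safe version of the extraction step validates every archive entry before writing anything: the entry must resolve strictly inside the destination directory and must carry an expected extension. The block below is an added example, not the NCM module's code; the destination directory, the `.json` allowlist and the constructed archives are assumptions.

```python
"""Extract a downloaded feed archive without path traversal (added illustration)."""
from __future__ import annotations

import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

ALLOWED_SUFFIXES = {".json"}   # assumption: the feed is JSON, so nothing else is expected


class UnsafeArchiveMember(ValueError):
    """An entry that would land outside the destination or has an unexpected type."""


def safe_member_target(dest, member_name: str) -> Path:
    """Map an archive entry name to a path strictly inside `dest`, or raise."""
    dest = Path(dest).resolve()
    # Entries written on Windows may carry backslashes; normalise before checking.
    rel = PurePosixPath(member_name.replace("\\", "/"))
    if rel.is_absolute() or ".." in rel.parts or any(":" in p for p in rel.parts):
        raise UnsafeArchiveMember(f"path escapes destination: {member_name!r}")
    target = (dest / rel).resolve()
    if dest not in target.parents:             # second check after resolve() (symlinks etc.)
        raise UnsafeArchiveMember(f"path escapes destination: {member_name!r}")
    if target.suffix.lower() not in ALLOWED_SUFFIXES:
        raise UnsafeArchiveMember(f"unexpected file type: {member_name!r}")
    return target


def is_member_allowed(dest, member_name: str) -> bool:
    try:
        safe_member_target(dest, member_name)
        return True
    except UnsafeArchiveMember:
        return False


def extract_feed(zip_bytes: bytes, dest) -> list[str]:
    """Validate every entry first, then write; one bad entry rejects the whole archive."""
    dest = Path(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [info for info in zf.infolist() if not info.is_dir()]
        targets = [safe_member_target(dest, info.filename) for info in members]
        written = []
        for info, target in zip(members, targets):
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(target.relative_to(dest.resolve()).as_posix())
    return sorted(written)


def build_archive(entries: dict) -> bytes:
    """Build a constructed in-memory archive from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> list[str]:
    """Extract a well-formed constructed feed into a scratch directory."""
    feed = build_archive({"nvdcve-1.1-2020.json": b"{}", "by-year/2019.json": b"[]"})
    with tempfile.TemporaryDirectory() as scratch:
        return extract_feed(feed, Path(scratch) / "feeds")
```

The two-pass structure matters: checking while writing would leave a partially extracted tree behind when the offending entry is the last one, and a later retry would happily write over it.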

ZDI-CAN-11903/ZDI-21-192: Privilege escalation

This vulnerability is present when any of the following SolarWinds Orion platform modules are installed:

- Network Configuration Manager
- Server Configuration Manager
- IP Address Manager

When any one of these products is installed, SolarWinds stores account roles in the WebUserSettings table.


The researcher discovered this table can be modified by a hidden SaveUserSetting endpoint. A guest user can elevate their privileges to Administrator by simply issuing the following request:

Conclusion

This series of blog posts shows that simple bugs and oversights can have severe consequences. Luckily, SolarWinds has addressed all the above vulnerabilities in Orion Platform 2020.2.1 HF2. We highly recommend those running a vulnerable version of this platform to upgrade.

You can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.


Three Bugs in Orion’s Belt: Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform

This blog post details a few recently patched vulnerabilities in the SolarWinds Orion Platform. When combined, these bugs can be exploited by an unauthenticated attacker to execute arbitrary code as Administrator on an affected system. One of these vulnerabilities, CVE-2020-14005, has been linked to the recent SUNBURST cyberattack on SolarWinds. However, the exact details around how, or if, this specific bug was used in the wild are still unclear.

In addition to details of vulnerabilities acquired by ZDI, this blog also contains research from our N-day team about an authentication bypass that allows these bugs to be exploited without authentication. We would like to thank the Trend Micro Security Research team for their efforts in analyzing the technical details of this auth bypass.

Before we get to the details, here’s a quick video showing how CVE-2020-10148 and CVE-2020-14005 can be used in conjunction to achieve remote code execution as Administrator without authentication.

SolarWinds Account Privileges

SolarWinds users can have any one of the following privileges, some of which are more permissive than others:


For example, the Alert Management privilege allows a user to modify or create new alerts. An alert is an automated notification that a network event has occurred.

SolarWinds API

Upon installation, the SolarWinds Orion Platform loads a web-based GUI. The SolarWinds REST API can perform the same actions available in this interface.

The ZDI initially learned about this attack surface through an anonymous researcher who was able to show that a user with Alert Management privileges (henceforth referred to as a non-admin user) can achieve serious side effects on the SolarWinds Orion Platform via the web-based GUI or REST API.

CVE-2020-14005: Command injection and Execution of Arbitrary VBScript

The product allows a non-admin user to specify a path to a VBS script to be executed when an alert is triggered. There is no restriction on VBS files hosted on a remote SMB share. This lets an attacker specify arbitrary VBS scripts for execution.


The execution of the VBS script is handled by the following method:

During the analysis of this case, we noticed the interpreter parameter can be controlled by manipulating the JSON body of the API request. Hence, by specifying cmd.exe instead of WScript.exe, this vulnerability can be exploited as a straightforward command injection:

Another feature available to non-admin users allows the execution of external scripts, which can be exploited in a similar fashion:


The specified script is later executed by the following:

CVE-2020-27869: SQL Injection Privilege Escalation Vulnerability

There is also a SQL injection vulnerability that is reachable by the Configure Action setting (or corresponding API command) by non-admin users.


These requests are handled by the following code:

As shown, if the “Body to POST” contains the string “${SQL:”, the subsequent string will be evaluated as a SQL statement, which results in a SQL injection. This can allow the takeover of the Administrator account by using the following malicious string:

${SQL: SELECT @@version; UPDATE [dbo].[Accounts] SET PasswordHash = 'Yj505tc0oUwHdI1tgBoOtGWvKlGviV7tGGb276YZwyaADa/iyFhg1JHCJF1RwwNfvYiVGXca1AFFJvrIGgNHdQ==' WHERE AccountID = 'admin'; UPDATE [dbo].[Accounts] SET PasswordSalt= '8M4EuLag9Lpl+d9i0GQKDw==' WHERE AccountID = 'admin'}
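The three non-admin inputs discussed in this section and the previous one (the interpreter, the script path and the POST body) all share one fix: validate them server-side before the executor or macro expander ever sees them. The block below is an added example, not SolarWinds code; the JSON field names, the interpreter allowlist, the `SCRIPT_ROOT` location and the sample requests are assumptions.

```python
"""Server-side validation of a non-admin alert action request (added illustration)."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

ALLOWED_INTERPRETERS = {"wscript.exe", "cscript.exe"}                 # assumed: script hosts only
SCRIPT_ROOT = PureWindowsPath(r"C:\ProgramData\SolarWinds\AlertScripts")  # assumed location
SQL_MACRO = re.compile(r"\$\{\s*sql\s*:", re.IGNORECASE)              # the "${SQL:" trigger


def validate_alert_action(payload: dict) -> list[str]:
    """Return rejection reasons; an empty list means the request may proceed."""
    problems: list[str] = []

    # 1. Interpreter: a bare, allowlisted file name. Rejecting any directory component
    #    blocks both cmd.exe and a look-alike wscript.exe placed elsewhere.
    interpreter = PureWindowsPath(str(payload.get("interpreter", "")))
    if (interpreter.name.lower() not in ALLOWED_INTERPRETERS
            or interpreter.parent != PureWindowsPath(".")):
        problems.append(f"interpreter not allowed: {interpreter}")

    # 2. Script path: absolute, local (no UNC share), no traversal, under the managed directory.
    #    PureWindowsPath compares case-insensitively, matching NTFS semantics.
    script = PureWindowsPath(str(payload.get("scriptPath", "")))
    if (script.drive.startswith("\\\\") or not script.is_absolute()
            or ".." in script.parts or SCRIPT_ROOT not in script.parents):
        problems.append(f"script path not under {SCRIPT_ROOT}: {script}")

    # 3. POST body: user text must never reach the macro expander carrying a SQL directive.
    body = str(payload.get("body", ""))
    if SQL_MACRO.search(body):
        problems.append("body contains a ${SQL:} macro")

    return problems


# Constructed requests (not captured traffic).
GOOD_REQUEST = {
    "interpreter": "WScript.exe",
    "scriptPath": r"C:\ProgramData\SolarWinds\AlertScripts\notify.vbs",
    "body": "alert fired",
}
BAD_REQUEST = {
    "interpreter": r"C:\Windows\System32\cmd.exe",
    "scriptPath": r"\\198.51.100.7\share\run.vbs",
    "body": "${SQL: SELECT @@version}",
}
```

The path check uses `PureWindowsPath` rather than string prefix matching so that `..` segments, UNC prefixes and case differences are handled by the path model instead of ad-hoc string tests.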

CVE-2020-10148: Authentication Bypass

While evaluating the patch introduced by Hotfix 2, our N-day team was analyzing another vulnerability that could be used to bypass authentication altogether. This bug was assigned CVE-2020-10148. The application contains logic to bypass authentication when the client is requesting a resource for which no authentication is necessary, such as JavaScript or Cascading Style Sheets (CSS) files. Specifically, authentication is bypassed if the request URL path contains “Skipi18n” or ends with “i18n.ashx”, “WebResource.axd”, or “ScriptResource.axd”.
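The weakness in the rule just described is that it matches on a substring or suffix of the path rather than on the exact handler location. The added example below (not SolarWinds code) puts the loose rule next to an exact-path allowlist and runs both over constructed IIS W3C log lines: any record that only the loose rule would have let through unauthenticated is worth a look. The handler locations in `STATIC_HANDLERS` and the log layout are assumptions.

```python
"""Loose vs. exact static-resource rule, applied to web server logs (added illustration)."""
from __future__ import annotations

from urllib.parse import unquote

# The loose rule as described: substring "skipi18n" anywhere, or one of three suffixes.
BYPASS_SUFFIXES = ("i18n.ashx", "webresource.axd", "scriptresource.axd")

# Hardened rule: the full, normalised path must equal a known handler location.
# Assumed locations; in a real deployment these come from the application's route table.
STATIC_HANDLERS = {"/webresource.axd", "/scriptresource.axd", "/orion/i18n.ashx"}


def normalise_path(path: str) -> str:
    """Decode %XX, collapse duplicate slashes and lower-case (IIS paths are case-insensitive)."""
    decoded = unquote(path)
    while "//" in decoded:
        decoded = decoded.replace("//", "/")
    return decoded.lower()


def loose_skips_auth(path: str) -> bool:
    """The substring/suffix rule described in the post."""
    p = normalise_path(path)
    return "skipi18n" in p or p.endswith(BYPASS_SUFFIXES)


def strict_skips_auth(path: str) -> bool:
    """Exact-match allowlist: a path either is a static handler or it is not."""
    return normalise_path(path) in STATIC_HANDLERS


def parse_w3c(lines):
    """Minimal W3C extended log parser: the #Fields directive names the columns."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_bypass_attempts(lines) -> list[tuple[str, str, str]]:
    """Records the loose rule would pass unauthenticated but the strict rule would not."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if loose_skips_auth(stem) and not strict_skips_auth(stem):
            hits.append((rec.get("c-ip", "?"), stem, rec.get("sc-status", "?")))
    return hits


# Constructed sample log (not a real capture); the paths are placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-20 10:00:01 GET /Orion/Login.aspx - 10.0.0.5 200
2020-12-20 10:00:02 GET /WebResource.axd d=abc123 10.0.0.5 200
2020-12-20 10:00:03 GET /Orion/i18n.ashx - 10.0.0.5 200
2020-12-20 10:00:04 GET /Orion/SomePage.aspx/WebResource.axd - 198.51.100.7 200
2020-12-20 10:00:05 GET /Orion/SkipI18n/SomePage.aspx - 198.51.100.7 200
2020-12-20 10:00:06 GET /Orion/Other.aspx/i18n.ashx - 198.51.100.7 200""".splitlines()
```

The first three records are ordinary traffic and pass both rules identically; the last three differ between the rules, which is exactly the set a detection should surface. Normalising before comparison matters for both rules, since encoded or doubled slashes would otherwise slip past an exact allowlist.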

While these individual bugs may not be severe on their own, when they are chained together, they can allow an attacker to gain unauthenticated remote code execution at the highest level. Finding and fixing these types of bugs helps clear the ecosystem of high-impact bugs – hopefully before they are used by an adversary. Applying the fixes from the vendor shores up your defenses and helps prevent unwanted intrusions into your enterprise.

Conclusion

The SolarWinds Orion Platform is a critical piece of infrastructure within an organization. SolarWinds has released patches to address these and other bugs. You should follow this guidance to ensure your system has the latest security updates. We are glad to be able to contribute to the security of this codebase via the ZDI program. Stay tuned for Part 2 of this blog, which will cover vulnerabilities in other components of the SolarWinds Orion Platform with similar effects.

Until then, you can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.

