Add CVE-2015-2284: Solarwinds Firewall Security Manager 6.6.5 Session Handling Vulnerability #5050
This module exploits multiple problems against Solarwinds Firewall Security Manager 6.6.5. The first one is an authentication bypass due to the improper use of session.putValue, allowing the attacker to set the "username" attribute. The second problem is that the fileUpload action will only check the "username" attribute before authorizing the upload resource, which can be abused to upload a malicious JSP payload, and this will result in arbitrary code execution under the context of SYSTEM.
To prepare for testing
The specific setup I have is this: Windows Server 2008 Enterprise SP2, with Solarwinds FSM 6.6.5 (build 6.6.5-115-20141020, express install). If you no longer have the vulnerable version, you can try my box instead in person.
Testing
use exploit/windows/http/solarwinds_fsm_userlogin
set rhost [IP]
run
Note: The default password to login as admin is "admin", in case you're curious. The exploit does not need to use this though.
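As an added illustration (not code from this PR or from SolarWinds), a minimal Python model of the two flaws the description names: a login handler that copies a request parameter into the session as "username" before any credential check, and an upload handler that authorizes on that attribute alone. A hardened pair beside it gates on a server-set flag written only after the password is verified, and rotates the session at login. All names other than the "username" attribute are hypothetical, and the credential store is constructed for the example.

```python
"""Model of the session-handling flaw: authorization keyed on a client-settable
session attribute. Hypothetical code; not the SolarWinds implementation."""
import hashlib
import hmac

# Constructed credential store (hypothetical): salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"admin": hashlib.sha256(_SALT + b"constructed-pw").hexdigest()}


def _password_ok(username, password):
    expected = _USERS.get(username)
    if expected is None:
        return False
    got = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, got)


class Session(dict):
    """Stand-in for a servlet session; put_value/get_value mirror putValue/getValue."""
    def put_value(self, key, value):
        self[key] = value

    def get_value(self, key):
        return self.get(key)


def vulnerable_userlogin(session, params):
    # Flaw 1: the attribute that later gates authorization is written straight
    # from request input, regardless of whether a password was ever checked.
    session.put_value("username", params.get("username"))


def vulnerable_upload_authorized(session):
    # Flaw 2: presence of "username" is treated as proof of authentication.
    return session.get_value("username") is not None


def hardened_userlogin(session, params):
    # Only a verified login writes the principal; a fresh session object is
    # returned so no attributes set before login carry over.
    user, pw = params.get("username", ""), params.get("password", "")
    if not _password_ok(user, pw):
        return session, False
    fresh = Session()
    fresh.put_value("principal", user)
    fresh.put_value("authenticated", True)
    return fresh, True


def hardened_upload_authorized(session):
    # Authorization reads a server-set flag, never a client-influenced value.
    return session.get_value("authenticated") is True and "principal" in session
```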