
🕵️ Three Bugs in Orion’s Belt: Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform


News section: 🕵️ Hacking
🔗 Source: thezdi.com

This blog post details a few recently patched vulnerabilities in the SolarWinds Orion Platform. When combined, these bugs can be exploited by an unauthenticated attacker to execute arbitrary code as Administrator on an affected system. One of these vulnerabilities, CVE-2020-14005, has been linked to the recent SUNBURST cyberattack on SolarWinds. However, the exact details around how, or if, this specific bug was used in the wild are still unclear.

In addition to details of vulnerabilities acquired by ZDI, this blog also contains research from our N-day team about an authentication bypass that allows these bugs to be exploited without authentication. We would like to thank the Trend Micro Security Research team for their efforts in analyzing the technical details of this auth bypass. 

Before we get to the details, here’s a quick video showing how CVE-2020-10148 and CVE-2020-14005 can be used in conjunction to achieve remote code execution as Administrator without authentication.

SolarWinds Account Privileges

SolarWinds users can have any one of the following privileges, some of which are more permissive than others: 

[Image: Picture1.png, the list of SolarWinds account privileges]

For example, the Alert Management privilege allows a user to modify or create new alerts. An alert is an automated notification that a network event has occurred.

SolarWinds API

Upon installation, the SolarWinds Orion Platform loads a web-based GUI. The SolarWinds REST API can perform the same actions available in this interface.

The ZDI initially learned about this attack surface through an anonymous researcher who was able to show that a user with Alert Management Privileges (henceforth referred to as a non-admin user) can achieve serious side effects on the SolarWinds Orion Platform via the web-based GUI or REST API. 

CVE-2020-14005: Command injection and Execution of Arbitrary VBScript

The product allows a non-admin user to specify a path to a VBS script to be executed when an alert is triggered. There is no restriction on VBS files hosted on a remote SMB share. This lets an attacker specify arbitrary VBS scripts for execution.

[Image: Picture2.png, alert action configured with a path to a VBS script]

The execution of the VBS script is handled by the following method:

During the analysis of this case, we noticed the interpreter parameter can be controlled by manipulating the JSON body of the API request. Hence, by specifying cmd.exe instead of WScript.exe, this vulnerability can be exploited as a straightforward command injection:

Another feature available to non-admin users allows the execution of external scripts, which can be exploited in a similar fashion:

[Image: Picture3.png, the external script execution action]

The specified script is later executed by the following:

CVE-2020-27869: SQL Injection Privilege Escalation Vulnerability

There is also a SQL injection vulnerability that non-admin users can reach through the Configure Action setting (or the corresponding API command).

[Image: Picture4.png, the Configure Action setting with the "Body to POST" field]

These requests are handled by the following code:

As shown, if the “Body to POST” contains the string “${SQL:”, the subsequent string will be evaluated as a SQL statement, which results in a SQL injection. This can allow the takeover of the Administrator account by using the following malicious string:

${SQL: SELECT @@version; UPDATE [dbo].[Accounts] SET PasswordHash = 'Yj505tc0oUwHdI1tgBoOtGWvKlGviV7tGGb276YZwyaADa/iyFhg1JHCJF1RwwNfvYiVGXca1AFFJvrIGgNHdQ==' WHERE AccountID = 'admin'; UPDATE [dbo].[Accounts] SET PasswordSalt= '8M4EuLag9Lpl+d9i0GQKDw==' WHERE AccountID = 'admin'}
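The three non-admin abuse paths described above (a VBS script path that points at a remote SMB share, an interpreter that is not the expected script host, and a "${SQL:" macro in the "Body to POST" field) can all be caught by auditing exported alert action definitions. The following audit script is an added example written for this page; it is not ZDI's or SolarWinds' code. The field names `actionType`, `scriptPath`, `interpreter` and `bodyToPost` and the sample records are constructed assumptions, not the real Orion API schema, and the interpreter allowlist is a defender's choice (cscript.exe is included as an assumption alongside the WScript.exe the post names).

```python
import re
from typing import Iterable

# Constructed sample alert action records. The keys below are assumptions
# made for this example and do not reflect the actual SolarWinds API schema.
SAMPLE_ACTIONS = [
    {"id": 1, "actionType": "VBScript", "scriptPath": r"C:\Scripts\notify.vbs",
     "interpreter": "WScript.exe", "bodyToPost": ""},
    {"id": 2, "actionType": "VBScript", "scriptPath": r"\\10.0.0.5\share\x.vbs",
     "interpreter": "WScript.exe", "bodyToPost": ""},            # remote SMB share
    {"id": 3, "actionType": "VBScript", "scriptPath": r"C:\Scripts\notify.vbs",
     "interpreter": "cmd.exe", "bodyToPost": ""},                # interpreter swapped
    {"id": 4, "actionType": "HttpPost", "scriptPath": "",
     "interpreter": "", "bodyToPost": "status=${SQL: SELECT 1}"},  # SQL macro
    {"id": 5, "actionType": "HttpPost", "scriptPath": "",
     "interpreter": "", "bodyToPost": "status=ok"},
]

# Assumed allowlist of script hosts; WScript.exe is the one the post names.
ALLOWED_INTERPRETERS = {"wscript.exe", "cscript.exe"}
# UNC path: two leading backslashes, a host, another backslash.
UNC_PATH = re.compile(r"^\\\\[^\\]+\\")
# The macro the vulnerable handler evaluates as SQL.
SQL_MACRO = re.compile(r"\$\{\s*SQL\s*:", re.IGNORECASE)


def audit_action(action: dict) -> list[str]:
    """Return a list of findings for one alert action record (empty if clean)."""
    findings = []
    path = action.get("scriptPath", "")
    if path and UNC_PATH.match(path):
        findings.append("script path on remote SMB share")
    interp = action.get("interpreter", "")
    # Compare only the file name so full paths to the host are handled too.
    if interp and interp.lower().rsplit("\\", 1)[-1] not in ALLOWED_INTERPRETERS:
        findings.append(f"unexpected interpreter {interp!r}")
    if SQL_MACRO.search(action.get("bodyToPost", "")):
        findings.append("'${SQL:' macro in body to POST")
    return findings


def audit_actions(actions: Iterable[dict]) -> dict[int, list[str]]:
    """Map action id -> findings, keeping only actions that have findings."""
    return {a["id"]: f for a in actions if (f := audit_action(a))}


if __name__ == "__main__":
    for action_id, findings in audit_actions(SAMPLE_ACTIONS).items():
        print(action_id, "; ".join(findings))
```

Run it against an export of your alert actions (after mapping the real field names onto the assumed ones); any hit on a non-admin user's alert is worth a closer look even on a patched system, because the action definition itself is the persistence point.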

CVE-2020-10148: Authentication Bypass

While evaluating the patch introduced by Hotfix 2, our N-day team analyzed another vulnerability that could be used to bypass authentication altogether. This bug was assigned CVE-2020-10148. The application contains logic to bypass authentication when the client is requesting a resource for which no authentication is necessary, such as JavaScript or Cascading Style Sheets (CSS) files. Specifically, authentication is bypassed if the request URL path contains “Skipi18n” or ends with “i18n.ashx”, “WebResource.axd”, or “ScriptResource.axd”.
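The bypass condition above is simple enough to encode as a detection rule over web server logs: a request that satisfies the static-resource condition is normal, but one that satisfies it while also addressing a dynamic page or API route is not how the static handlers are normally reached. The code below is an added example for this page, not ZDI's or SolarWinds' code; the log records are constructed, and the "dynamic marker" heuristic (`.aspx`, `.asmx`, `/api/`) is an assumption a defender would tune to their own deployment.

```python
import re
from typing import NamedTuple


class Request(NamedTuple):
    method: str
    path: str
    status: int


# Constructed sample log records (method, path, status); not captured traffic.
SAMPLE_LOG = [
    Request("GET", "/Orion/js/OrionCore.js", 200),
    Request("GET", "/Orion/i18n.ashx", 200),
    Request("GET", "/WebResource.axd?d=abc", 200),
    Request("GET", "/ScriptResource.axd?d=xyz", 200),
    Request("GET", "/Orion/Login.aspx", 200),
    Request("GET", "/Orion/Example.aspx/Skipi18n", 200),   # constructed suspicious path
    Request("POST", "/api/Example/WebResource.axd", 200),  # constructed suspicious path
]

# Suffixes and token from the post's description of CVE-2020-10148.
BYPASS_SUFFIXES = ("i18n.ashx", "webresource.axd", "scriptresource.axd")
BYPASS_TOKEN = "skipi18n"
# Assumed markers of non-static content; adjust for your own site layout.
DYNAMIC_MARKER = re.compile(r"(\.aspx|\.asmx|/api/)", re.IGNORECASE)


def _path_only(url: str) -> str:
    """Strip the query string; the condition is on the path. Case-folded
    because ASP.NET routing is case-insensitive (assumption for matching)."""
    return url.split("?", 1)[0].lower()


def bypass_predicate(url: str) -> bool:
    """True when the request would be treated as an unauthenticated resource."""
    path = _path_only(url)
    return BYPASS_TOKEN in path or path.endswith(BYPASS_SUFFIXES)


def is_suspicious(req: Request) -> bool:
    """Static-resource condition met, but the path also names dynamic content."""
    return bypass_predicate(req.path) and bool(DYNAMIC_MARKER.search(_path_only(req.path)))


def find_suspicious(log) -> list[str]:
    """Return the paths of all suspicious requests in log order."""
    return [r.path for r in log if is_suspicious(r)]


if __name__ == "__main__":
    for path in find_suspicious(SAMPLE_LOG):
        print("suspicious:", path)
```

The predicate alone will fire on every legitimate script and stylesheet load, so the useful signal is the combination; on a patched system a surviving match is still worth reviewing as evidence of earlier probing.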

While these individual bugs may not be severe on their own, when they are chained together, they can allow an attacker to gain unauthenticated remote code execution at the highest level. Finding and fixing these types of bugs helps clear the ecosystem of high-impact bugs – hopefully before they are used by an adversary. Applying the fixes from the vendor shores up your defenses and helps prevent unwanted intrusions into your enterprise.

Conclusion

The SolarWinds Orion Platform is a critical piece of infrastructure within an organization. SolarWinds has released patches to address these and other bugs. You should follow this guidance to ensure your system has the latest security updates. We are glad to be able to contribute to the security of this codebase via the ZDI program. Stay tuned for Part 2 of this blog, which will cover vulnerabilities in other components of the SolarWinds Orion Platform with similar effects. 

Until then, you can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.
