In a recent blog post, we showed how certain endpoints in the SolarWinds Orion platform were accessible to low privileged users and could be exploited to achieve remote code execution. We also showed how authentication could be bypassed altogether using CVE-2020-10148. In this blog post, we discuss three other vulnerabilities submitted by an anonymous researcher, which when chained with a privilege escalation bug, could be exploited by a guest user. This will be a brief blog post due to the simplicity of the aforementioned bugs.

Privileges

In the previous blog post, we briefly discussed privileges in the SolarWinds Orion platform. One of the predefined roles is the guest account, which requires no password and has no assigned privileges by default. Although this account is disabled by default, it is fair to assume that some deployments may have the guest account enabled.

Picture1.png

CVE-2020-27870: Directory Traversal leading to arbitrary file read

The endpoint /orion/ExportToPDF.aspx converts HTML to PDF, but it fails to check if the HTML contains references to local files. Furthermore, the guest user account can access this endpoint. By supplying HTML files that contain references to local files, it is possible to read arbitrary files on the server in the context of SYSTEM.

For example, the following request can be used to retrieve the contents of C:\Windows\system32\drivers\etc\hosts:

A PDF contains the disclosed file contents can be retrieved as follows:

CVE-2020-27871: Directory Traversal leading to arbitrary file upload

Orion allows the installation of various modules, with each module capable of performing a specific network monitoring and management function. One such module is the Network Configuration Manager (NCM) module. Where this module is installed, there is an arbitrary file upload vulnerability that could be leveraged for remote code execution. The root cause of this vulnerability is illustrated in the following code snippet:

As shown, the NCM module has a firmware vulnerability management functionality that downloads a ZIP file containing JSON files from an external website. By default, it downloads from https://nvd.nist.gov, but this default can be overridden. It then automatically extracts data from the .zip archive. It does not check the file extensions of the extracted files, nor does it verify the file upload path. Thus it is possible to upload the file anywhere in the file system. Files are extracted and written in the context of SYSTEM.

This flaw can be easily exploited. For example, by issuing the following request, it is possible to upload an arbitrary ASPX file to the www directory:

This vulnerability has one caveat in that it can only be exploited by an Admin user. However, this requirement can be bypassed by the vulnerability we will discuss next.

ZDI-CAN-11903/ZDI-21-192: Privilege escalation

This vulnerability is present when any of the following SolarWinds Orion platform modules are installed:
       - Network Configuration Manager
       - Server Configuration Manager
       - IP Address Manager

When any one of these products are installed, SolarWinds stores account roles in the WebUserSettings table.

Picture2.png

The researcher discovered this table can be modified by a hidden SaveUserSetting endpoint. A guest user can elevate their privileges to Administrator by simply issuing the following request:

Conclusion

This series of blog posts shows that simple bugs and oversights can have severe consequences. Luckily, SolarWinds has addressed all the above vulnerabilities in Orion Platform 2020.2.1 HF2. We highly recommend those running a vulnerable version of this platform to upgrade.

You can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.