SolarWinds Orion Platform Vulnerability: Messages Queued, Processed, Deserialized and Exploited
In light of the recent SolarWinds supply chain attack, I decided to take a quick look at SolarWinds products based on the Orion framework. SolarWinds offers trial versions for download. I picked User Device Tracker and installed it on a vanilla Windows Server 2019 virtual machine. As a part of the installation, there is a setup of Microsoft Message Queue (MSMQ), which has been around for more than two decades. This immediately grabbed my attention since, by default, this technology is not installed on modern Windows systems. Next, the installer suggested installing Microsoft SQL Server Express for the product backend database management, but I could have opted to use an existing Microsoft SQL Server instance too. After a few more steps – voilà – we have the product up and running.
Since MSMQ was installed, the first thing I tried was to open the Computer Management console to see what’s going on under the Message Queuing, as you can see in Figure 1.
Figure 1: SolarWinds Orion Collector uses MSMQ heavily.
As you can see, there is a huge list of private queues, and literally, every one of them has a specific problem. See if you can pinpoint it in Figure 2 below.
Figure 2: Security is not configured on the queues.
It’s pretty hard to miss that warning shield showing that the queue, like all the queues, is unauthenticated. In short, unauthenticated users can send messages to such queues over TCP port 1801. My interest was piqued, and I jumped in to look at the code that handles incoming messages. Unfortunately, it turned out to be an unsafe deserialization victim. A simple Proof of Concept (PoC) (which again, we will release on Feb. 9) allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system.
After the patch is applied, there is a digital signature validation step performed on arrived messages so that messages having no signature or not signed with a per-installation certificate are not further processed. On the other hand, the MSMQ is still unauthenticated and allows anyone to send messages to it.
SolarWinds Orion Platform Vulnerability (CVE-2021-25275): Database Credentials for Everyone
My next step in research was to check how well SolarWinds secured the credentials for the backend database since database security is a research area we care about very much. After simple grep across the files installed by the product, one file was found (well, actually two, but more on that later), as shown in Figure 3.
Figure 3: Configuration file with Orion backend database credentials.
Permissions are generously granted to all locally authenticated users, as shown in Figure 4.
Figure 4: Authenticated users can read the file content.
Inside this file, we find credentials for the SolarWinds backend database called SOLARWINDS_ORION:
Figure 5: Inside the configuration file are database credentials for the Orion backend database.
I spent some time finding code that decrypts the password but essentially, it’s a one-liner. In the end, unprivileged users who can log in to the box locally or via RDP will be able to run decrypting code and get a cleartext password for the SolarWindsOrionDatabaseUser. We are withholding all Proof of Concept (PoC) code for these vulnerabilities to give users a little more time to patch, but you’ll be able to test this out for yourselves next week on Feb. 9. The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database. From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.
Figure 6: After using a small decryption utility, we can connect to the database.
As mentioned earlier, I performed my tests on the trial version and when verifying the patch noticed that while it secures the SWNetPerfMon.DB file it does not secure the SWNetPerfMon.DB.Eval found in the trial.
This concludes the section about configuration file insecure storage. On to the next finding!
SolarWinds Serv-U FTP Vulnerability (CVE-2021-25276) – FTP Server: Let Me Add an Admin User for Myself
Finally, I took a quick look at another SolarWinds product called Serv-U FTP for Windows. It turns out that the accounts are stored on disk in separate files. Directory access control lists allow complete compromise by any authenticated Windows user. Specifically, anyone who can log in locally or via Remote Desktop can just drop a file that defines a new user, and the Serv-U FTP will automatically pick it up. Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem.
Figure 7: Authenticated users can write to the configuration directory.
Summary
In this post, we discussed two findings in SolarWinds Orion User Device Tracker and one in SolarWinds Serv-U FTP. These issues could allow an attacker full remote code execution, access to credentials for recovery, and the ability to read, write to or delete any file on the system.
Trustwave reported all three findings to SolarWinds, and patches were released in a very timely manner. We want to thank SolarWinds for their partnership during the disclosure process. We recommend that administrators upgrade as soon as possible. We will also be releasing an update to this blog post with Proof of Concept (PoC) code next week on Feb. 9, to give users some additional time to patch. Having direct PoC code helps information security professionals better understand these issues as well as develop protections to prevent exploitation.
Disclosure Timeline
12/30/2020 – Orion vulnerabilities disclosed to vendor
01/04/2021 – Confirmation of Orion CVEs
01/04/2021 – ServU-FTP vulnerabilities disclosed to vendor
01/05/2021 – Confirmation of ServU-FTP CVE
01/22/2021 – Serv-U-FTP hotfix released
01/25/2021 – Orion patches released
02/03/2021 – Advisory published
02/09/2021 – Proof of Concept code released
References
- Fixes are available in the following versions of SolarWinds products:
- Orion Platform 2020.2.4
- ServU-FTP 15.2.2 Hotfix 1 (direct download .zip patch)