Since the first revelations about the SolarWinds compromise in December, there have been a number of after-effects, one of which is that security researchers have focused more attention on the company’s products. Unsurprisingly, that has resulted in the discovery of several new vulnerabilities, including a pair of bugs that, when combined, can lead to remote code execution.
Until the disclosure of the compromise of SolarWinds’ internal infrastructure, which resulted in an adversary gaining access to a build server and delivering a malicious update to some customers, the company’s software had not been the focus of much public vulnerability research. The SolarWinds Orion platform is used for monitoring IT infrastructure and it is deployed quite broadly in enterprise and government networks around the world. In the aftermath of the attack on SolarWinds, Martin Rakhmanov, a researcher on Trustwave’s SpiderLabs team, decided to have a look at Orion and some of SolarWinds’ other applications and discovered three separate vulnerabilities, two in Orion and one in the Serv-U FTP product. All of the vulnerabilities he discovered have been patched by SolarWinds.
The most serious bug Rakhmanov discovered is a combination of two issues in Orion related to the way the software handles incoming messages from clients. One of the services set up as part of the Orion installation is the Microsoft Message Queuing (MSMQ) service, a technology from the 1990s that is no longer used on modern Windows systems. MSMQ is designed to send and receive messages between applications, both on the same host and across a network. Rakhmanov found that all of the private message queues spun up by Orion are unauthenticated, allowing any user to send messages to the application over TCP port 1801.
“My interest was piqued, and I jumped in to look at the code that handles incoming messages. Unfortunately, it turned out to be an unsafe deserialization victim. A simple Proof of Concept (PoC) allows remote code execution by remote, unprivileged users through combining those two issues. Given that the message processing code runs as a Windows service configured to use LocalSystem account, we have complete control of the underlying operating system,” Rakhmanov said in a post on the flaws.
The fix for this issue involved checking for a digital signature on incoming messages and discarding those that aren’t signed.
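The chain described above works because the queue accepts messages from anyone and the handler deserializes them before establishing who sent them. The following is an added illustration of the defensive pattern the fix describes (check a signature on every incoming message, discard the rest, and only then parse); it is not SolarWinds' code. It uses an HMAC-SHA256 tag with a shared key from the Python standard library as a stand-in for the digital signature, and the envelope layout, key and sample messages are constructed for the example.

```python
"""Signed message envelope for a queue consumer (added example, not SolarWinds' code).

Assumed envelope layout: "<base64 payload>.<hex HMAC-SHA256 over the raw payload bytes>".
HMAC with a shared key stands in for the digital signature the vendor's fix checks.
"""
import base64
import hashlib
import hmac
import json
from typing import Any, Optional

SEPARATOR = b"."


def sign_message(key: bytes, obj: Any) -> bytes:
    """Serialize obj as JSON (a data-only format) and append an authentication tag."""
    payload = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return base64.b64encode(payload) + SEPARATOR + tag


def handle_message(key: bytes, raw: bytes) -> Optional[dict]:
    """Return the parsed message, or None if it must be discarded.

    Order matters: the authenticity check runs on the raw payload bytes before
    any parsing, so unsigned, forged or malformed input never reaches the
    deserializer. The original defect was the reverse order: deserialize first,
    with no check at all.
    """
    if SEPARATOR not in raw:
        return None  # no signature present: discard
    encoded, _, tag = raw.rpartition(SEPARATOR)
    try:
        payload = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong key or tampered payload: discard
    try:
        obj = json.loads(payload)
    except ValueError:
        return None  # signed but not valid JSON: discard
    if not isinstance(obj, dict):
        return None  # only accept the object shape the handler expects
    return obj


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    key = b"constructed-shared-key"
    good = sign_message(key, {"type": "alert", "node": 7})
    print("signed   :", handle_message(key, good))
    print("unsigned :", handle_message(key, b'{"type":"alert","node":7}'))
    print("wrong key:", handle_message(b"some-other-key", good))
```

The point is the ordering: the handler establishes that the bytes came from a holder of the key before any parser touches them, and it parses with a format that only produces plain data, so a message that passes the check still cannot instantiate arbitrary types. A real deployment would use an asymmetric signature so that consumers hold only a public key.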
After discovering this vulnerability, Rakhmanov had a look at the database Orion uses. Going through the files installed by Orion, he found a configuration file that held the credentials for the database. All authenticated local users are able to read that config file, and though the password is stored encrypted, Rakhmanov found that a single line of code decrypted it.
“In the end, unprivileged users who can log in to the box locally or via RDP will be able to run decrypting code and get a cleartext password for the SolarWindsOrionDatabaseUser,” he said.
“The next step is to connect to the Microsoft SQL Server using the recovered account, and at this point, we have complete control over the SOLARWINDS_ORION database. From here, one can steal information or add a new admin-level user to be used inside SolarWinds Orion products.”
The third issue Rakhmanov found was a bug in the Serv-U FTP product that allows any authenticated Windows user to add a file that defines a new Serv-U user.
“Next, since we can create any Serv-U FTP user, it makes sense to define an admin account by setting a simple field in the file and then set the home directory to the root of C:\ drive. Now we can log in via FTP and read or replace any file on the C:\ since the FTP server runs as LocalSystem,” Rakhmanov said.
SolarWinds released fixes for these vulnerabilities on Jan. 25.