2017/03/23

SolarWinds LEM: SSH Jailbreak and Privilege Escalation

BACKGROUND
SolarWinds LEM (or SIEM) is a log management software for security, compliance, and troubleshooting. Log & Event Manager includes rules and reports for standards like HIPAA, PCI-DSS, SOX, GLBA, NCUA, NERC-CIP, DISA-STIG, and more.

DESCRIPTION
SolarWinds LEM <= 6.3 is affected by two vulnerabilities that allow remote authenticated users to escape from sandbox and elevate privileges to root. The vulnerable interface exposes some internal tools that could be used to escape from jail and execute arbitrary commands on the system. A second flaw related with improper permissions allows users to execute commands as root. 

PROOF OF CONCEPT
The affected resource is the custom SSH interface. It is a limited shell which only allows specific management actions, like modify network interfaces or view the server status. Due to weak isolation, it is possible to escape from this interface and launch a system shell without restrictions.

1. CVE-2017-5199 - SolarWinds SIEM authenticated custom shell Jailbreak and command execution

- Login through SSH (port 32022 by deafult)
- Acess "appliance" section.
- Enter "editbanner" command. A "nano" editor will be shown.
- Press "F5" key and then <CTRL+T>. This combination will open a file explorer.
- Navigate to "/usr/local/contego/scripts/" and open "mgrconfig.pl". This is the logon shell script and is writable, but can't save to the right file jet.
- Press <ALT+F>, then <CTRL+R>. It will enable multibuffer and ask for a file to insert into. Put "/usr/local/contego/scripts/mgrconfig.pl".
- When loaded, search for "sub do_main" with <CTRL+W>.
- Insert 'system("/bin/bash");' line, just after 'print "cmc>";'.
- Finally, save the file with <CTRL+O> and ENTER.
- Exit SSH and login again.
- When logged in, a bash shell will be shown.



2. CVE-2017-5198 - SolarWinds SIEM incorrect permissions on management scripts allows privilege escalation 

- Once logged into bash shell, check available "sudo" commands: sudo -l
- Due to incorrect permissions, it is possible to edit the content of several scripts which are allowed to run as sudo.
- I've choosen "/usr/local/contego/scripts/hostname.sh". Open it with nano, delete the content and just put "/bin/bash -i". Save it with <CTRL+O>.
- Execute "sudo /usr/local/contego/scripts/hostname.sh" to get a root shell.


BUSINESS IMPACT
An attacker can execute arbitrary commands as root, which leads in a total machine compromise.


LIMITATIONS
The last published version (6.3.1) is affected by the sandbox escape vulnerability, but the privilege escalation was patched by setting correct permissions on the affected files. Anyway, it was verified that is still possible to escalate privileges due to outdated system kernel.

SOLUTION
Improve the isolation on the custom SSH interface and set correct permissions on all sensitive files to prevent unwanted access or modification.
It is also recommended to upgrade the system kernel to prevent privilege escalation issues. The SolarWinds team has confirmed that they are working on it.


TIMELINE
January 6, 2017: CVE assigned CVE-2017-5198 and CVE-2017-5199
January 6, 2017: Contact with SolarWinds Team
January 10, 2017: SolarWinds confirms the vulnerability. They said that are working in a fix.
January 14, 2017: SolarWinds confirms the patch and public release date (February 15, 2017).
March 23, 2017: Advisory published.

DISCOVERED BY
Jose Antonio Pérez Piedra