Powered by ACTIVECYBER, LLC
Powered by ACTIVECYBER, LLC
While conducting research on insecure Windows Communication Foundation (WCF) endpoints we stumbled upon SolarWinds fleet of products for two reasons; first, they have handful of software that you can test and secondly, most of the services were built using .NET Framework which makes it a strong candidate for our research.
During the testing process, we usually look for the low-hanging fruit variety of bugs. This includes, amongst other things, dynamic analysis of the target program folder if any under “C:\ProgramData” directory and that is how we found a rather trivial elevation of privileges vulnerability in SolarWinds Orion Platform that affected a total of 14 products.
The following is the process used to find and exploit the security vulnerability using SolarWinds Network Configuration Manager v7.8 on Windows Server 2012 R2 Standard instance. First off, we set the following self-explanatory filters in Procmon64.exe
Running it will reveal that the process cmd.exe is trying to run handle.exe binary as “NT AUTHORITY\SYSTEM” under “C:\ProgramData\SolarWinds\Orion\RabbitMQ\” directory every 5 seconds!
We can see the full command that was used in the command line section under event properties. Now if you haven’t used or heard of handle.exe before, its a Windows Sysinternals utility that displays information about open handles for any given process on the system:
Examining the properties of Parent PID 4272 under procexp64.exe clearly shows the logic behind this abnormal behavior:
Both the erl.exe process command line arguments and current directory path are enforcing “C:\ProgramData\SolarWinds\Orion\RabbitMQ\” as the current working directory. Before diving in too far, let’s talk more about RabbitMQ which is according to its official website here:
With more than 35,000 production deployments of RabbitMQ world-wide at small startups and large enterprises, RabbitMQ is the most popular open source message broker.
RabbitMQ is lightweight and easy to deploy on premises and in the cloud. It supports multiple messaging protocols. RabbitMQ can be deployed in distributed and federated configurations to meet high-scale, high-availability requirements.
RabbitMQ runs on many operating systems and cloud environments, and provides a wide range of developer tools for most popular languages.
Reading through a few RabbitMQ installation guides for Windows we’ve noticed that for some reason ERLANG is a must have in order for RabbitMQ to function. In Addition, handle.exe is used by RabbitMQ to monitor the local file system and update “File descriptors” field under RabbitMQ web dashboard. All we need at this point is to confirm that we can create/write files as low privileged user via AccessEnum.exe which is the default DACL for the Users group on “C:\ProgramData” and its sub-folders due to inheritance:
We used msfvenom from Metasploit toolset to create calc.exe payload:
We logged in as standard user and then copied handle.exe to the problematic folder while running procexp64.exe in the background which will effectively pop a calc every 5 seconds as “NT AUTHORITY\SYSTEM”
We’ve also recorded a demonstration video for SolarWinds Patch Manager v2.1 on Windows Server 2016 Standard install for your convenience:
It's worth mentioning that unlike the other affected products, Access Rights Manager 8MAN v18.104.22.168 uses the vulnerable path “C:\ProgramData\rabbitmq\” instead. Also, we were quite impressed by the exceptional response time and professionalism delivered by SolarWinds PSIRT team. A link to the knowledgebase article regarding this vulnerability can be found here.
While wrapping up this blog post we had an interesting thought; how many applications out there utilize RabbitMQ? And what are the chances of those applications experiencing the same issue? We will leave this as an exercise for the reader. Lastly, feel free to reach out to at email@example.com if you have any questions. See the link here for complete list of ACTIVELabs advisories.
ACTIVELabs was created in 2018 to hunt and research undiscovered vulnerabilities, report them to vendors via responsible disclosure programs, publish advisories, develop and validate new patches, and to share this information for the advancement of the cybersecurity community. ACTIVELabs was established with the mission of securing our ever-growing client base, partnerships, and the technology community as a whole.
We are actively providing the community with verified findings and research that leads to the creation of new Common Vulnerabilities and Exposures (CVEs) and updates to the National Vulnerability Database (NVD).