SolarWinds Local Privilege Escalation (CVE-2019-9546)

While conducting research on insecure Windows Communication Foundation (WCF) endpoints we stumbled upon SolarWinds fleet of products for two reasons; first, they have handful of software that you can test and secondly, most of the services were built using .NET Framework which makes it a strong candidate for our research.

During the testing process, we usually look for the low-hanging fruit variety of bugs. This includes, amongst other things, dynamic analysis of the target program folder if any under “C:\ProgramData” directory and that is how we found a rather trivial elevation of privileges vulnerability in SolarWinds Orion Platform that affected a total of 14 products.
 
The following is the process used to find and exploit the security vulnerability using SolarWinds Network Configuration Manager v7.8 on Windows Server 2012 R2 Standard instance. First off, we set the following self-explanatory filters in Procmon64.exe

​Running it will reveal that the process cmd.exe is trying to run handle.exe binary as “NT AUTHORITY\SYSTEM” under “C:\ProgramData\SolarWinds\Orion\RabbitMQ\” directory every 5 seconds!

We can see the full command that was used in the command line section under event properties. Now if you haven’t used or heard of handle.exe before, its a Windows Sysinternals utility that displays information about open handles for any given process on the system:

Examining the properties of Parent PID 4272 under procexp64.exe clearly shows the logic behind this abnormal behavior:

Both the erl.exe process command line arguments and current directory path are enforcing “C:\ProgramData\SolarWinds\Orion\RabbitMQ\” as the current working directory. Before diving in too far, let’s talk more about RabbitMQ which is according to its official website here:
 
With more than 35,000 production deployments of RabbitMQ world-wide at small startups and large enterprises, RabbitMQ is the most popular open source message broker.
 
RabbitMQ is lightweight and easy to deploy on premises and in the cloud. It supports multiple messaging protocols. RabbitMQ can be deployed in distributed and federated configurations to meet high-scale, high-availability requirements.
 
RabbitMQ runs on many operating systems and cloud environments, and provides a wide range of developer tools for most popular languages.
 
Reading through a few RabbitMQ installation guides for Windows we’ve noticed that for some reason ERLANG is a must have in order for RabbitMQ to function. In Addition, handle.exe is used by RabbitMQ to monitor the local file system and update “File descriptors” field under RabbitMQ web dashboard. All we need at this point is to confirm that we can create/write files as low privileged user via AccessEnum.exe which is the default DACL for the Users group on “C:\ProgramData” and its sub-folders due to inheritance:

​We used msfvenom from Metasploit toolset to create calc.exe payload:

​We logged in as standard user and then copied handle.exe to the problematic folder while running procexp64.exe in the background which will effectively pop a calc every 5 seconds as “NT AUTHORITY\SYSTEM”

​We’ve also recorded a demonstration video for SolarWinds Patch Manager v2.1 on Windows Server 2016 Standard install for your convenience:

It's worth mentioning that unlike the other affected products, Access Rights Manager 8MAN v9.1.181.0 uses the vulnerable path “C:\ProgramData\rabbitmq\” instead. Also, we were quite impressed by the exceptional response time and professionalism delivered by SolarWinds PSIRT team. A link to the knowledgebase article regarding this vulnerability can be found here.

While wrapping up this blog post we had an interesting thought; how many applications out there utilize RabbitMQ? And what are the chances of those applications experiencing the same issue? We will leave this as an exercise for the reader. Lastly, feel free to reach out to at labs@activecyber.us if you have any questions. See the link here for complete list of ACTIVELabs advisories.
 
Affected Products

• SolarWinds IP Address Manager v4.7.0
• SolarWinds Log Manager for Orion v1.1.0
• SolarWinds Network Configuration Manager v7.8
• SolarWinds Orion Network Performance Monitor v12.3
• SolarWinds Orion Network Traffic Analyzer v4.4
• SolarWinds Server & Application Monitor v6.7
• SolarWinds Server Configuration Monitor v1.0
• SolarWinds Storage Resource Monitor v6.7
• SolarWinds User Device Tracker v3.3.1
• SolarWinds Virtualization Manager v8.3
• SolarWinds VoIP and Network Quality Manager v4.5
• SolarWinds Web Performance Monitor v2.2.2
• SolarWinds Patch Manager v2.1
• Access Rights Manager 8MAN v9.1.181.0

 
 
Disclosure Timeline

• 02-19-19: ACTIVELabs sent security vulnerability report to SolarWinds PSIRT team
• 02-20-19: PSIRT team acknowledged report and stated that they will investigate the issue
• 02-27-19: PSIRT team communicated that the security vulnerability has been addressed
• 02-27-19: ACTIVELabs requested more information
• 02-28-19: PSIRT team confirmed that a patch has been included/released in HotFix 2 version
• 03-01-19: ACTIVELabs requested CVE from MITRE
• 03-01-19: CVE-2019-9546 assigned
• 03-01-19: ACTIVELabs notified PSIRT team about CVE assignment and a blog post will be published in the near future
• 03-04-19: PSIRT team requested to delay blog post release until proper knowledge base article can be prepared/published
• 03-04-19: Notified PSIRT team that we will hold off on the blog post until further notice
• 03-06-19: PSIRT team informed us that a knowledge base article has been released
• 05-03-19: Blog post released