Skip to content

Instantly share code, notes, and snippets.

@alert3
Created June 24, 2020 05:48
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save alert3/c9dcce5474e55f408c93c086c30cdbb7 to your computer and use it in GitHub Desktop.
Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4
This is a description of arbitrary code execution vulnerability found in Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4
@alert3
Copy link
Author

alert3 commented Jun 24, 2020

Product

Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

Author

Amin Rawah

CVE ID

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14005

Description

A user can define an VB script on network event occurs to perform a specific action (more info https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-Executing-a-Visual-Basic-Script-sw1055.htm). Since there is no restriction on running VB, a malicious user with privilege to run VB on defined event can gain access to OS by executing a reverse shell. The following script was tested to run on specific event and the attacker gains access to OS as result https://github.com/bitsadmin/revbshell with admin privilege

@zmanion
Copy link

zmanion commented Dec 15, 2020

To clarify, an authenticated user with access to some SolarWinds web interface can get VB to run, this VB could be a reverse shell that gives OS access? And with SYSTEM privileges? It may be obvious I'm not a SolarWinds user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment