alert3/main.txt

Created June 24, 2020 05:48

Star 0 You must be signed in to star a gist
Fork 0 You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/alert3/c9dcce5474e55f408c93c086c30cdbb7.js"></script>
Save alert3/c9dcce5474e55f408c93c086c30cdbb7 to your computer and use it in GitHub Desktop.

Download ZIP

Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

Raw

This is a description of arbitrary code execution vulnerability found in Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

Author

alert3 commented Jun 24, 2020 •

edited

Product

Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

Author

Amin Rawah

CVE ID

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14005

Description

A user can define an VB script on network event occurs to perform a specific action (more info https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-Executing-a-Visual-Basic-Script-sw1055.htm). Since there is no restriction on running VB, a malicious user with privilege to run VB on defined event can gain access to OS by executing a reverse shell. The following script was tested to run on specific event and the attacker gains access to OS as result https://github.com/bitsadmin/revbshell with admin privilege

zmanion commented Dec 15, 2020 •

edited

To clarify, an authenticated user with access to some SolarWinds web interface can get VB to run, this VB could be a reverse shell that gives OS access? And with SYSTEM privileges? It may be obvious I'm not a SolarWinds user.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment