alert3/main.txt

Created Jun 24, 2020
Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4
This is a description of an arbitrary code execution vulnerability found in Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

@alert3 alert3 commented Jun 24, 2020

Product

Solarwinds Orion - Web Console WPM: 2019.4.1 Orion Platform HF4, NPM HF2: 2019.4

Author

Amin Rawah

CVE ID

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14005

Description

A user can define a VB script to perform a specific action when a network event occurs (more info: https://documentation.solarwinds.com/en/Success_Center/orionplatform/Content/Core-Executing-a-Visual-Basic-Script-sw1055.htm). Since there is no restriction on running VB, a malicious user with the privilege to run VB on a defined event can gain access to the OS by executing a reverse shell. The following script was tested to run on a specific event, and the attacker gains access to the OS as a result (https://github.com/bitsadmin/revbshell), with admin privilege.

@zmanion zmanion commented Dec 15, 2020

To clarify, an authenticated user with access to some SolarWinds web interface can get VB to run, this VB could be a reverse shell that gives OS access? And with SYSTEM privileges? It may be obvious I'm not a SolarWinds user.
