Vulnerabilities > CVE-2015-5371 - Remote Code Execution vulnerability in SolarWinds Storage Manager

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
solarwinds
critical
nessus
metasploit
NVD
Published: 2015-07-06
Updated: 2016-11-28

Summary

The AuthenticationFilter class in SolarWinds Storage Manager allows remote attackers to upload and execute arbitrary scripts via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Solarwinds
1

Metasploit

descriptionThis module exploits an authentication bypass vulnerability in Solarwinds Storage Manager. The vulnerability exists in the AuthenticationFilter, which allows to bypass authentication with specially crafted URLs. After bypassing authentication, is possible to use a file upload function to achieve remote code execution. This module has been tested successfully in Solarwinds Store Manager Server 5.1.0 and 5.7.1 on Windows 32 bits, Windows 64 bits and Linux 64 bits operating systems.
idMSF:EXPLOIT/MULTI/HTTP/SOLARWINDS_STORE_MANAGER_AUTH_FILTER
last seen2020-05-20
modified2018-07-12
published2014-08-31
referenceshttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5371
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/solarwinds_store_manager_auth_filter.rb
titleSolarWinds Storage Manager Authentication Bypass

Nessus

NASL familyCGI abuses
NASL idSOLARWINDS_STORAGEMANAGER_AUTHFILTERBYPASS_FILEUPLOAD.NASL
descriptionThe version of SolarWinds Storage Manager running on the remote host is affected by a remote code execution vulnerability due to a flaw in the AuthenticationFilter class. An unauthenticated, remote attacker can exploit this to bypass the authentication filter and upload arbitrary scripts, resulting in the execution of arbitrary code under the context of SYSTEM.
last seen2020-06-01
modified2020-06-02
plugin id87600
published2015-12-22
reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/87600
titleSolarWinds Storage Manager AuthenticationFilter Script Upload RCE
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(87600);
  script_version("1.7");
  script_cvs_date("Date: 2019/11/20");

  script_cve_id("CVE-2015-5371");
  script_bugtraq_id(51639);
  script_xref(name:"ZDI", value:"ZDI-15-275");

  script_name(english:"SolarWinds Storage Manager AuthenticationFilter Script Upload RCE");
  script_summary(english:"Attempts to bypass authentication and upload file directly.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application that is affected by a
remote code execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of SolarWinds Storage Manager running on the remote host
is affected by a remote code execution vulnerability due to a flaw in
the AuthenticationFilter class. An unauthenticated, remote attacker
can exploit this to bypass the authentication filter and upload
arbitrary scripts, resulting in the execution of arbitrary code under
the context of SYSTEM.");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-15-275/");
  # https://downloads.solarwinds.com/solarwinds/Release/HotFix/STM-v6.1.0-HotFix1.zip
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9fc74b6f");
  script_set_attribute(attribute:"solution", value:
"Apply the vendor-supplied patch.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"d2_elliot_name", value:"SolarWinds Storage Manager 5.1.2 SQL Injection");
  script_set_attribute(attribute:"exploit_framework_d2_elliot", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'SolarWinds Storage Manager Authentication Bypass');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/30");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/07/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/22");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:solarwinds:storage_manager");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("solarwinds_storagemanager_detect.nasl");
  script_require_keys("www/solarwinds_storage_manager");
  script_require_ports("Services/www", 9000);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("audit.inc");

app_name = "SolarWinds Storage Manager";
app_name_kb = "solarwinds_storage_manager";
get_install_count(app_name:app_name_kb, exit_if_zero:TRUE);
port = get_http_port(default:9000); 
install = get_single_install(app_name:app_name_kb, port:port);
path = install['path'];
url = build_url(qs:path, port:port);
postdata = '';
res = http_send_recv3(port:port, method: 'POST',
        item: "/images/../jsp/ProcessFileUpload.jsp",
        data: postdata,
        content_type: "multipart/form-data; boundary=----GVSfnwGTvjBMvr",
        exit_on_fail: TRUE );
# see if upload is successful
if (
  "Upload Successful!" >< res[2]
)
{
  if (report_verbosity > 0)
  {
    report =
      '\nNessus was able to bypass authentication and directly access\n' +
      'file upload functionality with the following HTTP Request : \n\n' + 
      http_last_sent_request() + '\n';
    security_hole(port:port, extra: report);
  }
  else security_hole(port);
  exit(0);
}
else audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, url);

References