Hi There
Two days ago SolarWinds issued an advisory about hardcoded credentials in Web Help Desk (WHD).
They released 12.8.3 Hotfix 2 to patch this vulnerability.
If you diff Hotfix 1 and Hotfix 2, they patched some lines that kept development credentials. For example, these two constant values were deleted in HF2:
Java:
public static final String HELPDESKINTEGRATION_DEVELOPMENT_LOGINNAME = "helpdeskIntegrationUser";
public static final String HELPDESKINTEGRATION_DEVELOPMENT_PASSWORD = "dev-C4F8025E7";
In whd-security.xml, the endpoints that use these credentials are:
XML:
<http pattern="/integration/**" create-session="stateless" use-expressions="true"
      authentication-manager-ref="helpdeskIntegrationAuthenticationManager">
    <intercept-url pattern="/**" access="hasRole('ROLE_INTEGRATION')"/>
    <http-basic entry-point-ref="helpdeskIntegrationBasicAuthenticationEntryPoint"/>
    <csrf disabled="true"/>
</http>
<http pattern="/discovery/**" create-session="stateless" use-expressions="true"
      authentication-manager-ref="helpdeskIntegrationAuthenticationManager">
    <intercept-url pattern="/**" access="hasRole('ROLE_INTEGRATION')"/>
    <http-basic entry-point-ref="helpdeskIntegrationBasicAuthenticationEntryPoint"/>
    <csrf disabled="true"/>
</http>
<http pattern="/config/**" create-session="stateless" use-expressions="true"
      authentication-manager-ref="helpdeskIntegrationAuthenticationManager">
    <intercept-url pattern="/**" access="hasRole('ROLE_INTEGRATION')"/>
    <http-basic entry-point-ref="helpdeskIntegrationBasicAuthenticationEntryPoint"/>
    <csrf disabled="true"/>
</http>
<http pattern="/assetReport/**" create-session="stateless" use-expressions="true"
      authentication-manager-ref="helpdeskIntegrationAuthenticationManager">
    <intercept-url pattern="/**" access="hasRole('ROLE_INTEGRATION')"/>
    <http-basic entry-point-ref="helpdeskIntegrationBasicAuthenticationEntryPoint"/>
    <csrf token-repository-ref="customCsrfTokenRepository"/>
</http>
In the comment above these lines, SolarWinds mentioned this from before:
callable only from localhost, using BASIC auth with credentials generated dynamically (returns 404 for other addresses)
As the code changed and the values of the constants were deleted, the credentials may not be generated dynamically (and I think the credentials mentioned as patched in the advisory are those mentioned at the start of the post).
But there is still another problem: in the helpdeskIntegrationAuthenticationManager class we have another check that is mentioned in the comment line:
Java:
boolean isAllowedAddress = InternalCommunicationUtils.isAllowedAddress(details.getRemoteAddress(), isDevelopment);
This line checks whether the request was issued from a loopback address or not, based on getRemoteAddress().
So from this point the attack can only be carried out locally.
Just in case: you don't have this restriction if WHD is set up behind a reverse proxy.
But if the reverse proxy isn't there, continuing the attack fails.
Does anybody have any idea how we can bypass this restriction and reach the internal endpoints (like the HQL query runner)?
Glad to read your comments.
Have a nice day.
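A defender-side detection pass over Tomcat-style access logs, written as an added example for this thread (it is not WHD code and not the poster's): it flags requests to the four path prefixes guarded by helpdeskIntegrationAuthenticationManager in whd-security.xml that either authenticate as the removed development login name or reach the application from a non-loopback client, and it reads X-Forwarded-For so that a reverse proxy on the same host (which makes every request look like it came from 127.0.0.1, the situation described above) does not blind the loopback check. The access-log pattern, the request paths under those prefixes and all sample lines are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List

# Path prefixes protected by helpdeskIntegrationAuthenticationManager in whd-security.xml
INTEGRATION_PREFIXES = ("/integration/", "/discovery/", "/config/", "/assetReport/")
# Development login name that 12.8.3 Hotfix 2 removed from the code
DEV_LOGIN = "helpdeskIntegrationUser"

# Assumed Tomcat AccessLogValve pattern (not WHD's shipped config):
#   %h %l %u %t "%r" %s %b "%{X-Forwarded-For}i"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

# Constructed sample lines; the paths below the prefixes are placeholders
SAMPLE_LOG = [
    '127.0.0.1 - - [01/Jan/2021:10:00:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 512 "-"',
    '127.0.0.1 - helpdeskIntegrationUser [01/Jan/2021:10:00:01 +0000] "POST /integration/example HTTP/1.1" 200 128 "203.0.113.7"',
    '127.0.0.1 - integrationsvc [01/Jan/2021:10:00:02 +0000] "GET /discovery/status HTTP/1.1" 200 64 "-"',
    '198.51.100.9 - - [01/Jan/2021:10:00:03 +0000] "GET /config/info HTTP/1.1" 404 0 "-"',
]

@dataclass
class Finding:
    client: str
    user: str
    path: str
    reason: str

def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses are treated as non-loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def analyze(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        if not path.startswith(INTEGRATION_PREFIXES):
            continue
        # Behind a reverse proxy %h is the proxy itself (often loopback); the original
        # client is the first X-Forwarded-For hop, which is only trustworthy if the proxy sets it.
        xff = m["xff"].strip()
        client = xff.split(",")[0].strip() if xff and xff != "-" else m["host"]
        if m["user"] == DEV_LOGIN:
            findings.append(Finding(client, m["user"], path, "development login name used"))
        elif not is_loopback(client):
            findings.append(Finding(client, m["user"], path, "integration endpoint reached from non-loopback client"))
    return findings
```

Run `analyze(SAMPLE_LOG)` to get two findings: the proxied request that authenticated as the development login, and the direct non-loopback request to /config/ (even though it was answered with 404).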