Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Chaining Multiple bugs for Unauthenticated RCE in the SolarWinds Orion Platform - 382

Sivathmican Sivakumaran (ZDI), posted 5 years ago
  • The SolarWinds breach affected the bulk of Fortune 500 companies across the United States. For obvious reasons, people started looking closely at the security of this widely used software.
  • The most impactful bug was an authorization bypass triggered by requests containing one of a set of keys, such as Skipi18n and i18n.ashx. The idea was that JavaScript and CSS files needed to be served without authorization, so requests were checked for these keyed strings. However, simply adding one of them to the request (unsure if this is just the path or query parameters too) skipped authorization entirely.
  • With the authorization bypass in place, it is time to take over the device. A non-administrative user is able to specify a VBS script to execute when an alert fires. But the path to the interpreter is included in that setting as well, allowing an attacker to set it to cmd.exe.
  • The final bug is simply the ability to run arbitrary SQL from a request, by design. I personally feel this is an intended feature and not a vulnerability, though. The threat model assumes that only authenticated users can reach this functionality anyway.