Please consider donating: https://www.corelan.be/index.php/donate/


2,838 views

Case Study: SolarWinds Orion (video)

Special Thanks:

To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team :P

Audio:

Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work!

http://soundcloud.com/greatscott
http://glitch.fm/

Music in Video:
Defcon (Samples Remix) | link to track
Leuce Rhythms – Bad Brain (Great Scott Remix) | link to track
Great Scott – Caravan | link to track

Video:

This video is based on an ActiveX bug discovered in SolarWinds Orion version 10 and below. The bug was fixed in version 10.1.

I decided to make a movie instead of releasing code because the .dll is marked not safe for scripting, so the "exploit-ability" doesn’t make it very practical.

The other reason for making a movie is I thought this wasn’t a "typical" bug. There were many encounters with different problems that needed to be solved.

While developing the exploit I had some issues with getting the code to execute.

I had previously thought that the memory block where the payload was loaded into would not execute (due to the permissions in memory), so I decided to make use of the buffer space available to stage the shellcode somewhere else using a memcpy() call. In essence, I told it to write the payload back onto the stack so it can be executed.

After revisiting this bug months later (after it was fixed by SolarWinds), I realized the problem existed between the keyboard and chair and it was not the case … the code could be executed from memory so there was no need for the memcpy() call. Anyways, it still is a good technique to make your shellcode executable when needed :).

So at either rate, it still makes for a fun video. Enjoy!
(Make sure to toggle full screen)

– Lincoln

Solarwinds Orion

(or click here)

 


  Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

© 2010 – 2021, Corelan Team (Lincoln). All rights reserved.

Comments are closed.

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories