
Case Study: SolarWinds Orion (video)

Special Thanks:

To my wife for putting up with my crap. Also SolarWinds for keeping an open communication while fixing the issue. And of course… Corelan Team :P

Audio:

Many thanks to DJ Great Scott for supplying me with the music. Definitely check out some of his work!

http://soundcloud.com/greatscott
http://glitch.fm/

Music in Video:
Defcon (Samples Remix)
Leuce Rhythms – Bad Brain (Great Scott Remix)
Great Scott – Caravan

Video:

This video is based on an ActiveX bug discovered in SolarWinds Orion version 10 and below. The bug was fixed in version 10.1.

I decided to make a movie instead of releasing code because the .dll is marked not safe for scripting, so the "exploitability" doesn’t make it very practical.

The other reason for making a movie is I thought this wasn’t a "typical" bug. There were many encounters with different problems that needed to be solved.

While developing the exploit I had some issues with getting the code to execute.

I had previously thought that the memory block the payload was loaded into would not execute (due to the permissions in memory), so I decided to make use of the buffer space available to stage the shellcode somewhere else using a memcpy() call. In essence, I told it to write the payload back onto the stack so it could be executed.

After revisiting this bug months later (after it was fixed by SolarWinds), I realized the problem existed between the keyboard and the chair, and that this was not the case … the code could be executed from memory, so there was no need for the memcpy() call. Anyways, it is still a good technique for making your shellcode executable when needed :).

So at any rate, it still makes for a fun video. Enjoy!
(Make sure to toggle full screen)

– Lincoln

Solarwinds Orion



  Copyright secured by Digiprove © 2010 Peter Van Eeckhoutte

© 2010 – 2021, Corelan Team (Lincoln). All rights reserved.
