CVE-2012-2576
Published 2017-12-20
Priority P2 · 79 · critical 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: public PoC available (see references)
EPSS: 59.15% (99.0th percentile)
SQL injection vulnerability in the LoginServlet page in SolarWinds Storage Manager before 5.1.2, SolarWinds Storage Profiler before 5.1.2, and SolarWinds Backup Profiler before 5.1.2 allows remote attackers to execute arbitrary SQL commands via the loginName field.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | backup_profiler | < 5.1.2 | 5.1.2 |
| solarwinds | storage_manager | < 5.1.2 | 5.1.2 |
| solarwinds | storage_profiler | < 5.1.2 | 5.1.2 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to `/LoginServlet` on port 9000 for SQL injection patterns in the `loginName` field: strings containing `UNION SELECT`, `INTO OUTFILE`, or boolean payloads such as `1' or 1=1#--`.
- Alert on POST parameters to `LoginServlet` where `loginName` contains a single quote combined with SQL keywords (`UNION`, `SELECT`, `INTO OUTFILE`) or comment sequences (`#`, `--`). A lone quote is not sufficient on its own; legitimate names can contain one.
- Detect creation of new `.jsp` files under the SolarWinds Storage Manager web root (`c:/Program Files/SolarWinds/Storage Manager Server/webapps/ROOT/`) as an indicator of successful exploitation and a webshell drop.
- Monitor for outbound TCP connections from the SolarWinds Storage Manager process to attacker-controlled hosts; the dropped JSP webshell opens a reverse shell over a raw socket to the attacker-supplied host and port.
- Detect `cmd.exe` spawned as a child of the SolarWinds Storage Manager Java process (e.g. `java.exe` or Tomcat), which indicates the JSP reverse shell executing.
- The injection uses MySQL-specific syntax (`INTO OUTFILE`, `0x`-prefixed hex encoding, the `#` comment delimiter), so the backend database must be MySQL for this exploit chain to succeed. Detection rules targeting `INTO OUTFILE` and `0x`-prefixed hex blobs in SQL are appropriate.
- The dropped webshell filename is randomly generated (6 alphanumeric characters plus `.jsp`), so static filename-based detection will not work; use directory monitoring or file-creation events on the web root path instead.
- The exploit targets SolarWinds Storage Manager versions prior to 5.1.2; 5.1.2 and later are patched and not vulnerable.
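The request-log and file-creation indicators above, applied to constructed sample data as an added example (this is not code from the CVE record, from SolarWinds, or from the exploit-db PoCs). The log line format (`<ts> <src_ip> <method> <path> <url-encoded-body>`), the helper names `classify_login_name`, `scan_log` and `jsp_drop_indicator`, and the sample payloads are assumptions for illustration; the decoded payloads mirror the shapes the bullets describe (quote plus SQL keyword or comment sequence, `INTO OUTFILE`, a `0x` hex blob, a boolean tautology), and one benign name with an apostrophe is included to show that a quote alone does not alert.

```python
"""Log- and file-based detections for CVE-2012-2576 SQL injection attempts against /LoginServlet.
Added example: not part of the CVE record, SolarWinds, or the exploit-db PoCs.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Assumed, lower-cased, forward-slash form of the web root named in the IOC list.
WEB_ROOT = "c:/program files/solarwinds/storage manager server/webapps/root/"

# Patterns applied to the decoded loginName value.
SQL_KEYWORD = re.compile(r"\b(UNION|SELECT|INTO\s+OUTFILE|LOAD_FILE|INSERT|UPDATE|DELETE|DROP)\b", re.I)
COMMENT_SEQ = re.compile(r"#|--|/\*")
INTO_OUTFILE = re.compile(r"\bINTO\s+OUTFILE\b", re.I)
HEX_BLOB = re.compile(r"\b0x[0-9a-f]{8,}\b", re.I)   # MySQL hex literal carrying a JSP body
TAUTOLOGY = re.compile(r"\bor\b\s*['\"]?\s*\w+\s*=\s*['\"]?\w+", re.I)  # e.g. or 1=1
RANDOM_JSP = re.compile(r"^[a-z0-9]{6}\.jsp$", re.I)  # filename shape the PoC uses

# Assumed request-log format: "<ts> <src_ip> <method> <path> <urlencoded-body-or-dash>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<body>\S*)$")

# Constructed sample log (not real traffic). Line 2 is a boolean bypass; line 3 is a
# UNION ... INTO OUTFILE write of a hex-encoded JSP into the web root; line 4 is a
# legitimate name containing an apostrophe and must not alert.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 POST /LoginServlet loginName=admin&password=Secret1
2024-05-01T10:00:07Z 10.0.0.9 POST /LoginServlet loginName=1%27+or+1%3D1%23--&password=x
2024-05-01T10:00:09Z 10.0.0.9 POST /LoginServlet loginName=%27+UNION+SELECT+0x3c25206f75743e+INTO+OUTFILE+%27c%3A%2Fwebapps%2FROOT%2Fa1b2c3.jsp%27%23&password=x
2024-05-01T10:00:12Z 10.0.0.7 POST /LoginServlet loginName=o%27brien&password=pw
2024-05-01T10:00:15Z 10.0.0.7 GET /images/logo.png -
"""


def classify_login_name(value: str) -> List[str]:
    """Return the reasons a decoded loginName value looks like SQL injection ([] if benign).

    A lone single quote is not flagged: the IOC list asks for a quote *combined with*
    a SQL keyword or comment sequence, which keeps names like o'brien out of the alerts.
    """
    reasons: List[str] = []
    has_quote = "'" in value
    if has_quote and SQL_KEYWORD.search(value):
        reasons.append("quote+sql-keyword")
    if has_quote and COMMENT_SEQ.search(value):
        reasons.append("quote+comment")
    if INTO_OUTFILE.search(value):
        reasons.append("into-outfile")
    if HEX_BLOB.search(value):
        reasons.append("hex-blob")
    if TAUTOLOGY.search(value):
        reasons.append("boolean-tautology")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Flag POST /LoginServlet requests whose loginName parameter trips classify_login_name."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0].lower() != "/loginservlet":
            continue
        params = parse_qs(m["body"], keep_blank_values=True)  # decodes %27 and '+'
        for value in params.get("loginName", []):
            reasons = classify_login_name(value)
            if reasons:
                findings.append({"ts": m["ts"], "src": m["src"], "loginName": value, "reasons": reasons})
    return findings


def jsp_drop_indicator(path: str) -> str:
    """Classify a file-creation event path: '' (ignore), 'jsp-in-webroot', or
    'jsp-in-webroot+random-name' when the basename also matches the PoC's 6-char shape.
    Any .jsp appearing under the web root is worth an alert; the name shape is only a hint."""
    norm = path.replace("\\", "/").lower()
    if not (norm.startswith(WEB_ROOT) and norm.endswith(".jsp")):
        return ""
    name = norm.rsplit("/", 1)[-1]
    return "jsp-in-webroot+random-name" if RANDOM_JSP.match(name) else "jsp-in-webroot"


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(jsp_drop_indicator(r"C:\Program Files\SolarWinds\Storage Manager Server\webapps\ROOT\Xk29aQ.jsp"))
```

The port-9000 condition from the first bullet is not modelled because the assumed log format carries no port; in a real deployment, filter on the listener before feeding lines to `scan_log`. The `RANDOM_JSP` match is deliberately only a label on top of the web-root check, since a dropper that picks a different filename would otherwise be missed.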
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
No detection rules found.
References
- http://www.exploit-db.com/exploits/18818
- http://www.exploit-db.com/exploits/18833
- http://www.securityfocus.com/bid/51639
- http://www.solarwinds.com/documentation/storage/storagemanager/docs/ReleaseNotes/vulnerability.htm
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72680