Posts

Showing posts with the label CVE

Serv-U CVE-2019-12181 Patch Analysis

Image
TL;DR 👓 The patch in Serv-U FTP server version 15.1.7 that fixes my vulnerability (CVE-2019-12181), does so properly. Continue reading to for a walkthrough of the patch analysis.

This blog post depends on knowledge and context from this blog post, please read it before continuing.
Motivation 🧠 I was told by a smart and trusted @yoavalon that failed patches are a norm in our industry, and I should therefore ensure the vulnerability I found is properly fixed in the latest allegedly safe version of the program.
Potentially Inadequate Fixes 👎 It is possible (and depending on the security mindset of the company, maybe even probable) to unsuccessfully fix a vulnerability or even introduce a new vulnerability in a patch. For example, if some filtering logic is added to block malicious input from the user, it is worth ensuring the filter can't be bypassed.

Analysis Process 🔬 The first thing I did was check if my initial POC code worked on the patched Serv-U 15.1.7. Thankfully it didn…

CVE-2019-12181 Serv-U Exploit Writeup

Image
Tl;dr: I found a privilege escalation 0day (CVE-2019-12181) in the Serv-U FTP Server through command injection.

POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.

As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…