CVE-2019-12181 Serv-U Exploit Writeup

Tl;dr: I found a privilege escalation 0day (CVE-2019-12181) in the Serv-U FTP Server through command injection.
POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.
As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…
POC code available here
Target 🎯 I searched for a program that isn't too niche and market specific that it hasn't had time to develop its security. Yet, I didn't want to commit long months of research to find a vulnerability in an extremely popular program that has already been reviewed by many security researchers. I came across Serv-U FTP Server from shodan and decided to pursue this target after seeing the respectable number of over 168,000 instances running worldwide exposed to the Internet.
As its name suggests, Serv-U FTP Server is an FTP server; but it also has a web interface for easy file management and a web admin interface.
Serv-U is available both for Linux and Windows. On Linux, the ftp server is a SUID executable and runs as root. Therefore, even an attack that can only be executed locally is still a threat as it will give the attacker…