Title:

SolarWinds Serv-U Managed File Transfer – Denial of Service 

Release Date:

May 3, 2018 

Reported Date:

January 8, 2018 

Vendor:

SolarWinds

Systems Affected:

Serv-U 15.1.6.25

Summary:

A denial-of-service vulnerability in SolarWinds Serv-U 15.1.6.25 allows an authenticated user to crash the application (with a NULL pointer dereference) via a specially crafted URL beginning with the /Web%20Client/ substring.

Vendor Status:

The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.

Exploit Availability:

An authenticated user can request a specially crafted URL from the Serv-U MFT server that will result in a null pointer dereference. By changing the Login.xml string in the URL of an authentication request to an arbitrary value, an attacker can cause the application to crash. An ordinary login request is shown below:

In this proof of concept, Login.xml was replaced with the string crash, as pictured below:

The Serv-U tray immediately displayed a pop-up notification stating that the Serv-U MFT server was offline. Shortly thereafter, an error message was displayed within the Serv-U Management Console, as seen below:

Advisory for SolarWinds vulnerability discovered by Baker Hamilton of Bishop Fox. Vendor has since remediated..

FIGURE 1 – Error produced in Serv-U Management Console after sending the malicious payload

The Management Console was otherwise unresponsive, and the Serv-U MFT server had to be manually restarted following this crash.

Researcher:

Baker Hamilton, MD, MMSc of Bishop Fox 

For Reference:

CVE-2018-10241

National Vulnerability Database Write-Up