Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Serv-U FTP Server prepareinstallation Privilege Escalation #12030

Merged

Conversation

@bcoles
Copy link
Contributor

@bcoles bcoles commented Jun 29, 2019

Add Serv-U FTP Server prepareinstallation Privilege Escalation module.

    This module attempts to gain root privileges on systems running
    Serv-U FTP Server versions prior to 15.1.7.

    The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
    in a call to `system()`, without validation, when invoked with
    the `-prepareinstallation` flag, resulting in command execution
    with root privileges.

    This module has been tested successfully on Serv-U FTP Server
    version 15.1.6 (x64) on Debian 9.6 (x64).

@guywhataguy

@asoto-r7
Copy link
Contributor

@asoto-r7 asoto-r7 commented Jul 1, 2019

Installation steps:

@asoto-r7
Copy link
Contributor

@asoto-r7 asoto-r7 commented Jul 1, 2019

Love the code. I wish we could do some kind of version check, but I'm not seeing a way to do it reliably. Given that the check returns accurate information, and there are no side effects from throwing this against a non-vulnerable version, I'm quite happy to land this as is.

Thanks for the clean and quick PR! 😃

@asoto-r7 asoto-r7 merged commit 895a5b6 into rapid7:master Jul 1, 2019
3 checks passed
@asoto-r7
Copy link
Contributor

@asoto-r7 asoto-r7 commented Jul 1, 2019

Release Notes

The Serv-U FTP Server Prepare Installation Privilege Escalation module has been added to the framework. It escalates privileges using a vulnerable setUID-enabled binary in *nix-based Serv-U FTP server versions prior to 15.1.7.

@bcoles bcoles deleted the servu_ftp_server_prepareinstallation_priv_esc branch Jul 1, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants