Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Serv-U FTP Server prepareinstallation Privilege Escalation #12030

Merged

Conversation

Projects
None yet
2 participants
@bcoles
Copy link
Contributor

commented Jun 29, 2019

Add Serv-U FTP Server prepareinstallation Privilege Escalation module.

    This module attempts to gain root privileges on systems running
    Serv-U FTP Server versions prior to 15.1.7.

    The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
    in a call to `system()`, without validation, when invoked with
    the `-prepareinstallation` flag, resulting in command execution
    with root privileges.

    This module has been tested successfully on Serv-U FTP Server
    version 15.1.6 (x64) on Debian 9.6 (x64).

@guywhataguy

bcoles added some commits Jun 29, 2019

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 1, 2019

Installation steps:

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 1, 2019

Love the code. I wish we could do some kind of version check, but I'm not seeing a way to do it reliably. Given that the check returns accurate information, and there are no side effects from throwing this against a non-vulnerable version, I'm quite happy to land this as is.

Thanks for the clean and quick PR! 😃

@asoto-r7 asoto-r7 merged commit 895a5b6 into rapid7:master Jul 1, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

asoto-r7 added a commit that referenced this pull request Jul 1, 2019

@asoto-r7

This comment has been minimized.

Copy link
Contributor

commented Jul 1, 2019

Release Notes

exploit/linux/local/servu_ftp_server_prepareinstallation_priv_esc escalates privileges using a vulnerable setUID-enabled binary in *nix-based Serv-U FTP server versions prior to 15.1.7.

msjenkins-r7 added a commit that referenced this pull request Jul 1, 2019

@bcoles bcoles deleted the bcoles:servu_ftp_server_prepareinstallation_priv_esc branch Jul 1, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.