Local privilege escalation vulnerability in Serv-U FTP Server

Updated April 25, 2017 

Overview

This article describes the local privilege escalation vulnerability in Serv-U FTP Server.

 

Environment

All Serv-U versions

Detail

The default LocalAdministrator account in Serv-U allows a local computer user to escalate their privileges on the target computer. The LocalAdministrator account is the default account used by the Serv-U Administration program to administer the FTP server. It uses a default user name and password to perform actions. The account is only accessible from the loopback IP address of the computer. This means that it can only be used when connecting to Serv-U from the same machine it is installed on.

Because the LocalAdministrator account only works from the loopback IP address, anyone who tries to exploit this account must have full access to the server computer. The published code that demonstrates the "exploit" emulates the native behavior of the Serv-U Administrator program. Since the "exploit" assumes physical access to the server machine, it suggests copying the ServUAdmin.exe file to the machine and executing it. Because the LocalAdministrator account only works from the local system, it is impossible to use it to compromise the software or the machine from a remote location. The only way to use the "exploit" is for a user to have complete local access to the server computer.

Older versions of Serv-U allowed customization of the LocalAdministrator account. However, since this information must be stored locally, it offered little additional security (assuming that there is physical access to the server computer) and only confused system administrators.

 

 

 
