Serv-U | |
Type of Threat | Exploit Kit |
Motivation | Espionage |
Attack Vectors | Software Vulnerabilities |
Targeted Systems | Linux |
Overview
Local privilege escalation (LPE) vulnerabilities are a critical class of weakness that lets a user who already has a low-privileged foothold on a machine obtain higher permissions on it. One notable example is CVE-2019-12181, which affects the Linux build of the Serv-U FTP Server in versions prior to 15.1.7 (15.1.6 and earlier). The flaw was discovered by security researcher Guy Levin and is significant because Serv-U is widely deployed as a file transfer service on Linux hosts, where the server binary runs with root privileges.
The vulnerability allows a local attacker with an ordinary user account to escalate to root. The root cause is how the privileged Serv-U binary handles its own command-line arguments: it incorporates an argument into a shell command string that it then executes as a subprocess, instead of passing the argument directly to the child program's argv. Anything a shell treats as syntax inside that argument (a double quote, a semicolon) is therefore interpreted, and an attacker can use it to run arbitrary commands as root and fully compromise the host.
Exploiting CVE-2019-12181 means running the Serv-U binary locally with a crafted argument rather than attacking it over the network. The argument closes the double quote that Serv-U places around it, appends attacker-chosen shell commands separated by semicolons, and re-opens the quote so that the rest of Serv-U's command line still parses. The published exploit is a few lines of C that do exactly this to open a root shell, giving the attacker unrestricted access to system functions and data.
Targets
Information
How they operate
The heart of CVE-2019-12181 is the way the Serv-U binary (installed under /usr/local/Serv-U/) processes its command-line arguments when it is started. The bug is triggered by executing that binary with a malicious argument: because the binary runs as root and splices the argument into a shell command, shell metacharacters in the argument are honoured and any commands appended to it run with root privileges. No network access to the FTP service is needed, only the ability to execute the binary as a local user.
The exploit code is short. It calls execv(3) to run the Serv-U binary with an attacker-supplied argv array, vuln_args; execv is used rather than a shell wrapper because it lets the exploit set every element of argv, argv[0] included, exactly as written. The injection vector in vuln_args is the C string literal "\" ; id; echo 'opening root shell' ; /bin/sh; \"", i.e. the runtime value " ; id; echo 'opening root shell' ; /bin/sh; ". Its leading double quote terminates the quoting Serv-U wraps around the argument; id then prints the effective user and group, which for a successful exploit shows uid=0(root); echo prints a marker; /bin/sh starts an interactive shell that inherits root; and the trailing double quote re-opens the quoting so the remainder of Serv-U's command line is still syntactically valid. Running the exploit therefore drops the attacker into a root shell with full control of the affected system. The durable fix is the one SolarWinds shipped in 15.1.7: do not build shell command lines from untrusted arguments at all, and instead pass arguments to a child process as a separate argv element so that no shell ever re-parses them.
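To make the mechanism concrete, here is an added example (written for this page; it is not Guy Levin's exploit and not SolarWinds code) that models the vulnerable pattern described above beside its hardened form. It assumes a hypothetical privileged helper at /usr/local/Serv-U/helper that wraps one attacker-controlled argument in double quotes and hands the resulting string to the shell; the real Serv-U command line is not reproduced. shell_command_count() is a minimal quote-aware splitter that reports how many separate commands /bin/sh would run for a given command string, which is exactly what the page's payload exploits: a benign argument yields one command, the payload yields five, one of them /bin/sh. The hardened form never builds a command string and passes the same payload to execv(3) as a single argv element, where quotes and semicolons are inert.

```c
/*
 * Added example, not the page's exploit and not vendor code.
 * Assumption (hypothetical): a root-privileged helper builds
 *   /usr/local/Serv-U/helper "<arg>"
 * as a string and runs it through the shell, the same class of bug as
 * CVE-2019-12181. Build: gcc -Wall servu_inject_demo.c -o servu_inject_demo
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The injection string described on the page (runtime value of the C literal). */
static const char *PAYLOAD = "\" ; id; echo 'opening root shell' ; /bin/sh; \"";

/* VULNERABLE pattern: wrap the argument in double quotes and produce the string
 * that system(3) or popen(3) would hand to /bin/sh. The quotes protect nothing,
 * because the argument may itself contain a double quote that closes them. */
size_t vulnerable_build_command(const char *arg, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/local/Serv-U/helper \"%s\"", arg);
    return n < 0 ? 0 : (size_t)n;
}

/* Count the commands /bin/sh would run for cmd: segments separated by ';'
 * that are outside single/double quotes and contain a non-blank character.
 * A correctly quoted single argument always yields exactly 1. */
int shell_command_count(const char *cmd)
{
    int count = 0, in_single = 0, in_double = 0, seg_has_text = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\\' && !in_single && p[1]) { p++; seg_has_text = 1; continue; }
        if (*p == '\'' && !in_double) { in_single = !in_single; seg_has_text = 1; continue; }
        if (*p == '"' && !in_single) { in_double = !in_double; seg_has_text = 1; continue; }
        if (*p == ';' && !in_single && !in_double) {
            if (seg_has_text) count++;
            seg_has_text = 0;
            continue;
        }
        if (*p != ' ' && *p != '\t') seg_has_text = 1;
    }
    if (seg_has_text) count++;
    return count;
}

/* Convenience: how many commands does the vulnerable helper end up running
 * for a given argument? 1 means no injection, >1 means the argument escaped. */
int commands_run_by_vulnerable_helper(const char *arg)
{
    char cmd[512];
    vulnerable_build_command(arg, cmd, sizeof cmd);
    return shell_command_count(cmd);
}

/* HARDENED pattern: never build a command line. The argument becomes one
 * argv element for execv(3); no shell parses it, so '"' and ';' are data.
 * Fills a NULL-terminated argv and returns the number of elements. */
int hardened_build_argv(const char *arg, char *argv_out[], int max)
{
    if (max < 3) return -1;
    argv_out[0] = "/usr/local/Serv-U/helper"; /* hypothetical path */
    argv_out[1] = (char *)arg;                 /* delivered verbatim */
    argv_out[2] = NULL;
    return 2;
}

/* Run the hardened form: fork, execv the vector directly, return wait status.
 * With the hypothetical path absent, the child exits 127 and nothing else runs. */
int hardened_run(const char *arg)
{
    char *argv[3];
    if (hardened_build_argv(arg, argv, 3) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return status;
}

int main(void)
{
    char cmd[512];
    vulnerable_build_command(PAYLOAD, cmd, sizeof cmd);
    printf("vulnerable helper would hand the shell: %s\n", cmd);
    printf("  -> /bin/sh runs %d command(s)\n", shell_command_count(cmd));
    printf("benign argument -> %d command(s)\n",
           commands_run_by_vulnerable_helper("upload.txt"));
    printf("hardened run wait status: %d (127 = exec failed, no shell involved)\n",
           WEXITSTATUS(hardened_run(PAYLOAD)));
    return 0;
}
```

The count of five for the payload is the whole story of the bug: the helper's own command, then id, echo, /bin/sh, and a final empty string, all executed by the shell under the helper's root privileges. The splitter is deliberately simplistic (it ignores &&, ||, pipes and backticks), so treat it as an illustration of why quoting is not an escaping mechanism, not as a filter to deploy; the hardened path is the fix.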