Serv-U FTP Server (SERV-U) is a relatively wide FTP server, powerful, easy to use, serv-u> 3.x version has local permissions to increase vulnerability, using guest permission combined with EXP can be SYSTEM privileges Run the program, combined with EXP in combination with WebShell has become a commonly used improvement method.
Introduction to the Vulnerability: Vulnerability is the use of the Serv-U local default management port to execute commands with the default administrator to execute the command, Serv-U> 3.x version default local management port is: 43958, default administrator: LocaLaDministrator, default Password: #l@ or @p, this is integrated in the SERV-U inside, can be connected as guest permissions, and manage the Serv-U.
Preventive methods and countermeasures: General prevention method: set directory permissions, to prevent the use of Webshell from running the EXP program by removing the execution permission of the Web Directory IUSR user. Countermeasure: This method has certain limitations, there are many directorys that need to be set, and you can't have a little omissions. For example, I have found a lot of virtual hosts in the c: / documents and settings / all users / documents directory and the next few subdirectory Documents are not set. Permissions, leading to this directory to run EXP, this directory has X: / PHP, X: / Perl, etc., because this directory is completely controlled. Some hosts also support PHP, PL, ASPX, etc., which is simply the server's serv-u disaster, ^ _ ^, and running program is more convenient. Senior prevention method: Modify the Serv-U management port, open Servudaemon.exe with UltraEdit to find B6AB (43958 16), replace it with your own defined port, such as 3930 (12345), open servuadmin.exe to find the last B6AB replacement Cheng 3930 (12345), launching the Serv-U, now the local management port is 12345:
TCP 127.0.0.1:0345 0.0.0.0:0 Listening
Countermeasure: It is also very simple to deal with this, NetStat -an, you can see the port, some people say NetStat can't run, in fact, you will upload a netstat.exe to the executable of the directory to run, then modify EXP compilation, upload It's okay, I modified an EXP that could be customizes, running format:
USAGE: Serv-U.exe Port "Command" EXAMPLE: Serv-U.exe 43958 "Net User XL Xiaoxue / Add"
Advanced Prevention Method: Modify administrator name and password, open servudaemon.exe with UltraEdit to find ASCII: Localadministrator, and #L@'ak#.lk; 0 @p, modify other characters that are equal length, servuadmin. EXE is also processed.
Countermeasure: Is there any way to connect this default administrator? Hey, some administrators install Serv-U are used by default directory C: / Program Files / Serv-u installation, although this directory cannot be written, but the default IUSR is readable, we can use WebShell to download Servudaemon.exe, use UltraEdit to open the analysis, the SERV-U account password is in hand, modifying the EXP compilation upload operation, we have won. Ultimate Defense: 1. Set good directory permissions, do not neglect; 2.Serv-u is best not to use the default installation path, set the permissions of the Serv-U directory, only administrators can access; -U's default administrator name and password, you can change it.
Postscript: Invasion and defense is like a spear and the shield, there is no weakness on the shield, otherwise it will be difficult to see. This article is designed to provide the server administrator to provide the defense of this vulnerability, inadequate, please advise. (The above test is passed on SERV-U 5.0, 5.1, 5.2)
