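id: CVE-2021-35211

# NOTE(review): the trailing "# digest:" line is a signature over the template
# body; it must be regenerated after any edit to this file.
info:
  name: SolarWinds Serv-U FTP - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    SolarWinds Serv-U Managed File Transfer and Serv-U Secure FTP for Windows before 15.2.3 HF2 contain a remote memory escape vulnerability that leads to remote code execution, letting attackers gain privileged access. Exploitation requires a remote attacker to send crafted memory operations.
  impact: |
    Attackers can execute arbitrary code with high privileges on the affected system, potentially leading to full system compromise.
  remediation: |
    Update to version 15.2.3 HF2 or later.
  reference:
    - https://github.com/BishopFox/CVE-2021-35211
    - https://www.rapid7.com/db/vulnerabilities/solarwinds-serv-u-cve-2021-35211/
    - https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
  metadata:
    verified: true
    max-request: 1
    shodan-query: "SSH-2.0-Serv-U"
  # NOTE(review): the check below only reads the SSH identification banner; it
  # does not exercise the vulnerability. "passive" here is banner-grab only.
  tags: js,enum,ssh,misconfig,network,kev,vkev,passive

javascript:
  - pre-condition: |
      isPortOpen(Host,Port);

    # Connect in "info" mode to obtain the server identification string and
    # export it so the DSL matchers/extractors can work on the raw banner.
    code: |
      const m = require("nuclei/ssh");
      const c = m.SSHClient();
      const response = c.ConnectSSHInfoMode(Host, Port);

      // Convert response to string if it's an object
      const responseStr = typeof response === 'string' ? response : JSON.stringify(response);

      // Slice out the JSON object embedded in the response. If no '{' is present
      // the slice is empty and JSON.parse throws, which simply yields no match.
      const jsonStart = responseStr.indexOf('{');
      const jsonEnd = responseStr.lastIndexOf('}') + 1;
      const jsonString = responseStr.substring(jsonStart, jsonEnd);

      const result = JSON.parse(jsonString);

      // Only the raw server ID (banner) is exported; no credentials are sent.
      Export(result.ServerID.Raw);

    args:
      Host: "{{Host}}"
      Port: "22"

    matchers:
      - type: dsl
        dsl:
          - "success == true"
          - "contains(response, 'SSH-2.0-Serv-U')"
          # Fixed build 15.2.3.742 corresponds to 15.2.3 HF2 (see remediation).
          - "compare_versions(version, ' < 15.2.3.742')"
        condition: and

    extractors:
      - type: regex
        name: version
        part: response
        group: 1
        # Capture the optional 4th (build) component in group 1 as well: the
        # matcher compares against a 4-part version, so dropping the build
        # number would flag a patched 15.2.3.742+ host as "< 15.2.3.742".
        regex:
          - 'SSH-2.0-Serv-U_(\d+\.\d+\.\d+(?:\.\d+)?)'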
# digest: 4a0a0047304502201e5ee23e6c5699e78a87b8d7fcefa67856270a3479cb9eeb19f1f187dd59de4e0221008ecd31dd226bc02ed448d1e2ec4bd2f9fad94fc17737f9a9d3cb3cd57336f61e:922c64590222798bb761d5b6d8e72950