The “s” is meant to mean “secure”, right?
A little while ago, out of a mix of both boredom and curiosity, I decided to take a look at the SolarWinds free SFTP server. I tend to get a bit wary of “free” and “secure” phrases within the same product description/name as that can generally not be the case.
After some (extremely) lazy fuzzing that returned exactly what I expected, I decided to take a look around the application structure itself — config files, DLL hijacking etc. and found a couple of interesting things.
CVE-2018–16791 — Insecure Password Storage
The config file itself is stored in C:\ProgramData\SolarWinds\sftp_cfg.xml. User configurations are stored within this file, including user passwords as a Base64 encoded SHA1 string. You can reproduce this by creating a user with a password of ‘supers3curep4ssw0rd’ and checking the password string stored in the file:
As this file was world read-writable anyone is able to harvest passwords, or create their own user. (As this application would potentially be used for servers transferring log or configuration files, the risk of domain admin compromise significantly increases..)
CVE-2018–16792 — OOB XXE
In addition to the above, I also found that the application was loading and processing XML External Entities. This provided the ability for exfiltration of data of any files the user had access to. Again, as the config file was world read-writable this allowed an attacker to force the server to load an external entity file.
The SFTP server will refresh settings on the fly, so no restart is required.
It did appear that only files the user had access to could be sent externally, but if an attacker had admin or SYSTEM privileges, then that wouldn’t be an issue.
Both vulnerabilities require an attacker to already have access to a system running SFTP Server, but both allow an attacker to move laterally or exfiltrate data, both of which are still serious issues.
Both issues are resolved as of the November release of the SFTP Server.