Local Privilege Escalation Vulnerability in Serv-U FTP Server - KB Article #1388
An "exploit" for Serv-U has recently been published at various security sites on the Web, originating with the posting "Local Privilege Escalation Vulnerability in Serv-U FTP server". According to that posting, the default LocalAdministrator account in Serv-U allows a user who is already logged on to the server computer to escalate their privileges on that computer.
RhinoSoft is aware of this "exploit"; however, several factors combine to make it a non-issue. As the report indicates, the account used in the "exploit" is LocalAdministrator. LocalAdministrator is the built-in account that the Serv-U Administrator program uses to administer the FTP server, and it logs on with a fixed default username and password. Because those credentials are fixed, Serv-U accepts the account only from the loopback IP address of the computer (127.0.0.1). In other words, it can only be used by a connection that originates on the same machine Serv-U is installed on.
Since the LocalAdministrator account only works from the loopback address, anyone trying to use it must already be able to run code on the server computer, whether at its console or through a logon session, because the connection has to originate there. The published code that demonstrates the "exploit" simply emulates the native behavior of the Serv-U Administrator program; given that access to the server machine is assumed, it would be easier to copy ServUAdmin.exe to the machine and run it. The loopback restriction checks where a connection comes from, not which local user opened it, so what it rules out is remote use: the LocalAdministrator account cannot be used to compromise the software or the machine from a remote location. Local access to the machine already has to be gained before this "exploit" can take place.
Older versions of Serv-U allowed the LocalAdministrator credentials to be customized. However, because the customized credentials had to be stored on the same machine, they added very little protection against someone who already had local access to the server computer, and the option only confused system administrators. Consequently, it is no longer available in current Serv-U versions.
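The two mechanisms described above, an administrative account that is accepted only from the loopback address (third and fourth paragraphs) and the per-install credential customization that older versions offered (this paragraph), are modelled below as an added example. This is illustration code written for this article, not RhinoSoft's code: the wire format is a one-line toy protocol rather than the Serv-U Administrator protocol, and the password values are placeholders, not Serv-U's. Only the account name LocalAdministrator is taken from the article. The point the model makes concrete is that the loopback check discriminates by network position, so any process on the machine passes it regardless of which local user runs it, while a per-install secret makes that process also need to read the stored secret.

```python
"""Toy model of a loopback-only admin account (added example, not Serv-U code)."""
import socket
import threading

# Placeholder credentials standing in for a product-wide default. The password
# value is an assumption for illustration; it is not the real Serv-U value.
DEFAULT_ADMIN_USER = "LocalAdministrator"   # account name from the KB article
DEFAULT_ADMIN_PASS = "placeholder-default"  # assumption, not a real credential

LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def admin_login_allowed(peer_ip, user, password, expected_password=DEFAULT_ADMIN_PASS):
    """Policy as the article describes it: the admin account is honoured only
    when the TCP peer is a loopback address. Nothing here asks which local user
    owns the connecting process, so the check separates remote from local, not
    one local user from another. `expected_password` models the per-install
    customization that older versions allowed."""
    if peer_ip not in LOOPBACK_HOSTS:
        return False
    return user == DEFAULT_ADMIN_USER and password == expected_password


def parse_login_line(line):
    """Toy wire format: '<user> <password>' on one line (not Serv-U's protocol)."""
    parts = line.strip().split(" ", 1)
    user = parts[0] if parts else ""
    password = parts[1] if len(parts) > 1 else ""
    return user, password


def serve_once(srv, expected_password):
    """Accept one connection, evaluate the policy against the peer address, reply."""
    conn, (peer_ip, _port) = srv.accept()
    with conn:
        user, password = parse_login_line(conn.makefile("r").readline())
        ok = admin_login_allowed(peer_ip, user, password, expected_password)
        conn.sendall(b"OK\n" if ok else b"DENIED\n")


def try_login(port, user, password):
    """Client side: any local process can do this, whatever user it runs as."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(f"{user} {password}\n".encode())
        return c.makefile("r").readline().strip()


def run_demo(expected_password=DEFAULT_ADMIN_PASS, offered_password=DEFAULT_ADMIN_PASS):
    """Bind an ephemeral loopback port, answer one login, return the reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    t = threading.Thread(target=serve_once, args=(srv, expected_password), daemon=True)
    t.start()
    try:
        return try_login(srv.getsockname()[1], DEFAULT_ADMIN_USER, offered_password)
    finally:
        t.join(5)
        srv.close()


if __name__ == "__main__":
    # Fixed default: a local connection with the well-known pair is accepted.
    print("default credentials from loopback:", run_demo())
    # Per-install secret: the well-known default no longer works on its own.
    print("default credentials vs customized secret:",
          run_demo(expected_password="per-install-secret"))
```

`admin_login_allowed` is the whole policy; the socket code around it only shows that the peer address it receives is 127.0.0.1 for every local client, privileged or not. A non-loopback peer such as 192.0.2.10 is refused before the credentials are even compared.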