SolarWinds Web Help Desk, Untrusted Deserialization RCE, CVE-2021-35247 (Critical)

Listen to this Post

How the CVE Works

The vulnerability exists within the `FileUploadServlet` endpoint of SolarWinds Web Help Desk. This endpoint accepts HTTP POST requests with multipart form data. An attacker can craft a request containing a malicious serialized Java object within the `fileName` parameter. When the application processes this request, it insecurely deserializes the untrusted data from the parameter using the `readObject()` method on an ObjectInputStream. This deserialization process triggers the execution of a carefully crafted gadget chain, which ultimately leads to the invocation of arbitrary code. Since the endpoint does not require authentication, an unauthenticated remote attacker can exploit this to achieve Remote Code Execution with the privileges of the underlying system account (often SYSTEM/NT AUTHORITY).
Platform: SolarWinds Web Help Desk
Version: Before 12.7.7
Vulnerability: Untrusted Deserialization RCE
Severity: CRITICAL
date: 2021-07-28

Prediction: Patch released (2021-07-28)

What Undercode Say:

curl -X POST http://<target>/helpdesk/FileUploadServlet -F "file=@/dev/null;filename=\"../../../../Program Files (x86)/SolarWinds/Help Desk/attach/{malicious_serialized_payload}\""
// Gadget chain leveraging CommonsBeanutils1 from ysoserial
Object evilPayload = new CommonsBeanutils1().getObject("calc.exe");
// Serialize and encode payload for fileName parameter

How Exploit:

Unathenticated attacker sends malicious serialized object in `fileName` parameter to vulnerable `/helpdesk/FileUploadServlet` endpoint, triggering remote code execution during deserialization.

Protection from this CVE

Apply vendor patch (12.7.7). Implement network segmentation. Use application allowlisting.

Impact:

Remote Code Execution as SYSTEM. Complete host compromise.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top