Listen to this Post
How the CVE Works
The vulnerability exists within the `FileUploadServlet` endpoint of SolarWinds Web Help Desk. This endpoint accepts HTTP POST requests with multipart form data. An attacker can craft a request containing a malicious serialized Java object within the `fileName` parameter. When the application processes this request, it insecurely deserializes the untrusted data from the parameter using the `readObject()` method on an ObjectInputStream. This deserialization process triggers the execution of a carefully crafted gadget chain, which ultimately leads to the invocation of arbitrary code. Since the endpoint does not require authentication, an unauthenticated remote attacker can exploit this to achieve Remote Code Execution with the privileges of the underlying system account (often SYSTEM/NT AUTHORITY).
Platform: SolarWinds Web Help Desk
Version: Before 12.7.7
Vulnerability: Untrusted Deserialization RCE
Severity: CRITICAL
date: 2021-07-28
Prediction: Patch released (2021-07-28)
What Undercode Say:
curl -X POST http://<target>/helpdesk/FileUploadServlet -F "file=@/dev/null;filename=\"../../../../Program Files (x86)/SolarWinds/Help Desk/attach/{malicious_serialized_payload}\""
// Gadget chain leveraging CommonsBeanutils1 from ysoserial
Object evilPayload = new CommonsBeanutils1().getObject("calc.exe");
// Serialize and encode payload for fileName parameter
How Exploit:
Unathenticated attacker sends malicious serialized object in `fileName` parameter to vulnerable `/helpdesk/FileUploadServlet` endpoint, triggering remote code execution during deserialization.
Protection from this CVE
Apply vendor patch (12.7.7). Implement network segmentation. Use application allowlisting.
Impact:
Remote Code Execution as SYSTEM. Complete host compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

