
Serv-U CVE-2019-12181 Patch Analysis

TL;DR 👓

The patch in Serv-U FTP server version 15.1.7 that fixes my vulnerability (CVE-2019-12181) does so properly. Continue reading for a walkthrough of the patch analysis. This blog post depends on knowledge and context from this blog post; please read it before continuing.

Motivation 🧠

I was told by a smart and trusted @yoavalon that failed patches are a norm in our industry, and I should therefore ensure the vulnerability I found is properly fixed in the latest allegedly safe version of the program.

Potentially Inadequate Fixes 👎

It is possible (and, depending on the security mindset of the company, maybe even probable) to unsuccessfully fix a vulnerability, or even to introduce a new vulnerability in a patch. For example, if some filtering logic is added to block malicious input from the user, it is worth ensuring the filter can't be bypassed.

Analysis Process 🔬

The first thing I did was check if my initial POC code worked on the patched Serv-U 15.1.7