A Crash, Not a Shell SolarWinds Serv-U CVE-2026-28318

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serev-u-cve-2026-28318
• Blog Title: A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318
• Suggested Section: Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Special HTTP headers / HTTP Content-Encoding abuse, or a new SolarWinds Serv-U subsection under Network Services/Web

🎯 Content Summary

Bishop Fox analyzed CVE-2026-28318, an unauthenticated denial-of-service vulnerability in SolarWinds Serv-U. The issue affects Serv-U 15.5.4 and earlier; the released detector maps vulnerable builds to <= 15.5.4.108. The fix is Serv-U 15.5.4 Hotfix 1, build 15.5.4.125 or later. SolarWinds rated the issue CVSS 7.5 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, meaning the attack is network-reachable, low-complexity, unauthentic...

🔧 Technical Details

Unsupported request-body encoding as a DoS trigger: when an HTTP service accepts a body with Content-Encoding, unsupported encodings must be rejected before decompression. If rejection logic is incorrectly tied to an unrelated feature flag, such as whether HTTP compression is enabled, attackers may reach decompression code that developers assumed was unreachable. In this case, a POST request with Content-Encoding: deflate and any non-empty body reaches Serv-U's in-memory deflate decompressor and triggers an invalid free(), causing allocator-detected heap corruption and a process abort.

Patch-behavior oracle for safe vulnerability detection: instead of sending the crashing deflate request, identify whether the fix exists by probing for the generic validation gate introduced by the patch. Send a benign unauthenticated POST with a short body and Content-Encoding: identity...

🤖 Agent Actions

Using repo inspection plus source verification to place the content in the most relevant existing HackTricks page.
Done.

Updated:

• src/network-services-pentesting/pentesting-web/special-http-headers.md

Added:

• A new subsection on request-body Content-Encoding abuse
• A safe patch-oracle detection pattern using Content-Encoding: identity
• A concise Serv-U example as an instance of the generic technique
• References to:
  • https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serev-u-cve-2026-28318
  • https://github.com/BishopFox/CVE-2026-28318-check

Why this location:

• The useful takeaway is the header/body processing technique, not the CVE itself.
• Existing HackTricks did not already cover:
  • unsupported request-body encoding reaching decompression paths
  • safe detection via a patched 415 validation gate

I verified the file diff and basic formatting after the edit.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serev-u-cve-2026-28318

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting -> 80,443 - Pentesting Web Methodology -> Special HTTP headers / HTTP Content-Encoding abuse, or a new SolarWinds Serv-U subsection under Network Services/Web".

Repository Maintenance:

• MD Files Formatting: 977 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0