From 6aa490cad1d7f83a8bb5020c55a9da7d9593775b Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Tue, 16 Jun 2026 20:55:27 +0000 Subject: [PATCH] Add content from: A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318 --- .../pentesting-web/special-http-headers.md | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) diff --git a/src/network-services-pentesting/pentesting-web/special-http-headers.md b/src/network-services-pentesting/pentesting-web/special-http-headers.md index 7307e8db8dc..d2fb7ea950e 100644 --- a/src/network-services-pentesting/pentesting-web/special-http-headers.md +++ b/src/network-services-pentesting/pentesting-web/special-http-headers.md 
@@ -122,6 +122,51 @@ For example a combination of **`Range`** and **`Etag`** in a HEAD request can le - A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y` +### Request-body `Content-Encoding` abuse + +If the server accepts **request bodies** with a `Content-Encoding` header, test whether **unsupported encodings** are rejected **before** the body reaches any decompressor/parser. A common bug class is tying the rejection logic to an unrelated feature flag (for example, "HTTP compression enabled"). If that gate is wrong, an attacker may be able to reach a code path developers believed was unreachable. + +Generic checks: + +- Send a **POST** with a **non-empty body** and vary `Content-Encoding` across `gzip`, `deflate`, `br`, `compress`, and `identity`. +- Compare behavior when the same endpoint receives the same body **without** `Content-Encoding`. +- Look for crashes, connection resets, allocator aborts, `500` responses, or inconsistent `4xx/5xx` handling. +- Repeat through the **real origin** and through any **reverse proxy/WAF**, because proxies may strip the header, synthesize their own `415`, or hide the backend `Server` header. + +Example probe: + +```http +POST / HTTP/1.1 +Host: target +Content-Encoding: deflate +Content-Length: 4 + +AAAA +``` + +If the target should not support compressed request bodies, the safest behavior is an early **`415 Unsupported Media Type`** (or similar explicit rejection) **before** any decompression attempt. + +### Safe patch-oracle detection with `Content-Encoding: identity` + +When the dangerous value is known to crash the service, look for a **patch behavior oracle** instead of replaying the destructive request. 
A useful pattern is to send a benign body with `Content-Encoding: identity`: + +```http +POST / HTTP/1.1 +Host: target +Content-Encoding: identity +Content-Length: 10 + +AAAAAAAAAA +``` + +Why this is useful: + +- A **patched** target may reject **any** request that has both a body and a **non-empty** `Content-Encoding` header, often with **`415 Unsupported Media Type`**. +- A **vulnerable** target may still process the `identity` request normally and return app-specific codes such as `200`, `302`, `401`, or `404`. +- If the response still fingerprints the product (for example via `Server`), you can often turn this into a **production-safe vulnerable/patched detector** without ever sending the crashing encoding. + +This pattern was useful in SolarWinds **Serv-U** (`<= 15.5.4.108`), where `POST` + body + `Content-Encoding: deflate` reached an unsafe in-memory deflate decompressor and reliably crashed the process, while the hotfix added a generic `415` gate for requests carrying a body plus any non-empty `Content-Encoding` header. + ## Server Info - `Server: Apache/2.4.1 (Unix)` @@ -306,6 +351,8 @@ The headers reach the `exec` component unfiltered, resulting in remote command e - [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers) - [https://web.dev/security-headers/](https://web.dev/security-headers/) - [https://web.dev/articles/security-headers](https://web.dev/articles/security-headers) +- [Bishop Fox - A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318](https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serev-u-cve-2026-28318) +- [BishopFox/CVE-2026-28318-check](https://github.com/BishopFox/CVE-2026-28318-check) {{#include ../../banners/hacktricks-training.md}}
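Review bot: In the first hunk, the "Generic checks" list tells the reader to send a POST body with `Content-Encoding` varied across `gzip`, `deflate`, `br`, `compress` and `identity`, but the closing paragraph of the same hunk states that `POST` + body + `Content-Encoding: deflate` reliably crashes an unpatched Serv-U process. Read top-down, the checklist has the tester take down a production service before reaching the non-destructive `identity` oracle that the next subsection recommends for exactly that situation. Suggest adding the caveat to the first bullet, e.g. "- Where a compressed body is already known to crash the product (see the `identity` oracle below), do not replay the crashing encoding against production; probe with `identity` only.", and mentioning in the oracle subsection that a `415` from a reverse proxy or WAF is indistinguishable from the hotfix gate unless the `Server` header confirms the origin, which the generic section already notes but the oracle section does not. Also, the version range `<= 15.5.4.108` names only the vulnerable builds; stating the fixed build next to it would let a reader reconcile the oracle result with a banner version.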
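Review bot: In the references hunk, the Bishop Fox URL slug reads `solarwinds-serev-u-cve-2026-28318` while the link text says "Serv-U"; `serev-u` looks like a typo for `serv-u`, so verify the link resolves before merging. Minor style point: the existing entries in this list use the bare URL as the link text, whereas the two new entries use a title, so either form is fine but the list is now inconsistent.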