@@ -122,6 +122,51 @@ For example a combination of **`Range`** and **`Etag`** in a HEAD request can le

- A request with the header `Range: bytes=20-20` and with a response containing `ETag: W/"1-eoGvPlkaxxP4HqHv6T3PNhV9g3Y"` is leaking that the SHA1 of the byte 20 is `ETag: eoGvPlkaxxP4HqHv6T3PNhV9g3Y`

### Request-body `Content-Encoding` abuse

If the server accepts **request bodies** with a `Content-Encoding` header, test whether **unsupported encodings** are rejected **before** the body reaches any decompressor/parser. A common bug class is tying the rejection logic to an unrelated feature flag (for example, "HTTP compression enabled"). If that gate is wrong, an attacker may be able to reach a code path developers believed was unreachable.

Generic checks:

- Send a **POST** with a **non-empty body** and vary `Content-Encoding` across `gzip`, `deflate`, `br`, `compress`, and `identity`.
- Compare behavior when the same endpoint receives the same body **without** `Content-Encoding`.
- Look for crashes, connection resets, allocator aborts, `500` responses, or inconsistent `4xx/5xx` handling.
- Repeat through the **real origin** and through any **reverse proxy/WAF**, because proxies may strip the header, synthesize their own `415`, or hide the backend `Server` header.

Example probe:

```http
POST / HTTP/1.1
Host: target
Content-Encoding: deflate
Content-Length: 4

AAAA
```

If the target should not support compressed request bodies, the safest behavior is an early **`415 Unsupported Media Type`** (or similar explicit rejection) **before** any decompression attempt.

### Safe patch-oracle detection with `Content-Encoding: identity`

When the dangerous value is known to crash the service, look for a **patch behavior oracle** instead of replaying the destructive request. A useful pattern is to send a benign body with `Content-Encoding: identity`:

```http
POST / HTTP/1.1
Host: target
Content-Encoding: identity
Content-Length: 10

AAAAAAAAAA
```

Why this is useful:

- A **patched** target may reject **any** request that has both a body and a **non-empty** `Content-Encoding` header, often with **`415 Unsupported Media Type`**.
- A **vulnerable** target may still process the `identity` request normally and return app-specific codes such as `200`, `302`, `401`, or `404`.
- If the response still fingerprints the product (for example via `Server`), you can often turn this into a **production-safe vulnerable/patched detector** without ever sending the crashing encoding.

This pattern was useful in SolarWinds **Serv-U** (`<= 15.5.4.108`), where `POST` + body + `Content-Encoding: deflate` reached an unsafe in-memory deflate decompressor and reliably crashed the process, while the hotfix added a generic `415` gate for requests carrying a body plus any non-empty `Content-Encoding` header.

## Server Info

- `Server: Apache/2.4.1 (Unix)`
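Review bot: The "Example probe" under "Generic checks" sends a 4-byte body that is not valid deflate data, which for the Serv-U case described further down is exactly the request that "reliably crashed the process"; the section should say at the top of "Generic checks" that this probe can take down a vulnerable service and that the `Content-Encoding: identity` oracle in the following subsection is the one to run first against production. The oracle itself also rests on an assumption worth stating in the "Why this is useful" list: it only works because the hotfix rejects *any* non-empty `Content-Encoding`, `identity` included, so a different product (or a later Serv-U fix) that treats `identity` as "no encoding" and returns `200` will be misclassified as vulnerable; suggest adding a bullet that the `415` signal must be confirmed against a known-patched instance before being used as a detector.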
@@ -306,6 +351,8 @@ The headers reach the `exec` component unfiltered, resulting in remote command e
- [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers)
- [https://web.dev/security-headers/](https://web.dev/security-headers/)
- [https://web.dev/articles/security-headers](https://web.dev/articles/security-headers)
- [Bishop Fox - A Crash, Not a Shell: SolarWinds Serv-U CVE-2026-28318](https://bishopfox.com/blog/a-crash-not-a-shell-solarwinds-serev-u-cve-2026-28318)
- [BishopFox/CVE-2026-28318-check](https://github.com/BishopFox/CVE-2026-28318-check)

{{#include ../../banners/hacktricks-training.md}}

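Review bot: The Bishop Fox link's URL slug reads `solarwinds-serev-u-cve-2026-28318` while the link title spells the product `Serv-U`; please confirm the URL resolves as written, since a mistyped slug in the only primary reference for the new section leaves readers unable to verify the `<= 15.5.4.108` version claim and the hotfix behaviour described above. For consistency with the surrounding bare-URL entries, consider also listing the URL itself in the link text.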