Overview
CVE-2024-4040 is a critical vulnerability in CrushFTP, a widely deployed file transfer server that serves FTP, SFTP, HTTP/S and other protocols from a single service with a built-in web interface. It affects CrushFTP 10 before 10.7.1 and CrushFTP 11 before 11.1.0; the older, unsupported 9.x line is affected as well. Rated with a CVSS score of 9.4, the flaw lets an unauthenticated attacker escape the virtual file system (VFS) sandbox and read arbitrary files from the host. Because CrushFTP keeps its configuration, user store and session data on that same file system, the read primitive exposes credentials and tokens that can be chained into administrative access and full compromise of the server. Every Internet-reachable instance that has not been patched is exposed.
In this post we walk through the technical specifics of CVE-2024-4040, its impact, and concrete steps to protect affected systems.
Technical Details
CrushFTP ships with a web interface, and the attack is delivered through ordinary HTTP requests to that interface. The interface exposes both authenticated and unauthenticated endpoints. In most web applications no valid session exists before a user authenticates, but CrushFTP blurs the line between the two states: a request for a non-existent path under /WebInterface/ returns a 404 response that also sets a valid session cookie, ‘CrushAuth’, bound to a pseudo-user named "anonymous". This user has no privileges, but several code paths in CrushFTP only check that a username is present, not that it belongs to a real, authenticated account.
With that cookie, the unauthenticated APIs exposed by the web interface can be called, and this is the foothold the exploit builds on.
At its core the bug is a Server-Side Template Injection (SSTI). CrushFTP runs its HTTP responses through a templating engine to generate dynamic content, and user-supplied input that is reflected into a response is neither validated nor escaped before the engine processes it. An attacker can therefore place template tags in a request parameter and have the engine evaluate them on the server.
The web interface executes its functions through POST requests to the ‘/WebInterface/function/’ endpoint, selected by a ‘command’ parameter, and some of those commands can be invoked with nothing more than the CrushAuth cookie issued to the ‘anonymous’ pseudo-user.
Common commands include ‘getUserInfo’ and ‘getServerRoots’. For exploitation, however, the chosen command must reflect part of the attacker's input back into the response, because it is the response body that the template engine processes.
The templating engine recognises tags such as ‘<INCLUDE>’, which dispatch to handlers like ‘do_include_file_command’, and it is applied to the entire response body rather than to a trusted template alone. Reflected input is therefore treated as template source. To read a file, put its path inside an INCLUDE tag as the value of the ‘path’ parameter of the request above:
‘<INCLUDE>(/etc/passwd)</INCLUDE>’
The response then contains the contents of /etc/passwd. The read runs with the privileges of the CrushFTP service process, so any file that process can open is reachable, not only files inside the VFS that users are supposed to see.
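To make the mechanism concrete, here is a toy model of the flaw and of a fix, written for this post; it is not CrushFTP's code, and the template syntax, handler name and response layout are stand-ins. The vulnerable renderer reflects the ‘path’ parameter into the response and only then runs the template engine over the whole body, exactly the ordering that makes the INCLUDE tag fire; the hardened renderer expands the server's own template first and splices the user value in with markup escaped, so it can never be re-parsed as a tag. The "secret" file is a temporary file holding one constructed passwd-style line.

```python
import html
import os
import re
import tempfile

# Toy model of the INCLUDE directive (not CrushFTP's parser). The payload shown
# above wraps the path in parentheses, which this handler strips.
INCLUDE_TAG = re.compile(r"<INCLUDE>\(?(.*?)\)?</INCLUDE>", re.IGNORECASE | re.DOTALL)


def do_include_file(path: str) -> str:
    """Stand-in for an include handler: return the referenced file verbatim."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def expand_templates(body: str) -> str:
    """Expand every INCLUDE tag found anywhere in the response body."""
    return INCLUDE_TAG.sub(lambda m: do_include_file(m.group(1)), body)


def render_vulnerable(path_param: str) -> str:
    """Reflect the user value first, then run the engine over the whole body."""
    body = f"<response><path>{path_param}</path></response>"
    return expand_templates(body)


def render_hardened(path_param: str) -> str:
    """Run the engine over the trusted template only, then splice in escaped input."""
    body = expand_templates("<response><path>__PATH__</path></response>")
    # html.escape turns '<' and '>' into entities, so the value can never be
    # re-parsed as a template tag by anything downstream.
    return body.replace("__PATH__", html.escape(path_param, quote=False))


def demo():
    """Render the INCLUDE payload both ways against a constructed secret file.

    Returns (vulnerable_output, hardened_output, secret_line).
    """
    secret_line = "root:x:0:0:root:/root:/bin/bash"  # constructed sample, not a real file
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret_line + "\n")
        secret_path = fh.name
    try:
        # Same shape as the /etc/passwd payload above, pointed at the temp file.
        payload = f"<INCLUDE>({secret_path})</INCLUDE>"
        return render_vulnerable(payload), render_hardened(payload), secret_line
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    vulnerable, hardened, _ = demo()
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
```

The ordering is the whole point: escaping on its own would also block this payload, but a template engine that is only ever run over server-authored templates, never over already-rendered output containing client data, removes the bug class rather than one payload.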
Exploitation
The first step is to identify an instance running a CrushFTP version in the affected range. The version is not always easy to determine remotely, but the public exploit linked below includes a detection script that checks whether a given instance is vulnerable to CVE-2024-4040: https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability
The steps are:
- Clone the GitHub repository linked above.
- Run the detection script, ‘xdetection.py’, against the target.
- If the instance is reported vulnerable, run the exploit.
- On success, the output contains the contents of ‘/etc/passwd’.
Mitigation
- Update CrushFTP to v10.7.1, v11.1.0, or a later release. There is no fixed 9.x release, so 9.x installations must move to a patched 10 or 11 build. Confirm the running version after the upgrade rather than assuming the installer finished.
- Restrict access to the web interface to trusted IP addresses. This reduces exposure but does not fix the flaw; any host that can reach the web interface can still exploit an unpatched instance.
- Create alerts for odd file transfers or access patterns, in particular requests to /WebInterface/function/ whose parameters contain INCLUDE tags, and review existing logs for the same pattern to check whether the instance was exploited before it was patched.
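As an added example for the alerting point above (not from this post or the CrushFTP project), the following scanner looks for the INCLUDE tag in logged requests to the function endpoint, whether it appears raw, URL-encoded, double-encoded or as HTML entities. The sample lines are constructed: they use nginx's combined log format extended with $request_body, which assumes CrushFTP sits behind a reverse proxy configured to log POST bodies; CrushFTP's own log format is not modelled here.

```python
import re
import urllib.parse
from html import unescape

# The tag as it reads once every encoding layer has been removed. Case is
# ignored so that an attacker cannot dodge the alert with a lowercase tag.
INCLUDE_RE = re.compile(r"<INCLUDE>(.*?)</INCLUDE>", re.IGNORECASE | re.DOTALL)
FUNCTION_PATH = "/WebInterface/function/"


def normalise(line: str) -> str:
    """Undo up to two layers of URL encoding, then HTML entities."""
    for _ in range(2):
        decoded = urllib.parse.unquote_plus(line)
        if decoded == line:
            break
        line = decoded
    return unescape(line)


def scan_line(line: str):
    """Return the INCLUDE targets found in one log line, or [] if none."""
    return [m.group(1) for m in INCLUDE_RE.finditer(normalise(line))]


def scan_lines(lines):
    """Return (line_number, target, hits_function_endpoint) for every INCLUDE found."""
    hits = []
    for number, line in enumerate(lines, 1):
        for target in scan_line(line):
            hits.append((number, target, FUNCTION_PATH in line))
    return hits


# Constructed sample lines: nginx combined format plus $request_body as the
# last quoted field. Addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Apr/2024:10:15:01 +0000] "GET /WebInterface/does-not-exist HTTP/1.1" '
    '404 0 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [22/Apr/2024:10:15:02 +0000] "POST /WebInterface/function/ HTTP/1.1" '
    '200 1843 "-" "curl/8.5.0" "command=zip&path=%3CINCLUDE%3E(/etc/passwd)%3C/INCLUDE%3E&names=*"',
    '198.51.100.4 - alice [22/Apr/2024:10:16:10 +0000] "POST /WebInterface/function/ HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" "command=getUserInfo"',
    '203.0.113.7 - - [22/Apr/2024:10:17:45 +0000] "POST /WebInterface/function/ HTTP/1.1" '
    '200 2210 "-" "python-requests/2.31" '
    '"command=zip&path=%253CINCLUDE%253E(C:/Windows/win.ini)%253C/INCLUDE%253E&names=*"',
]


if __name__ == "__main__":
    for number, target, on_endpoint in scan_lines(SAMPLE_LOG):
        where = "function endpoint" if on_endpoint else "other path"
        print(f"line {number}: INCLUDE target {target!r} ({where})")
```

An INCLUDE tag has no legitimate reason to appear in client-supplied parameters, so every hit deserves an alert, and the 404 probe on line 1 immediately preceding a hit from the same address is the cookie-harvesting step described earlier. Decoding twice costs nothing and catches the re-encoded form some proxies write to disk.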
References
- CrushFTP File Read vulnerability (CVE-2024-4040) - vsociety
- https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability
- CrushFTP Zero-Day Exploitation Due to CVE-2024-4040 | Qualys Security Blog