Auxiliary module for CVE-2024-4040 - CrushFTP arbitrary file read #19147
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
C: 21: 11: [Correctable] Layout/ModuleDescriptionIndentation: Module descriptions should be properly aligned to the 'Description' key, and within %q{ ... }
C: 67: 54: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C: 81: 18: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C: 87: 40: [Correctable] Style/InverseMethods: Use !~ instead of inverting =~.
W: 92: 50: [Correctable] Lint/SafeNavigationChain: Do not chain ordinary method call after safe navigation operator.
W:110: 63: [Correctable] Lint/SafeNavigationChain: Do not chain ordinary method call after safe navigation operator.
W:127: 54: [Correctable] Lint/RedundantStringCoercion: Redundant use of Object#to_s in interpolation.
C:143: 7: [Correctable] Layout/FirstHashElementIndentation: Use 2 spaces for indentation in a hash, relative to the start of the line where the left curly brace is.
C:146: 20: [Correctable] Layout/SpaceInsideHashLiteralBraces: Space inside { missing.
C:146: 44: [Correctable] Layout/SpaceInsideHashLiteralBraces: Space inside } missing.
C:152: 18: [Correctable] Style/RedundantInterpolation: Prefer to_s over string interpolation.
C:152: 32: [Correctable] Style/SlicingWithRange: Prefer [-4..] over [-4..-1].
C:153: 9: [Correctable] Layout/FirstHashElementIndentation: Indent the right brace the same as the start of the line where the left brace is.
adfoster-r7
reviewed
May 2, 2024
documentation/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.md
Outdated
Show resolved
Hide resolved
documentation/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.md
Outdated
Show resolved
Hide resolved
jvoisin
reviewed
May 2, 2024
Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com>
Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com>
There was a problem hiding this comment.
Thanks @remmons-r7 for this great module! I tested against version 10.5.0 and it works great! I just left a few comments for you to review when you get a chance. Thanks!
documentation/modules/auxiliary/gather/crushftp_fileread_cve_2024_4040.md
Outdated
Show resolved
Hide resolved
Added multiple API endpoint injection options Added TARGETURI to support different reverse proxy configurations Confirmed that different languages are supported Removed RHOST 0.0.0.0 default Set STORE_LOOT to optional and set default to "false" Added more detail to every check and fail message Moved print_status message after STORE_LOOT
Revise 'Options' section to format each option as a level-3 heading Update to latest module console output in 'Scenarios'
|
Thanks for updating this @remmons-r7! Everything looks good to me now. I tested against version 10.5.0 and verified The requested file was correctly retrieved. I'll go ahead and land it.
|
cdelafuente-r7
added
module
docs
rn-modules
cdelafuente-r7
closed this pull request by merging all changes
into
rapid7:master
in
946cc3b
Release NotesThis adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
Testing
To set up a test environment:
CRUSH_DIRincrushftp_init.shto point to the correct install directory.java -jar CrushFTP.jarto show a local client GUI interface that can be used to set up an admin account.sudo crushftp_init.sh startto launch the software on Linux or Mac. If on Windows, runCrushFTP.exeas an administrator.Verification
use auxiliary/gather/crushftp_fileread_cve_2024_4040set RHOSTS <TARGET_IP_ADDRESS>set RPORT <TARGET_PORT>set TARGETFILE <TARGET_FILE_TO_READ>set STORE_LOOT falseif you want to display file on the console instead of storing it as loot.runExample usage
Thank you!