Auxiliary module for CVE-2024-4040 - CrushFTP arbitrary file read #19147
C: 21: 11: [Correctable] Layout/ModuleDescriptionIndentation: Module descriptions should be properly aligned to the 'Description' key, and within %q{ ... }
C: 67: 54: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C: 81: 18: [Correctable] Style/StringLiterals: Prefer single-quoted strings when you don't need string interpolation or special symbols.
C: 87: 40: [Correctable] Style/InverseMethods: Use !~ instead of inverting =~.
W: 92: 50: [Correctable] Lint/SafeNavigationChain: Do not chain ordinary method call after safe navigation operator.
W:110: 63: [Correctable] Lint/SafeNavigationChain: Do not chain ordinary method call after safe navigation operator.
W:127: 54: [Correctable] Lint/RedundantStringCoercion: Redundant use of Object#to_s in interpolation.
C:143: 7: [Correctable] Layout/FirstHashElementIndentation: Use 2 spaces for indentation in a hash, relative to the start of the line where the left curly brace is.
C:146: 20: [Correctable] Layout/SpaceInsideHashLiteralBraces: Space inside { missing.
C:146: 44: [Correctable] Layout/SpaceInsideHashLiteralBraces: Space inside } missing.
C:152: 18: [Correctable] Style/RedundantInterpolation: Prefer to_s over string interpolation.
C:152: 32: [Correctable] Style/SlicingWithRange: Prefer [-4..] over [-4..-1].
C:153: 9: [Correctable] Layout/FirstHashElementIndentation: Indent the right brace the same as the start of the line where the left brace is.
Co-authored-by: adfoster-r7 <60357436+adfoster-r7@users.noreply.github.com>
Thanks @remmons-r7 for this great module! I tested against version 10.5.0 and it works great! I just left a few comments for you to review when you get a chance. Thanks!
Added multiple API endpoint injection options
Added TARGETURI to support different reverse proxy configurations
Confirmed that different languages are supported
Removed RHOST 0.0.0.0 default
Set STORE_LOOT to optional and set default to "false"
Added more detail to every check and fail message
Moved print_status message after STORE_LOOT

Revise 'Options' section to format each option as a level-3 heading
Update to latest module console output in 'Scenarios'
Thanks for updating this @remmons-r7! Everything looks good to me now. I tested against version 10.5.0 and verified the requested file was correctly retrieved. I'll go ahead and land it.
946cc3b
Release Notes: This adds an exploit module that leverages an unauthenticated server-side template injection vulnerability in CrushFTP versions prior to 10.7.1 and prior to 11.1.0 (as well as legacy 9.x versions) to read any files on the server file system as root.
This module leverages an unauthenticated server-side template injection vulnerability in CrushFTP < 10.7.1 and
< 11.1.0 (as well as legacy 9.x versions). Attackers can submit template injection payloads to the web API without
authentication. When attacker payloads are reflected in the server's responses, the payloads are evaluated. The
primary impact of the injection is arbitrary file read as root, which can result in authentication bypass, remote
code execution, and NetNTLMv2 theft (when the host OS is Windows and SMB egress traffic is permitted).
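The affected ranges above (every 9.x release, 10.x before 10.7.1, 11.x before 11.1.0) are easy to get wrong with a plain string comparison, since "10.10.0" sorts before "10.7.1" lexically. The following Ruby is an added example, not code from the Metasploit module or this PR, that implements that version gate numerically; it is the kind of check a defender can run over an inventory of reported CrushFTP versions to find hosts still in the vulnerable ranges. Major lines the description does not mention (for example 8.x or 12.x) are reported as unknown rather than guessed.

```ruby
# Added example (not part of the Metasploit module or this PR): a version gate
# for the affected ranges stated in the module description:
# all legacy 9.x, 10.x < 10.7.1, and 11.x < 11.1.0.
# Versions are compared component by component as integers, not as strings.

# Parse a dotted version string such as "10.5.0" into an array of integers.
# Returns nil for anything that is not a plain dotted-numeric version.
def parse_version(str)
  return nil unless str.is_a?(String) && str.match?(/\A\d+(\.\d+)*\z/)

  str.split('.').map(&:to_i)
end

# Compare two version arrays; missing trailing components count as zero,
# so [10, 7] and [10, 7, 0] are equal. Returns -1, 0 or 1.
def compare_versions(a, b)
  width = [a.length, b.length].max
  (a + [0] * (width - a.length)) <=> (b + [0] * (width - b.length))
end

# Classify a reported CrushFTP version against the ranges in the description.
# Returns :vulnerable, :patched, or :unknown (unparseable input, or a major
# line such as 8.x or 12.x that the description does not cover).
def crushftp_status(version_str)
  v = parse_version(version_str)
  return :unknown if v.nil?

  case v[0]
  when 9
    :vulnerable # every legacy 9.x release is listed as affected
  when 10
    compare_versions(v, [10, 7, 1]).negative? ? :vulnerable : :patched
  when 11
    compare_versions(v, [11, 1, 0]).negative? ? :vulnerable : :patched
  else
    :unknown
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory, not real hosts.
  %w[9.5.0 10.5.0 10.7.1 10.10.2 11.0.3 11.1.0 12.0.0 n/a].each do |ver|
    puts "#{ver}: #{crushftp_status(ver)}"
  end
end
```

Usage: `ruby crushftp_version_gate.rb` (hypothetical filename) prints one classification per sample version; `crushftp_status` is the function to call from an inventory script.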
Testing
To set up a test environment:
1. Edit CRUSH_DIR in crushftp_init.sh to point to the correct install directory.
2. Run java -jar CrushFTP.jar to show a local client GUI interface that can be used to set up an admin account.
3. Run sudo crushftp_init.sh start to launch the software on Linux or Mac. If on Windows, run CrushFTP.exe as an administrator.
Verification
use auxiliary/gather/crushftp_fileread_cve_2024_4040
set RHOSTS <TARGET_IP_ADDRESS>
set RPORT <TARGET_PORT>
set TARGETFILE <TARGET_FILE_TO_READ>
set STORE_LOOT false if you want to display the file on the console instead of storing it as loot.
run
Example usage
Thank you!