[Critical] — CrushFTP Virtual Filesystem Escape Vulnerability

Goutham A S
3 min read · Apr 28, 2024


On April 19, 2024, CrushFTP reported a vulnerability in their FTP software where a virtual file system escape could enable users to download system files.

CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files. This has been patched in v11.1.0.

CrushFTP initially characterized the vulnerability as enabling remote attackers with limited privileges to bypass the VFS sandbox and access files beyond their assigned limits. However, subsequent research has shown that this vulnerability can be exploited to perform unauthenticated remote code execution, revealing the issue to be more severe than originally assessed. Consequently, the vulnerability’s CVSS score has been increased from 7.7 to 9.8. With active exploitation of this vulnerability observed in the wild, users are strongly urged to update their systems to the patched versions to ensure protection.

The public advisory from CrushFTP identifies CVE-2024-4040 as a vulnerability that allows a VFS sandbox escape, enabling low-privileged remote attackers to read files beyond the intended confines of the VFS sandbox in its file transfer software. Further investigation by researchers has demonstrated that this vulnerability can be exploited without authentication and requires minimal technical effort. This allows attackers to not only access root-level files but also to circumvent authentication mechanisms for administrator accounts and execute code remotely. While initially classified as an arbitrary file read, the vulnerability may be more accurately described as a server-side template injection (SSTI). Additionally, there have been confirmed cases of this vulnerability being actively exploited by threat actors in the wild.

Recently, I found this vulnerability as part of my learning activity. First, I fired up the browser to start looking for vulnerable CrushFTP instances with the following Shodan dork:

title:CrushFTP

Similarly, I followed up with Google dorks to list all the possible CrushFTP assets.

inurl:/WebInterface/login.html

After getting enough results from all the possible sources, I started visiting all the URLs one by one.

Just to demonstrate in this write-up, I am showcasing only one vulnerable CrushFTP application.

The following is a screenshot of the CrushFTP instance I found on Shodan.

I immediately clicked the link I found in the dork to check if the application was still active or not.

Next, I used the scan_host.py script, which is available on the GitHub page below, and the result was "Vulnerable".

Link: https://github.com/airbus-cert/CVE-2024-4040

After discovering that the application was vulnerable, I crafted a simple HTTP POST request using Python libraries. In the body of the request, I instructed the application to escape its normal operations and search for the ssh_rsa_private key, and to print the result if it was found.

I successfully retrieved the SSH private key as demonstrated.

Happy Hacking! Cheers! 🥂🥂
