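# Unauthenticated Arbitrary File Read and Remote Code Execution in CrushFTP
## Vulnerability Overview
All versions of CrushFTP before 10.7.1 and 11.1.0 contain a server-side template injection vulnerability that allows unauthenticated remote attackers to read files from the filesystem outside the VFS Sandbox, bypass authentication to gain administrative access, and execute remote code on the server.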
## Affected Versions
- All versions before 10.7.1
- All versions before 11.1.0
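## Vulnerability Details
The vulnerability is caused by server-side template injection, with the following specific effects:
- An unauthenticated remote attacker can read files from the filesystem outside the VFS Sandbox.
- An unauthenticated remote attacker can bypass authentication and gain administrator privileges.
- An unauthenticated remote attacker can execute arbitrary code on the server.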
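## Vulnerability Impact
The overall impact of the vulnerability is as follows:
- Security is severely affected, which may lead to disclosure of sensitive information.
- The system may be fully taken over, including modification or deletion of important data.
- Unauthorized users may obtain administrator privileges and thereby perform arbitrary operations.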
| # | PoC description | Source link | Shenlong link |
|---|---|---|---|
| 1 | Scanner for CVE-2024-4040 | https://github.com/airbus-cert/CVE-2024-4040 | PoC details |
| 2 | CVE-2024-4040 (CrushFTP VFS escape) or (CrushFTP unauthenticated RCE) | https://github.com/tr4c3rs/CVE-2024-4040-RCE-POC | PoC details |
| 3 | Scanner of vulnerability on crushftp instance | https://github.com/tucommenceapousser/CVE-2024-4040-Scanner | PoC details |
| 4 | None | https://github.com/rbih-boulanouar/CVE-2024-4040 | PoC details |
| 5 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/Mufti22/CVE-2024-4040 | PoC details |
| 6 | CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass \| Full Server Takeover \| Wordlist Support | https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC | PoC details |
| 7 | Exploit for CVE-2024-4040 affecting CrushFTP server in all versions before 10.7.1 and 11.1.0 on all platforms | https://github.com/Praison001/CVE-2024-4040-CrushFTP-server | PoC details |
| 8 | Exploit CrushFTP CVE-2024-4040 | https://github.com/Mohammaddvd/CVE-2024-4040 | PoC details |
| 9 | None | https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability | PoC details |
| 10 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/gotr00t0day/CVE-2024-4040 | PoC details |
| 11 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/1ncendium/CVE-2024-4040 | PoC details |
| 12 | CVE-2024-4040 PoC | https://github.com/olebris/CVE-2024-4040 | PoC details |
| 13 | CVE-2024-4040 PoC | https://github.com/entroychang/CVE-2024-4040 | PoC details |
| 14 | None | https://github.com/safeer-accuknox/CrushFTP-cve-2024-4040-poc | PoC details |
| 15 | is a PoC for CVE-2024-4040 tool for exploiting the SSTI vulnerability in CrushFTP | https://github.com/geniuszlyy/GenCrushSSTIExploit | PoC details |
| 16 | None | https://github.com/rahisec/CVE-2024-4040 | PoC details |
| 17 | exploit for CVE-2024-4040 | https://github.com/0xN7y/CVE-2024-4040 | PoC details |
| 18 | is a PoC for CVE-2024-4040 tool for exploiting the SSTI vulnerability in CrushFTP | https://github.com/geniuszly/GenCrushSSTIExploit | PoC details |
| 19 | VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4040.yaml | PoC details |
Title: Crush11wiki: Update -- 🔗 Source link
Tags: vendor-advisory
Title: Crush10wiki: Update -- 🔗 Source link
Tags: vendor-advisory
Title: Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise | Rapid7 Blog -- 🔗 Source link
Tags: third-party-advisory