一、 漏洞 CVE-2024-4040 基础信息
漏洞信息
# CrushFTP中的未经认证的任意文件读取和远程代码执行
## 漏洞概述
CrushFTP 10.7.1 和 11.1.0 之前的所有版本存在服务器端模板注入漏洞,该漏洞允许未经过身份验证的远程攻击者读取文件系统中 VFS Sandbox 之外的文件,绕过身份验证以获取管理员访问权限,并在服务器上执行远程代码。
## 影响版本
- 所有版本在 10.7.1 之前的版本
- 所有版本在 11.1.0 之前的版本
## 漏洞细节
该漏洞是由于服务器端模板注入导致的,具体影响如下:
- 未认证的远程攻击者可以读取 VFS Sandbox 之外的文件系统中的文件。
- 未认证的远程攻击者可以绕过身份验证,获得管理员权限。
- 未认证的远程攻击者可以在服务器上执行任意代码。
## 漏洞影响
该漏洞的综合影响如下:
- 安全性受到严重影响,可能导致敏感信息泄露。
- 系统可能被完全控制,包括修改或删除重要数据。
- 未经授权的用户可能获取管理员权限,从而执行任意操作。
神龙判断
是否为 Web 类漏洞: 是
判断理由:
是。这个漏洞允许未认证的远程攻击者通过服务器端模板注入进行文件读取、绕过认证以获得管理权限,以及在服务器上执行远程代码,因此它是一个Web服务的服务端的漏洞。
提示
尽管我们采用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
Unauthenticated arbitrary file read and remote code execution in CrushFTP
来源:美国国家漏洞数据库 NVD
漏洞描述信息
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.
来源:美国国家漏洞数据库 NVD
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
来源:美国国家漏洞数据库 NVD
漏洞类别
N/A
来源:美国国家漏洞数据库 NVD
漏洞标题
CrushFTP 代码注入漏洞
来源:中国国家信息安全漏洞库 CNNVD
漏洞描述信息
CrushFTP是一款文件传输服务器。 CrushFTP 10.7.1 和 11.1.0 之前版本存在安全漏洞,该漏洞源于允许低权限的远程攻击者从 VFS 沙箱之外的文件系统读取文件。
来源:中国国家信息安全漏洞库 CNNVD
CVSS信息
N/A
来源:中国国家信息安全漏洞库 CNNVD
漏洞类别
代码注入
来源:中国国家信息安全漏洞库 CNNVD
二、漏洞 CVE-2024-4040 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | Scanner for CVE-2024-4040 | https://github.com/airbus-cert/CVE-2024-4040 | POC详情 |
| 2 | CVE-2024-4040 (CrushFTP VFS escape) or (CrushFTP unauthenticated RCE) | https://github.com/tr4c3rs/CVE-2024-4040-RCE-POC | POC详情 |
| 3 | Scanner of vulnerability on crushftp instance | https://github.com/tucommenceapousser/CVE-2024-4040-Scanner | POC详情 |
| 4 | None | https://github.com/rbih-boulanouar/CVE-2024-4040 | POC详情 |
| 5 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/Mufti22/CVE-2024-4040 | POC详情 |
| 6 | CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support | https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC | POC详情 |
| 7 | Exploit for CVE-2024-4040 affecting CrushFTP server in all versions before 10.7.1 and 11.1.0 on all platforms | https://github.com/Praison001/CVE-2024-4040-CrushFTP-server | POC详情 |
| 8 | Exploit CrushFTP CVE-2024-4040 | https://github.com/Mohammaddvd/CVE-2024-4040 | POC详情 |
| 9 | None | https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability | POC详情 |
| 10 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/gotr00t0day/CVE-2024-4040 | POC详情 |
| 11 | A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. | https://github.com/1ncendium/CVE-2024-4040 | POC详情 |
| 12 | CVE-2024-4040 PoC | https://github.com/olebris/CVE-2024-4040 | POC详情 |
| 13 | CVE-2024-4040 PoC | https://github.com/entroychang/CVE-2024-4040 | POC详情 |
| 14 | None | https://github.com/safeer-accuknox/CrushFTP-cve-2024-4040-poc | POC详情 |
| 15 | is a PoC for CVE-2024-4040 tool for exploiting the SSTI vulnerability in CrushFTP | https://github.com/geniuszlyy/GenCrushSSTIExploit | POC详情 |
| 16 | None | https://github.com/rahisec/CVE-2024-4040 | POC详情 |
| 17 | exploit for CVE-2024-4040 | https://github.com/0xN7y/CVE-2024-4040 | POC详情 |
| 18 | is a PoC for CVE-2024-4040 tool for exploiting the SSTI vulnerability in CrushFTP | https://github.com/geniuszly/GenCrushSSTIExploit | POC详情 |
| 19 | VFS Sandbox Escape in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows remote attackers with low privileges to read files from the filesystem outside of VFS Sandbox. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-4040.yaml | POC详情 |
| 20 | Exploit for CVE-2024-4040 – Authentication bypass in CrushFTP via CrushAuth cookie and AWS-style header spoofing. Stealthy Python PoC with secure token generation, SSL bypass, and improved output. | https://github.com/ill-deed/CrushFTP-CVE-2024-4040-illdeed | POC详情 |
| 21 | A Dockerized setup for running a vulnerable CrushFTP 10 server instance (CVE-2024-4040). | https://github.com/juanorts/CrushFTP10-Docker-CVE-2024-4040 | POC详情 |
| 22 | Exploit CrushFTP CVE-2024-4040 | https://github.com/dhammerg/CVE-2024-4040 | POC详情 |
三、漏洞 CVE-2024-4040 的情报信息
标题: Unauthenticated CrushFTP Zero-Day Enables Complete Server Compromise | Rapid7 Blog -- 🔗来源链接
标签:third-party-advisory
- https://github.com/airbus-cert/CVE-2024-4040exploit
标题: Crush11wiki: Update -- 🔗来源链接
标签:vendor-advisory
标题: Crush10wiki: Update -- 🔗来源链接
标签:vendor-advisory
- https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/third-party-advisory
- https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/media-coverage
- https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/related
- https://nvd.nist.gov/vuln/detail/CVE-2024-4040
四、漏洞 CVE-2024-4040 的评论
暂无评论