URL: https://blog.sonicwall.com/en-us/2024/05/crushftp-server-side-template-injection-ssti/
CRUSHFTP SERVER-SIDE TEMPLATE INJECTION (SSTI)




By Security News
May 1, 2024


OVERVIEW

The SonicWall Capture Labs threat research team became aware of a fully
unauthenticated server-side template injection (SSTI) vulnerability in CrushFTP,
assessed its impact, and developed mitigation measures. CrushFTP is an
enterprise file transfer tool; such tools have drawn increased attention from
attackers over the last several years. The vulnerability, CVE-2024-4040, carries
a CVSS score of 10.0, and CISA has reported it as exploited in the wild. A PoC
and a vulnerability scanner script have been released on GitHub, making it
relatively easy for attackers to leverage. Shodan showed around 5,200 instances
exposed to the internet at the time of writing. CrushFTP has released an update
that fixes this vulnerability, and anyone using this software should update to
version 11.1 or newer.


TECHNICAL OVERVIEW

CrushFTP issues an anonymous, unprivileged session token for any unauthenticated
request to a page under the “/WebInterface” prefix. That token can then be
presented to other API endpoints. The vulnerability exists because one such
endpoint, ServerSessionAJAX, accepts these unprivileged tokens for its API
features. ServerSessionAJAX also acts as a server-side templating engine: it
performs variable replacement on the text it returns. Within its writeResponse
function, request arguments are folded into the text that is templated, so if an
attacker places data enclosed in %% or {} symbols in an argument, the server
evaluates and renders the attacker-supplied template. The result is arbitrary
file read as root, authentication bypass to an administrator account, and
potentially theft of every file stored on the instance. For our analysis, we
installed CrushFTP version 10.6 using a container image hosted on Docker Hub.
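To make the mechanism concrete, below is a toy model of a variable-replacing template engine of the kind described, with a handler that concatenates a request argument into the text before rendering (the flaw) beside one that renders first and splices the argument in as escaped data (the fix). This is illustrative Python added for this page, not CrushFTP's code: the variable names other than working_dir, the in-memory stand-in for files on disk, the file contents and the response layout are all assumptions.

```python
"""Toy variable-replacement engine with a vulnerable and a hardened handler.
Illustrative code written for this page; not CrushFTP's implementation."""
import re
from html import escape

# Constructed stand-in for files on disk so the example runs offline.
# Paths and contents are made up for the demo.
FAKE_FS = {
    "/opt/crushftp/sessions.obj": "token=7f3a...;user=admin\ntoken=91c0...;user=anon\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
}

# Server-side variables the engine substitutes. "working_dir" mirrors the
# template named in the post; "server_name" is invented for the demo.
SERVER_VARS = {"working_dir": "/opt/crushftp", "server_name": "crushftp-demo"}

VAR_RE = re.compile(r"\{([A-Za-z_]+)\}")
INCLUDE_RE = re.compile(r"<INCLUDE>(.*?)</INCLUDE>", re.DOTALL)


def render(template: str) -> str:
    """Evaluate template syntax: {var} -> server value, <INCLUDE>p</INCLUDE> -> file p.
    Everything handed to this function is treated as code, not data."""
    out = VAR_RE.sub(lambda m: SERVER_VARS.get(m.group(1), m.group(0)), template)
    return INCLUDE_RE.sub(lambda m: FAKE_FS.get(m.group(1), "<missing>"), out)


def zip_response_vulnerable(user_path: str) -> str:
    """The flaw: the request argument is concatenated into the response body
    before rendering, so template syntax inside it is evaluated server-side."""
    body = "<response><path>" + user_path + "</path><status>ok</status></response>"
    return render(body)


def zip_response_hardened(user_path: str) -> str:
    """The fix: render the fixed template first, then splice the argument in as
    escaped data. No render pass ever sees attacker-controlled text."""
    body = render("<response><path>__PATH__</path><status>ok</status></response>")
    return body.replace("__PATH__", escape(user_path, quote=True))


if __name__ == "__main__":
    probe = "{working_dir}"                                    # Figure 4 analogue
    payload = "<INCLUDE>{working_dir}/sessions.obj</INCLUDE>"  # Figure 6 analogue
    print("vulnerable, probe :", zip_response_vulnerable(probe))
    print("vulnerable, read  :", zip_response_vulnerable(payload))
    print("hardened, read    :", zip_response_hardened(payload))
```

The hardened handler does not try to blacklist %% or {}; it changes the order of operations so that user input is never an input to the template evaluator at all, which is the durable fix for any SSTI regardless of the engine's syntax.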


TRIGGERING THE VULNERABILITY

To trigger this vulnerability, an attacker must first obtain an unprivileged
session token by sending a basic GET request to any endpoint under
“/WebInterface,” as seen in Figure 1.



Figure 1: Obtaining a session token

Using that session token, the attacker can attempt to access resources that
should only be available to a fully authenticated account, such as the API
implemented by ServerSessionAJAX. In Figure 2, we request an API feature we
should not have permission to use, the zip function. Instead of the expected
“access denied” message, the server returns an error, which indicates the
request reached the function itself.



Figure 2: Indication of unauthenticated access to API

Through this unauthenticated API, we can send legitimate template commands to
obtain information about the server, which is returned in the response. The
code accepts an extensive list of legitimate template variables in the request.
Figure 3 shows a small subset of that list from the code, including one that
returns the working directory of the running application, which is crucial for
exploitation.



Figure 3: change_vars_to_values_static function

Requesting this variable in an unauthenticated request, as seen in Figure 4,
proves that an attacker can leverage the SSTI: the working directory is returned
in the server’s response when the “working_dir” template is supplied.



Figure 4: Successful template injection


EXPLOITATION

To exploit this vulnerability, an attacker can use this access to obtain an
administrator login or session token. Examining the templates that can be
leveraged within the “change_vars_to_values” function, we find “INCLUDE” tags
among many others, as seen in Figure 5.



Figure 5: Injectable Tags

As demonstrated in Figure 4, obtaining the application’s working directory is
easy. Within the application’s main directory, a file named sessions.obj holds
all of the session data for the instance, including session tokens. If an
administrator is logged into the application, their token is in this file. An
attacker can exploit the SSTI using <INCLUDE>, as seen in Figure 6, to have the
file’s contents returned in the response.



Figure 6: SSTI using <INCLUDE>

Within the response, it is easy to locate the list of assigned session tokens.
In Figure 7, the administrator token is highlighted in yellow. While an attacker
may not know up front which token belongs to the administrator, trial and error
will eventually allow them to use the correct one.



Figure 7: Output of SSTI including the sessions.obj file


SONICWALL PROTECTIONS

To ensure SonicWall customers are prepared for any exploitation that may occur
due to this vulnerability, the following signatures have been released:

 * IPS:4396 CrushFTP Server-Side Template Injection
 * IPS:4400 CrushFTP Server-Side Template Injection 2
 * IPS:4402 CrushFTP Server-Side Template Injection 3
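As an added example, and not SonicWall's signature logic, the following Python sketch shows the kind of check such signatures embody, run over constructed request records: a request to the function endpoint whose parameters carry template syntax after URL-decoding is flagged, while the ordinary GET to /WebInterface that yields an anonymous session token is not, since that request is normal behaviour. The endpoint path, the parameter names and the sample records are assumptions made for the demo.

```python
"""Detection sketch for the request pattern described in this post.
Illustrative code written for this page, not SonicWall's signature logic."""
import re
from urllib.parse import unquote_plus

# Assumed endpoint path for the function API that ServerSessionAJAX serves.
FUNCTION_PATH = "/WebInterface/function/"

# Template syntax the post says the engine interprets: {var}, %%...%% and <INCLUDE>.
TEMPLATE_SYNTAX = re.compile(r"<INCLUDE>|</INCLUDE>|\{[A-Za-z_]+\}|%%", re.IGNORECASE)

# Constructed request records: (method, path, raw body). Parameter names are assumptions.
SAMPLE_REQUESTS = [
    # Normal: loading the login page, which hands out an anonymous session token.
    ("GET", "/WebInterface/login.html", ""),
    # Normal: a listing request with an ordinary path argument.
    ("POST", "/WebInterface/function/", "command=getXMLListing&path=%2Fhome%2Falice"),
    # Probe: a server variable in the argument (the Figure 4 pattern).
    ("POST", "/WebInterface/function/", "command=zip&path=%7Bworking_dir%7D&names=%2F"),
    # File read via INCLUDE (the Figure 6 pattern), URL-encoded as a log would show it.
    ("POST", "/WebInterface/function/",
     "command=zip&path=%3CINCLUDE%3E%2Fopt%2Fcrushftp%2Fsessions.obj%3C%2FINCLUDE%3E&names=%2F"),
    # Same payload double-encoded: a single decode pass would miss it.
    ("POST", "/WebInterface/function/",
     "command=zip&path=%253CINCLUDE%253E%252Fetc%252Fpasswd%253C%252FINCLUDE%253E&names=%252F"),
]


def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode until the string stops changing (bounded), so that a literal
    match is not defeated by an extra layer of percent-encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_ssti_probe(method: str, path: str, body: str) -> bool:
    """True when a request to the templating endpoint carries template syntax
    in its decoded parameters. Requests elsewhere under /WebInterface, such as
    the token-issuing GET, are deliberately not flagged."""
    if not path.startswith(FUNCTION_PATH):
        return False
    return TEMPLATE_SYNTAX.search(decode_fully(body)) is not None


def flagged_indices(requests):
    """Indices of the records that match, for the test and for a quick report."""
    return [i for i, rec in enumerate(requests) if is_ssti_probe(*rec)]


if __name__ == "__main__":
    for i in flagged_indices(SAMPLE_REQUESTS):
        method, path, body = SAMPLE_REQUESTS[i]
        print(f"ALERT record {i}: {method} {path} {decode_fully(body)}")
```

The check matches on syntax, not on a specific payload, so it also catches the Figure 4 style reconnaissance (a bare {working_dir}) that precedes the file read. The trade-off is that a legitimate file name containing braces or the literal string %% would trip it; in practice that is rare enough to accept, and the hit can be reviewed against whether the same client also fetched a fresh anonymous token shortly before.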


REMEDIATION RECOMMENDATIONS

CrushFTP has released an update that fixes this vulnerability, and anyone using
this software is advised to update to version 11.1 or newer (10.7.1 or newer for
deployments still on the 10.x branch). Because the attack reads existing session
tokens from disk rather than guessing them, updating alone does not evict an
attacker who has already harvested a token: after patching, terminate active
sessions and rotate administrator credentials, and reconsider whether the web
interface needs to be reachable from the internet at all.


RELEVANT LINKS

 * https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
 * https://hub.docker.com/r/netlah/crushftp/tags
 * https://www.cve.org/CVERecord?id=CVE-2024-4040
 * https://github.com/airbus-cert/CVE-2024-4040/blob/main/README.md
 * https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis
 * https://www.shodan.io/search?query=html%3A%22%2FWebInterface%2FResources%2Fjs%2Flogin.js%22

 
