URL: https://blog.sonicwall.com/en-us/2024/05/crushftp-server-side-template-injection-ssti/
CRUSHFTP SERVER-SIDE TEMPLATE INJECTION (SSTI)
By Security News, May 1, 2024

OVERVIEW
SonicWall Capture Labs threat research team became aware of a fully unauthenticated server-side template injection vulnerability within CrushFTP, assessed its impact, and developed mitigation measures.

CrushFTP is an enterprise file transfer tool. Such tools have seen increased attention from attackers over the last several years. This vulnerability, CVE-2024-4040, has a CVSS score of 10.0 and has been reported by CISA to be exploited in the wild. A PoC and vulnerability scanner script have been released on GitHub, making it relatively easy for attackers to leverage. Shodan indicates around 5,200 instances exposed on the internet at the time of writing. CrushFTP has released an update to fix this vulnerability, and anyone using this software should update to version 11.1 or newer.

TECHNICAL OVERVIEW
CrushFTP is designed to provide an anonymous or unprivileged session token for any unauthenticated request to any page with a “/WebInterface” prefix. This session token can then be used to access other API endpoints. The vulnerability exists due to an accessible endpoint – ServerSessionAJAX – that allows these tokens to access its API features. The ServerSessionAJAX API functions as a server-side templating engine by performing variable replacements. This API is susceptible to a server-side template injection vulnerability within the writeResponse function.
If an attacker manages to insert data enclosed within %% or {} symbols in the argument, the server will execute and render the attacker-specified template. This results in arbitrary file read as root and authentication bypass for administrator account access, and can lead to theft of all files stored on the instance.

To perform our analysis, we installed CrushFTP version 10.6 using a docker container hosted on docker hub.

TRIGGERING THE VULNERABILITY
In order to leverage and trigger this vulnerability, an attacker must first obtain an unprivileged session token by sending a basic GET request to any endpoint in “/WebInterface,” as seen in Figure 1.

Figure 1: Obtaining a session token

Using a session token, the attacker can attempt to access resources that should only be accessible to a fully authenticated account, such as an API implemented by ServerSessionAJAX. In Figure 2, we are trying to access an API feature we shouldn’t have permission to access — the zip function. Upon attempting access, an error appears instead of the expected “access denied” message.

Figure 2: Indication of unauthenticated access to API

Through this unauthenticated API, we can send legitimate template commands to obtain information about the server, which will be returned in the response. The code allows an extensive list of legitimate commands to be sent in the request. Figure 3 shows a small subset of the list from the code, including one that returns the working directory where the application is running, which is crucial for exploitation.

Figure 3: change_vars_to_values_static function

Attempting to access this command via an unauthenticated request, as seen in Figure 4, proves an attacker can effectively leverage the SSTI. Notice that the working directory is returned in the server’s response when the “working_dir” template is provided.
Figure 4: Successful template injection

EXPLOITATION
To exploit this vulnerability, an attacker can use this access to obtain an administrator login or session token. By examining the possible templates that can be leveraged within the “change_vars_to_values” function, we run across “INCLUDE” tags among many others, as seen in Figure 5.

Figure 5: Injectable Tags

As demonstrated in Figure 4, it is easy to obtain the working directory of the application. Within the application’s main directory, a file named sessions.obj contains all of the session data for the instance, including session tokens. If an administrator is logged into the application, their token will be in this file. An attacker can exploit the SSTI vulnerability using <INCLUDE>, as seen in Figure 6, to have the file’s contents returned in the response.

Figure 6: SSTI using <INCLUDE>

Within the response, it is easy to locate a list of assigned session tokens. In Figure 7, the administrator token is highlighted in yellow. While an attacker may not know which token is dedicated to the administrator, trial and error will eventually allow them to utilize the correct token.

Figure 7: Output of SSTI including the sessions.obj file

SONICWALL PROTECTIONS
To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

* IPS:4396 CrushFTP Server-Side Template Injection
* IPS:4400 CrushFTP Server-Side Template Injection 2
* IPS:4402 CrushFTP Server-Side Template Injection 3

REMEDIATION RECOMMENDATIONS
CrushFTP has released an update to fix this vulnerability, and anyone using this software is advised to update to version 11.1 or newer.
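As an added example that is not from the SonicWall post or from CrushFTP, the following log scanner flags requests under the /WebInterface prefix whose query values carry the template markers the post describes ({...}, %%...%% or an <INCLUDE> tag), which is the kind of traffic the IPS signatures above are meant to catch. The access-log lines and the parameter name `param` are constructed placeholders, not CrushFTP's real API arguments.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (combined log format); none are from the original post.
# The parameter name "param" and the file name FILE are placeholders, not real API arguments.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2024:10:01:02 +0000] "GET /WebInterface/login.html HTTP/1.1" 200 1843
10.0.0.5 - - [01/May/2024:10:01:05 +0000] "GET /WebInterface/function/?param=%7Bworking_dir%7D HTTP/1.1" 200 512
10.0.0.9 - - [01/May/2024:10:02:11 +0000] "GET /WebInterface/function/?param=%3CINCLUDE%3EFILE%3C/INCLUDE%3E HTTP/1.1" 200 9921
10.0.0.7 - - [01/May/2024:10:03:00 +0000] "GET /WebInterface/function/?param=%25%25user_name%25%25 HTTP/1.1" 200 80
10.0.0.7 - - [01/May/2024:10:03:30 +0000] "GET /WebInterface/function/?param=plain HTTP/1.1" 403 120
10.0.0.8 - - [01/May/2024:10:04:00 +0000] "GET /other/?q=%7Bnot_crushftp%7D HTTP/1.1" 200 10
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Template markers the post names: {...} braces, %%...%% and <INCLUDE> tags.
MARKERS = [
    ("brace-template", re.compile(r"\{[A-Za-z_]\w*\}")),
    ("percent-template", re.compile(r"%%[^%]+%%")),
    ("include-tag", re.compile(r"<INCLUDE[\s>]", re.IGNORECASE)),
]

def scan_line(line):
    """Return (client_ip, marker_name) if the request looks like a CrushFTP SSTI probe, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # Only the /WebInterface prefix hands out the unprivileged token the bug relies on.
    if not parts.path.startswith("/WebInterface"):
        return None
    # Decode each query value, plus the raw query decoded twice to catch double-encoding.
    candidates = [value for _, value in parse_qsl(parts.query, keep_blank_values=True)]
    candidates.append(unquote(unquote(parts.query)))
    for name, pattern in MARKERS:
        if any(pattern.search(c) for c in candidates):
            return (m.group("ip"), name)
    return None

def scan_log(text):
    """Scan a whole log; returns the list of (client_ip, marker_name) hits in log order."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]

if __name__ == "__main__":
    for ip, reason in scan_log(SAMPLE_LOG):
        print(f"suspected SSTI probe from {ip}: {reason}")
```

Matching on decoded query values rather than the raw URL keeps percent-encoded and double-encoded variants from slipping past the check.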
RELEVANT LINKS
* https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
* https://hub.docker.com/r/netlah/crushftp/tags
* https://www.cve.org/CVERecord?id=CVE-2024-4040
* https://github.com/airbus-cert/CVE-2024-4040/blob/main/README.md
* https://attackerkb.com/topics/20oYjlmfXa/cve-2024-4040/rapid7-analysis
* https://www.shodan.io/search?query=html%3A%22%2FWebInterface%2FResources%2Fjs%2Flogin.js%22

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.