A fully unauthenticated server-side template injection vulnerability (CVE-2024-4040) affects CrushFTP, enabling an attacker to read arbitrary files and bypass admin authentication via the ServerSessionAJAX API. Mitigation is updating to CrushFTP 11.1 or later; a PoC and scanners are publicly available, and Shodan shows thousands of exposed instances. #CrushFTP #CVE-2024-4040 #CISA #SSTI #ServerSessionAJAX #sessions.obj #DockerHub #Shodan
Keypoints
- CrushFTP contains an unauthenticated server-side template injection (SSTI) flaw identified as CVE-2024-4040 with a CVSS of 10.0.
- The vulnerability arises from an accessible ServerSessionAJAX endpoint that uses a server-side templating engine to render templates.
- An attacker can obtain an unprivileged session token via a GET request to /WebInterface and then access restricted API features.
- SSTI allows attackers to run attacker-specified templates and perform actions such as arbitrary file reads with the privileges of the CrushFTP process (root on many installs) and, from there, admin authentication bypass.
- A PoC and vulnerability scanner are publicly available on GitHub; CrushFTP released an update to fix the issue (11.1+).
- Shodan reported roughly 5,200 exposed CrushFTP instances at the time of reporting.
MITRE Techniques
- [T1221] Template Injection – The ServerSessionAJAX API acts as a server-side templating engine; inserting data enclosed within %% or {} symbols causes the server to execute the attacker-specified template. “The API functions as a server-side templating engine by performing variable replacements. If an attacker manages to insert data enclosed within %% or {} symbols in the argument, the server will execute and render the attacker-specified template.” (Note that ATT&CK T1221 formally describes document/Office template injection; it is applied here loosely to server-side template injection.)
- [T1190] Exploit Public-Facing Application – The vulnerability is described as a “fully unauthenticated server-side template injection vulnerability” exploited in the wild.
- [T1082] System Information Discovery – Attackers can use unauthenticated requests to trigger template expressions that reveal the server’s working directory, which is crucial for exploitation. “the working directory of where the application is running” is returned.
- [T1552.001] Credentials in Files – The sessions.obj file contains all session data, including administrator tokens, enabling credential access if retrieved. “the sessions.obj contains all of the session data for the instance, including session tokens.”
- [T1078] Valid Accounts – Attacker can use access to obtain an administrator login or session token. “to obtain an administrator login or session token.”
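The template markers and endpoint described above suggest a simple hunt: look for CrushFTP web-interface requests whose parameters contain `%%...%%` or `{...}` after URL decoding. The following is an added example written for this summary, not code from SonicWall, Airbus CERT or CrushFTP. It assumes a reverse proxy in front of CrushFTP writing Combined Log Format access logs (the sample log lines are constructed, and the `/WebInterface/` path prefix and `sample_var` variable name are placeholders); it decodes each query parameter twice so that double-encoded payloads are not missed.

```python
"""Flag CrushFTP web-interface requests whose query parameters carry template markers."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Data wrapped in %%...%% or {...} is what the ServerSessionAJAX API treats as a template.
TEMPLATE_MARKERS = re.compile(r"%%[^%\s]+%%|\{[^{}\s]+\}")

# Combined Log Format as written by a reverse proxy in front of CrushFTP (assumption).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_log_line(line):
    """Split one access-log line into source, timestamp, method, target and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    return {"src": src, "ts": ts, "method": method, "target": target, "status": int(status)}


def template_hits(target):
    """Return template-looking fragments found in the query string of a /WebInterface/ request.

    parse_qsl performs one round of percent-decoding; the extra unquote_plus catches
    payloads that were double-encoded to slip past naive pattern matching.
    """
    parts = urlsplit(target)
    if not parts.path.startswith("/WebInterface/"):  # assumed web-interface prefix
        return []
    hits = []
    for _key, value in parse_qsl(parts.query, keep_blank_values=True):
        hits.extend(TEMPLATE_MARKERS.findall(unquote_plus(value)))
    return hits


def scan_log(text):
    """Return one finding per request that carries a template marker."""
    findings = []
    for line in text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        hits = template_hits(rec["target"])
        if hits:
            rec["hits"] = hits
            findings.append(rec)
    return findings


# Constructed sample log: one benign session bootstrap, one benign API call, and three
# requests whose parameters carry template markers (plain, double-encoded, and %% form).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2024:10:01:02 +0000] "GET /WebInterface/ HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [22/Apr/2024:10:01:03 +0000] "GET /WebInterface/function/?command=zip&path=%7Bsample_var%7D HTTP/1.1" 200 312 "-" "curl/8.4"
198.51.100.4 - - [22/Apr/2024:10:02:10 +0000] "GET /WebInterface/function/?command=getUserList HTTP/1.1" 200 1022 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Apr/2024:10:01:04 +0000] "GET /WebInterface/function/?command=zip&path=%257Bsample_var%257D HTTP/1.1" 200 312 "-" "curl/8.4"
203.0.113.7 - - [22/Apr/2024:10:01:05 +0000] "GET /WebInterface/function/?command=zip&names=%25%25sample_var%25%25 HTTP/1.1" 200 298 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} {f['method']} {f['target']} -> {f['hits']}")
```

Two caveats when running this against real data: proxy access logs do not record POST bodies, so parameters sent in a request body need CrushFTP's own logs or a full-capture proxy; and a legitimate file name containing braces will trip the pattern, so treat hits as leads to be correlated with the source address and with reads of sessions.obj rather than as confirmed compromise.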
Indicators of Compromise
- [URL] Public exposure of CrushFTP instances – https://www.shodan.io/search?query=html%3A%22%2FWebInterface%2FResources%2Fjs%2Flogin.js%22
- [URL] PoC and scanner location – https://github.com/airbus-cert/CVE-2024-4040/tree/main
- [URL] Official update page – https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update
- [URL] Docker Hub repository for CrushFTP image – https://hub.docker.com/r/netlah/crushftp/tags
- [URL] CISA Known Exploited Vulnerabilities Catalog reference – https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- [File] Critical file referenced for tokens – sessions.obj
Read more: https://blog.sonicwall.com/en-us/2024/05/crushftp-server-side-template-injection-ssti/