Overview
SonicWall Capture Labs threat research team became aware of a fully unauthenticated server-side template injection (SSTI) vulnerability in CrushFTP, assessed its impact, and developed mitigation measures. CrushFTP is an enterprise file transfer tool, and such tools have drawn increasing attacker attention over the last several years. The vulnerability, CVE-2024-4040, carries a CVSS score of 10.0, and CISA has reported it as exploited in the wild. A PoC and a vulnerability scanner script have been released on GitHub, making it relatively easy for attackers to leverage. Shodan showed around 5,200 internet-exposed instances at the time of writing. CrushFTP has released an update that fixes the vulnerability; anyone running this software should update to version 11.1 or newer.
Technical Overview
CrushFTP issues an anonymous, unprivileged session token for any unauthenticated request to a page under the “/WebInterface” prefix. That token can then be presented to other API endpoints. The vulnerability exists because one such endpoint, ServerSessionAJAX, accepts these unprivileged tokens and exposes its API features to them. ServerSessionAJAX functions as a server-side templating engine: it performs variable replacement on the text it returns. Its writeResponse function is susceptible to server-side template injection: if an attacker inserts data enclosed in %% or {} delimiters into an argument, the server evaluates and renders the attacker-supplied template. The result is arbitrary file read with the privileges of the CrushFTP process (commonly root), authentication bypass yielding administrator access, and ultimately theft of every file stored on the instance. For our analysis we installed CrushFTP version 10.6 from a Docker container image hosted on Docker Hub.
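The flaw can be modelled in a few lines. The block below is an added illustration, not CrushFTP's code (the real engine is Java, in writeResponse and change_vars_to_values): a toy expander that resolves {name} variables and <INCLUDE> tags, a response writer that mistakenly runs the caller's argument through that expander, and a hardened writer that expands only the server-owned template and appends the argument as opaque data. The variable table, the INCLUDE semantics (path taken relative to the working directory), the hardened variant and the sample sessions.obj are all assumptions; only the {} delimiter is modelled, and the separate access-control gap that lets an unprivileged token reach the endpoint is not.

```python
"""Toy model of the CrushFTP-style variable-replacement flaw (CVE-2024-4040).

Added illustration only: it imitates the pattern the article describes,
a response writer that expands template variables while an attacker-controlled
argument flows into it. Nothing here is CrushFTP's own code.
"""
import os
import re
import shutil
import tempfile

INCLUDE_RE = re.compile(r"<INCLUDE>(.*?)</INCLUDE>", re.DOTALL)
VAR_RE = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")


def server_variables() -> dict:
    """Assumed variable table; 'working_dir' is the one the article names."""
    return {"working_dir": os.getcwd(), "version": "10.6 (lab)"}


def change_vars_to_values(template: str, base_dir: str) -> str:
    """Model expander: resolves <INCLUDE>path</INCLUDE> (assumed relative to the
    working directory; absolute paths pass through) and then {name}.
    The article also names %%name%% delimiters; they are not modelled here."""
    def include(match):
        with open(os.path.join(base_dir, match.group(1)), "r", encoding="utf-8") as fh:
            return fh.read()

    expanded = INCLUDE_RE.sub(include, template)
    return VAR_RE.sub(lambda m: server_variables().get(m.group(1), m.group(0)), expanded)


def write_response_vulnerable(user_arg: str, base_dir: str) -> str:
    """The flaw: the untrusted argument is concatenated into the template
    before expansion, so its delimiters are interpreted by the engine."""
    return change_vars_to_values("Result: " + user_arg, base_dir)


def write_response_hardened(user_arg: str, base_dir: str) -> str:
    """One general remedy (not the vendor's patch): expand only the
    server-owned template, then append the caller's data as opaque text."""
    return change_vars_to_values("Result: ", base_dir) + user_arg


def demo() -> dict:
    """Runs both writers against the article's payload shape in a throwaway
    directory holding a constructed sessions.obj."""
    base = tempfile.mkdtemp()
    try:
        with open(os.path.join(base, "sessions.obj"), "w", encoding="utf-8") as fh:
            fh.write("constructed-sample admin=SESSIONTOKEN-EXAMPLE\n")  # not a real token
        payload = "{working_dir}|<INCLUDE>sessions.obj</INCLUDE>"
        return {
            "vulnerable": write_response_vulnerable(payload, base),
            "hardened": write_response_hardened(payload, base),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out!r}")
```

The vulnerable writer returns the working directory and the contents of sessions.obj; the hardened writer returns the payload verbatim. The point is the ordering: anything that is expanded must be authored by the server, and user data is concatenated only after expansion has finished.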
Triggering the Vulnerability
To trigger this vulnerability, an attacker first obtains an unprivileged session token by sending a plain GET request to any endpoint under “/WebInterface,” as seen in Figure 1.
Figure 1: Obtaining a session token
With that session token, the attacker can attempt to reach resources that should require a fully authenticated account, such as the API implemented by ServerSessionAJAX. In Figure 2, we request an API feature we should not have permission to use, the zip function. Rather than the expected “access denied” message, the server returns an error, which shows that the request reached the API logic.
Figure 2: Indication of unauthenticated access to API
Through this unauthenticated API we can submit legitimate template commands that return information about the server in the response. The code accepts an extensive list of such commands. Figure 3 shows a small subset of that list from the code, including one that returns the working directory the application is running from, which is crucial for exploitation.
Figure 3: change_vars_to_values_static function
Requesting this command via an unauthenticated request, as seen in Figure 4, confirms that an attacker can leverage the SSTI: the working directory is returned in the server’s response when the “working_dir” template is supplied.
Figure 4: Successful template injection
Exploitation
To exploit this vulnerability, an attacker uses this access to obtain an administrator login or session token. Examining the templates accepted by the “change_vars_to_values” function, we find “INCLUDE” tags among many others, as seen in Figure 5.
Figure 5: Injectable Tags
As demonstrated in Figure 4, obtaining the application’s working directory is easy. Within the application’s main directory, a file named sessions.obj holds the session data for the instance, including session tokens; if an administrator is logged into the application, their token will be in this file. An attacker can use the SSTI with an <INCLUDE> tag, as seen in Figure 6, to have the file’s contents returned in the response.
Figure 6: SSTI using <INCLUDE>
The response contains a list of assigned session tokens; in Figure 7, the administrator token is highlighted in yellow. An attacker may not know which token belongs to the administrator, but trying each one against a privileged endpoint will quickly identify the correct token. As noted above, the administrator token is only present in sessions.obj while an administrator session exists.
Figure 7: Output of SSTI including the sessions.obj file
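For defenders without an IPS in the path, the same delimiters can be hunted in web server access logs. The block below is an added example, not part of the original post or of the CrushFTP project: it parses combined-format access log lines, URL-decodes the request target, and flags requests under the /WebInterface prefix whose query string carries %%...%%, {...} or <INCLUDE> markers. The log lines are constructed samples, and the path and parameter names in them (function/, command=, path=, c2f=) are assumptions, since the post does not give the request format. The heuristic only sees GET query strings; POST bodies and TLS-terminated traffic need the IPS signatures or application-level logging.

```python
"""Hunt for CVE-2024-4040-style template markers in web server access logs.

Added example, not part of the original post or of CrushFTP. Inspects only
the request target of combined-format log lines.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines, not real traffic. Path and parameter names after
# /WebInterface are assumptions; the post does not give the request format.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2024:10:01:02 +0000] "GET /WebInterface/ HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [22/Apr/2024:10:01:03 +0000] "GET /WebInterface/function/?command=zip&c2f=abcd1234 HTTP/1.1" 500 88 "-" "curl/8.0"
203.0.113.5 - - [22/Apr/2024:10:01:04 +0000] "GET /WebInterface/function/?command=zip&path=%7Bworking_dir%7D&c2f=abcd1234 HTTP/1.1" 200 140 "-" "curl/8.0"
203.0.113.5 - - [22/Apr/2024:10:01:05 +0000] "GET /WebInterface/function/?command=zip&path=%3CINCLUDE%3Esessions.obj%3C/INCLUDE%3E&c2f=abcd1234 HTTP/1.1" 200 9001 "-" "curl/8.0"
198.51.100.9 - - [22/Apr/2024:10:02:00 +0000] "GET /api/search?q=%7Bfoo%7D HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Apr/2024:10:02:01 +0000] "GET /WebInterface/function/?command=getUserList&c2f=zzzz9999 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Delimiters the post describes (%%...%% and {...}) plus the INCLUDE tag.
TEMPLATE_MARKERS = (
    ("include_tag", re.compile(r"<\s*INCLUDE\b", re.IGNORECASE)),
    ("percent_var", re.compile(r"%%[^%\s]+%%")),
    ("brace_var", re.compile(r"\{[A-Za-z_][A-Za-z0-9_]*\}")),
)


def decode_target(target: str) -> str:
    """Decode twice so double-encoded delimiters surface; a no-op on plain text."""
    return unquote_plus(unquote_plus(target))


def classify(line: str):
    """Returns a finding dict for a suspicious /WebInterface request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_target(m["target"])
    if not target.lower().startswith("/webinterface"):
        return None  # {} is common elsewhere (JSON); scope to the vulnerable prefix
    markers = [name for name, rx in TEMPLATE_MARKERS if rx.search(target)]
    if not markers:
        return None
    return {
        "ip": m["ip"],
        "time": m["ts"],
        "status": int(m["status"]),  # 200 means the template was rendered
        "markers": markers,
        "target": target,
    }


def scan(log_text: str) -> list:
    """All findings in a log text, in file order."""
    return [f for f in map(classify, log_text.splitlines()) if f]


def sources(findings: list) -> dict:
    """Findings per client IP, for pivoting to the token-minting GET /WebInterface/."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], f["markers"], f["target"])
    print(sources(scan(SAMPLE_LOG)))
```

On the sample, the two flagged requests are the {working_dir} probe and the <INCLUDE>sessions.obj read, both from 203.0.113.5; the {foo} hit outside /WebInterface is ignored. A 200 response with a large body to a flagged request is a stronger signal than an error, since it means the template was rendered; the preceding GET /WebInterface/ from the same address is the unprivileged-token request that starts the chain.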
SonicWall Protections
To ensure SonicWall customers are protected against exploitation of this vulnerability, the following signatures have been released:
- IPS:4396 CrushFTP Server-Side Template Injection
- IPS:4400 CrushFTP Server-Side Template Injection 2
- IPS:4402 CrushFTP Server-Side Template Injection 3
Remediation Recommendations
CrushFTP has released an update that fixes this vulnerability, and anyone using this software is advised to update to version 11.1 or newer. Because a successful attack reads session tokens out of sessions.obj, administrators of instances that were internet-exposed before patching should also invalidate existing sessions after updating and review web server logs for unauthenticated requests under /WebInterface that carry %% or {} template delimiters or <INCLUDE> tags.
Relevant Links
Source: Original Post