Exploit for CrushFTP RCE Chain Released, Patch Now

Cyber Security Threat Summary:
A critical vulnerability (CVE-2023-43177) in CrushFTP, allowing hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read, delete files, and potentially gain total control over systems using specific web ports and functions in CrushFTP. Approximately 10,000 vulnerable instances exist, making them attractive targets for ransomware actors like Clop. Despite patches, the risk persists as attackers may exploit reverse engineered patches. Users must swiftly update their Crust FTP to remain secure.

Security Officer Comments:
The technical details of the CVE-2023-43177 vulnerability in CrushFTP reveal its exploitable nature. Attackers leverage an unauthenticated mass-assignment flaw, using specific web headers to send payloads to CrushFTP services on ports 80,443, 8080 and 9090. By exploiting Java functions like ‘putAll()’ and ‘drain_log()’, attackers gain control over user session properties and manipulate files potentially leading to full system compromise. Moreover, the exploitation allows them to escalate privileges, hijack admin sessions via the ‘sessions.obj’ file, and execute arbitrary java code through flaws in the admin panel’s handling of SQL driver loading and database configuration testing.

Suggested Correction(s):


To effectively mitigate this risk, researchers at Converge recommend the following steps:

  • Update CrushFTP to the latest version.
  • Enable automatic security patch updates.
  • Change the password algorithm to Argon.
  • Audit for unauthorized users and check for recent password changes.
  • Activate the new Limited Server mode for enhanced security.
    • Additional measures that can be implemented to enhance CrushFTP security further include:
      • Using a limited privilege operating system service account for CrushFTP.
      • Deploying Nginx or Apache as a reverse proxy for public-facing servers.
      • Setting firewall rules to limit CrushFTP traffic to trusted IP ranges and hosts.
      Link(s):
      https://www.bleepingcomputer.com/ https://convergetp.com/2023/11/16/crushftp-zero-day-cve-2023-43177-discovered/