A proof-of-concept exploit was publicly released for a critical remote code execution vulnerability in the CrushFTP enterprise suite, allowing unauthenticated attackers to access files on the server, execute code, and obtain plain-text passwords. The developers released a fix overnight in version CrushFTP 10.5.2. Today, Converge published a proof-of-concept exploit for the CVE-2023-43177 flaw, making it critical for CrushFTP users to install the security updates as soon as possible.

Exploiting CrushFTP

The CrushFTP exploit is conducted through an unauthenticated mass-assignment vulnerability, exploiting the AS2 header parsing to control user session properties. The attackers can send payloads to the CrushFTP service on specific ports using web headers, which leave log traces. Next, the attackers overwrite session data using Java's 'putAll()' function, enabling the impersonation of 'administrators,' and leverage the 'drain log()' function to manipulate files as needed to maintain stealthiness. Eventually, the attackers can leverage the 'sessions. Having established admin access, the attacker can exploit flaws in the admin panel's handling of SQL driver loading and database configuration testing to execute arbitrary Java code. Converge has published a video demonstrating the PoC exploit in use.

According to Converge's report, there are roughly 10,000 public-facing CrushFTP instances and likely many more behind corporate firewalls. The attack surface is sizable even though the number of vulnerable instances hasn't been determined. File transfer products like CrushFTP are particularly attractive to ransomware actors, specifically Clop, known for leveraging zero-day vulnerabilities in software like MOVEit Transfer, GoAnywhere MFT, and Accellion FTA to conduct data theft attacks. The researchers revealed that even applying the patches doesn't secure CrushFTP endpoints against all possible threats.
"Converge's threat intelligence indicates that the security patch has been reverse-engineered, and adversaries have developed proofs of concepts. Because of that, upcoming exploitation is likely." - Converge. It's vital to implement these security measures as soon as possible, as the publicly disclosed exploit details of CVE-2023-43177 are likely to be used by hackers in opportunistic attacks.
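The mass-assignment step described above, where client-supplied header values are merged into a session with 'putAll()', is illustrated below with an added, simplified model written for this article; it is not CrushFTP's code, and the session keys, the allowlist and the sample request are assumed for the demonstration. The unsafe merge is shown beside an allowlisted merge that keeps server-controlled properties such as the role out of the client's reach.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Simplified model of header-driven mass assignment (illustrative only, not CrushFTP code).
public class SessionMerge {
    // Properties a client may set through request headers (assumed allowlist for this example).
    private static final List<String> CLIENT_SETTABLE = List.of("display_name", "locale");

    // Unsafe pattern: every parsed header key is copied straight into the session,
    // so a client-supplied key such as "role" silently overwrites server-controlled state.
    static Map<String, String> mergeUnsafe(Map<String, String> session, Map<String, String> headers) {
        Map<String, String> merged = new HashMap<>(session);
        merged.putAll(headers);
        return merged;
    }

    // Hardened pattern: copy only allowlisted keys; anything else is dropped and logged
    // so that unexpected keys leave a trace for detection.
    static Map<String, String> mergeSafe(Map<String, String> session, Map<String, String> headers) {
        Map<String, String> merged = new HashMap<>(session);
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (CLIENT_SETTABLE.contains(e.getKey())) {
                merged.put(e.getKey(), e.getValue());
            } else {
                System.out.println("dropped client-supplied session key: " + e.getKey());
            }
        }
        return merged;
    }

    public static void main(String[] args) {
        // Constructed sample: a server-set session and a request carrying an extra "role" field.
        Map<String, String> session = new HashMap<>(Map.of("user", "alice", "role", "user"));
        Map<String, String> headers = Map.of("display_name", "Alice", "role", "admin");

        System.out.println("unsafe merge role: " + mergeUnsafe(session, headers).get("role"));
        System.out.println("safe merge role:   " + mergeSafe(session, headers).get("role"));
    }
}
```

Running the class shows the unsafe merge handing the client the "admin" role while the allowlisted merge keeps "user" and logs the rejected key.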
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000