CVE-2024-4040 PoC — Unauthenticated arbitrary file read and remote code execution in CrushFTP

Source

https://github.com/airbus-cert/CVE-2024-4040

Associated Vulnerability

Title:Unauthenticated arbitrary file read and remote code execution in CrushFTP (CVE-2024-4040)
Description:A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server.

Description

Scanner for CVE-2024-4040

Readme

# CVE-2024-4040 - exploit scanners

This repository contains files related to [CVE-2024-4040](https://nvd.nist.gov/vuln/detail/CVE-2024-4040) (CrushFTP VFS escape).

## scan_host.py

This script attempts to use the vulnerability to read files outside the sandbox. If it succeeds, the script writes `Vulnerable` to standard output and returns with exit code 1. If exploiting the vulnerability does not succeed, the script writes `Not vulnerable` and exits with status code 0.

The script depends on the [`requests`](https://requests.readthedocs.io/en/latest/) library.

## scan_logs.py

This script looks for indicators of compromise in a CrushFTP server installation directory. It is basically equivalent to running the following command:

```
$ grep -F -r '<INCLUDE>' /path/to/CrushFTP/logs/
```

For each match, it will attempt to extract the IP which tried to exploit the server.

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!