Vulnerability Overview
CVE-2024-4040 is a critical server-side template injection (SSTI) vulnerability within the CrushFTP web interface that facilitates a full Virtual File System (VFS) sandbox escape. This flaw allows unauthenticated remote attackers to read sensitive files from the underlying host operating system, bypass authentication, and achieve administrative access by manipulating the template rendering engine. The vulnerability is assigned a CVSS v3.1 base score of 9.8, reflecting its high impact on confidentiality, integrity, and availability.
The core of the issue lies in how CrushFTP handles certain user-supplied variables within its template engine. By supplying a specially crafted payload, an attacker can escape the restricted VFS environment—designed to keep users confined to their designated folders—and access the root filesystem of the server. This is not a traditional path traversal via ../ sequences in a URL, but rather a manipulation of the server's internal processing of dynamic content.
Affected Versions and Patch Information
The vulnerability impacts both version 10 and version 11 of the CrushFTP software across all supported platforms (Windows, Linux, macOS). The following table outlines the affected and patched versions:
| Software Branch | Affected Versions | Patched Version |
|---|---|---|
| CrushFTP v10 | Below 10.7.1 | 10.7.1 |
| CrushFTP v11 | Below 11.1.0 | 11.1.0 |
Technical Analysis of the VFS Escape
CrushFTP uses a Virtual File System to manage user access. This abstraction layer is intended to map logical paths to physical locations on the disk. When a user logs in, their session is pinned to a specific VFS root. The vulnerability arises because the web interface's template parsing logic—specifically when handling the current_user context—does not adequately sanitize inputs that are later evaluated by the VFS.getVFS() methods.
The exploitation vector typically involves sending a request to the CrushFTP web server that includes a template tag. In many observed instances, the {userid} or other session-related variables can be abused. The server-side code uses these variables to construct file paths or session metadata. If an attacker can inject a tag like <INCLUDE> or use specific Java-style property accessors, they can force the server to read local files and include them in the HTTP response.
The Role of Template Injection
Unlike standard SSTI where an attacker might aim for Remote Code Execution (RCE) via a language like Velocity or Jinja2, the CrushFTP exploit focuses on the internal XML-based template system. The parser evaluates tags within the context of the user's session. An attacker can use a payload designed to fetch the sessions.obj file or the prefs.xml file. These files contain sensitive information, including session tokens for currently logged-in administrators and encrypted credentials.
Identifying exposed CrushFTP instances across the IPv4 space is a prerequisite for understanding the reach of this zero-day, a task often performed using Zondex to filter for specific server headers and response patterns unique to the CrushFTP WebInterface.
// Conceptual representation of the vulnerable path resolution
String userPath = getTemplateVariable("user_path");
// If userPath contains something like "{path}/../../../../etc/passwd"
// and the template engine evaluates it before the VFS sandbox check
File requestedFile = VFS.resolve(userPath);
Exploitation Walkthrough
The exploit is triggered by an unauthenticated POST or GET request to the /WebInterface/ endpoint. The attacker typically targets the login or preferences logic where the template engine is active. A common payload looks for the sessions.obj file, which is stored in the CrushFTP installation directory. This file is serialized Java data containing the active sessions of all users.
- Reconnaissance: The attacker identifies a CrushFTP instance.
- Payload Delivery: A request is sent containing a crafted template string:
[INCLUDE:/etc/passwd]or a variation targetingusers/MainUsers/groups.xml. - Sandbox Escape: The template engine processes the
INCLUDEdirective. Because the engine runs with the permissions of the CrushFTP service (often SYSTEM or root), it ignores the VFS restrictions imposed on the logical user session. - Data Exfiltration: The server responds with the contents of the requested file embedded in the HTML or as a raw stream.
Once the attacker has read prefs.xml, they gain access to the CrushFTP.License and, more importantly, the administrator credentials (often hashed but sometimes reversible if the encryption key is recovered). If the attacker reads sessions.obj, they can extract a valid CrushAuth cookie for an active administrator session, effectively bypassing the entire authentication mechanism.
Advanced Impact: Session Hijacking and RCE
The transition from a file read to Remote Code Execution is straightforward once administrative access is achieved. An administrator in CrushFTP has the ability to configure "Jobs" or "Events." These features allow for the execution of arbitrary scripts or binaries upon certain triggers (e.g., a file upload). By hijacking an admin session via CVE-2024-4040, the attacker can create a new Job that executes a reverse shell and trigger it immediately.
Security researchers can validate the efficacy of their patches and identify similar injection flaws in other web-facing services by using Secably as part of a continuous security testing pipeline. This helps in identifying if the vulnerability has been reintroduced through configuration changes or if secondary bypasses exist.
Payload Examples and Detection Patterns
Detection of this vulnerability relies on monitoring web server logs for unusual template tags or path traversal attempts within parameters that do not usually accept file paths. Payloads often involve the following patterns:
<INCLUDE>tags targeting system directories.- Encoded null bytes or double-encoded slashes used to confuse the VFS path normalization.
- Requests to
/WebInterface/containing{}or[]characters in the URI or POST body.
# Example log entry showing potential exploitation attempt
POST /WebInterface/login.html - 200 - "user=[INCLUDE:/etc/shadow]&pass=password"
Detection and Mitigation Strategies
Immediate patching is the only definitive resolution for CVE-2024-4040. The patch introduces stricter validation of template variables and prevents the evaluation of the INCLUDE tag and similar directives when they originate from untrusted user input. Furthermore, the updated versions implement better isolation between the template engine and the VFS resolution logic.
Log Analysis and Indicators of Compromise (IoC)
Administrators should inspect their logs/request_history_[date].log files for the following indicators:
- Presence of
<INCLUDE>,<FILE>, or<DIR>tags in HTTP request parameters. - Access attempts to
sessions.obj,prefs.xml, orusers.xmlfrom the WebInterface. - Unusual administrative logins from unexpected IP addresses, suggesting session hijacking.
For organizations managing large fleets of servers, using GProxy can assist in conducting anonymous internal audits of infrastructure to ensure that vulnerability scanners are not being blocked by regional WAF rules, ensuring a comprehensive view of the attack surface.
Configuration Hardening
Beyond patching, several hardening steps can limit the impact of such vulnerabilities:
| Measure | Technical Implementation | Benefit |
|---|---|---|
| Least Privilege | Run CrushFTP service as a dedicated non-privileged user. | Limits the files an attacker can read if they escape the VFS. |
| WAF Filtering | Block strings like <INCLUDE> at the edge. |
Provides a temporary shield while patching is underway. |
| IP Whitelisting | Restrict the /WebInterface/ to known administrative IPs. |
Reduces the attack surface for the unauthenticated exploit. |
The vulnerability underscores the danger of mixing user-controlled input with server-side logic engines. In the case of CrushFTP, the VFS was intended to be a secure container, but the template engine provided a "side-door" that bypassed all logical path constraints. When the template engine parses a tag, it acts as a higher-level instruction to the application, often executing before or outside the scope of the VFS's security checks. This architectural oversight allowed the SSTI to become a potent tool for lateral movement within the host's filesystem.
For those conducting forensic analysis after a suspected breach, the focus should be on the sessions.obj file. If this file was accessed by an unauthorized IP, it is highly likely that every session active at that moment was compromised. In such scenarios, rotating all credentials—not just administrative ones—and invalidating all active session tokens is mandatory.