Mass-Assignment Vulnerability in CrushFTP leading to Unauthenticated Remote Code Execution

We discussed this vulnerability during Episode 227 on 27 November 2023

This one starts off with a fun mass-assignment issue. Early on in the processing chain for an HTTP request to CrushFTP's web interface, the server parses every HTTP header into a Java Properties object, basically a key-value store of header names to their values. Later, if the as2-to header is present, this entire header map is merged into the active session's user_info map, with no consideration for request headers clobbering values that already exist in user_info.

This is a problem because the user_info map holds information about the active user. Unfortunately, the obvious route of corrupting the user_name or user_number values was not useful for an authorization bypass, since authorization checks use a separate variable. However, they were able to make use of some of the other information in the map, particularly the user_log_* values.

Specifically, when the user_log_path_custom value is set, the old log file (the one at user_log_path) is copied to the new path and the old file is deleted. Because an attacker can clobber both the source (user_log_path) and the destination (user_log_path_custom), they get an arbitrary file copy primitive and, effectively, a file deletion primitive.
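To make the two steps above concrete, here is an added, simplified model of the flow: headers flattened into a map, the as2-to triggered merge into user_info, and the log-path switch that copies one file to another. This is example code written for this page, not CrushFTP's implementation; the request text, the helper names (parse_headers, merge_vulnerable, merge_hardened, rotate_log, demo) and the AS2 allowlist are assumptions. The hardened variant shows the usual fix for mass assignment: copy only the keys you expect, into a namespace of their own, so request data can never overwrite session state.

```python
# Added, simplified model of the bug described above; this is NOT CrushFTP's code.
# The request text, helper names and the AS2 allowlist are assumptions for the
# example. Only the two keys named in the write-up, user_log_path and
# user_log_path_custom, drive the file copy.
import os
import shutil
import tempfile
from typing import Dict, Optional


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Flatten an HTTP request's headers into a name -> value map, the
    analogue of the Properties object the text describes. Names are
    lowercased because HTTP header names are case-insensitive."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                            # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def merge_vulnerable(user_info: Dict, headers: Dict[str, str]) -> Dict:
    """Mass assignment: when as2-to is present, every header is copied into
    the session's user_info, silently overwriting existing entries."""
    if "as2-to" in headers:
        user_info.update(headers)
    return user_info


AS2_ALLOWLIST = ("as2-to", "as2-from")  # assumed set of AS2 headers worth keeping


def merge_hardened(user_info: Dict, headers: Dict[str, str]) -> Dict:
    """Fix: copy only allowlisted AS2 headers, into their own sub-map, so
    request data can never overwrite session state such as user_log_path."""
    if "as2-to" in headers:
        as2 = user_info.setdefault("as2", {})
        for key in AS2_ALLOWLIST:
            if key in headers:
                as2[key] = headers[key]
    return user_info


def rotate_log(user_info: Dict) -> Optional[str]:
    """Model of the log-path switch: if user_log_path_custom is set, the file
    at user_log_path is copied there and the original removed."""
    src = user_info.get("user_log_path")
    dst = user_info.get("user_log_path_custom")
    if not src or not dst:
        return None
    shutil.copyfile(src, dst)
    os.remove(src)
    return dst


def demo(merge) -> Dict[str, bool]:
    """Run a clobbering request through the given merge strategy inside a
    temp dir and report whether the 'secret' file landed under the webroot."""
    root = tempfile.mkdtemp()
    secret = os.path.join(root, "users.xml")     # stands in for a sensitive file
    webroot = os.path.join(root, "webroot")      # stands in for the static webroot
    os.mkdir(webroot)
    with open(secret, "w") as f:
        f.write("<users><user>admin</user></users>")  # constructed content
    legit_log = os.path.join(root, "user.log")
    with open(legit_log, "w") as f:
        f.write("session start\n")
    user_info = {"user_name": "anonymous", "user_log_path": legit_log}

    leak_target = os.path.join(webroot, "leak.txt")
    # Constructed request: as2-to triggers the merge; the two user_log_* headers
    # choose the copy source and destination.
    raw = (
        "POST /WebInterface/ HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "as2-to: anything\r\n"
        f"user_log_path: {secret}\r\n"
        f"user_log_path_custom: {leak_target}\r\n"
        "\r\n"
    )
    merge(user_info, parse_headers(raw))
    rotate_log(user_info)
    return {
        "leaked_to_webroot": os.path.exists(leak_target),
        "secret_deleted": not os.path.exists(secret),
        "legit_log_intact": os.path.exists(legit_log),
    }


if __name__ == "__main__":
    print("vulnerable:", demo(merge_vulnerable))
    print("hardened:  ", demo(merge_hardened))
```

With merge_vulnerable the request both leaks the secret into the webroot and deletes the original; with merge_hardened the same request leaves user_log_path untouched and rotate_log does nothing, which is the property a fix needs to guarantee.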

This can be used for an obvious information leak, by copying sensitive files such as the local filesystem users.xml file into the webroot, which is served statically. Or by copying sessions.obj, which contains serialized Java objects with information about current logins and can be used to hijack a live session. Once they are authenticated as an administrative user, there is an arbitrary class instantiation vulnerability in the admin panel that can be abused for code execution.
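From the defender's side, the request pattern the write-up describes is distinctive: as2-to must be present to trigger the merge, and the clobbering headers carry internal-looking user_* names that no legitimate client sends. The following is an added detection heuristic over raw requests, written for this page rather than taken from CrushFTP's logging or any vendor rule; the sample traffic is constructed, and the prefix list and severity labels are assumptions.

```python
# Added detection heuristic for the request pattern described above; it is an
# example written for this page, not CrushFTP's logging or any vendor rule.
# The sample requests and file paths are constructed, and the header-name
# prefix list and severity labels are assumptions.
import re
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):\s*(.*)$")  # token ':' value
TRIGGER = "as2-to"              # header that turns the merge on, per the write-up
INTERNAL_PREFIXES = ("user_",)  # user_log_path, user_log_path_custom, user_name ...


def inspect_request(raw: str) -> Dict[str, object]:
    """Classify one raw HTTP request. 'high' = as2-to present together with
    internal-looking headers (merge trigger plus a clobber attempt);
    'low' = internal-looking headers alone, which per the text do not reach
    user_info but are still odd enough to log."""
    names: List[str] = []
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                     # blank line ends the header block
            break
        m = HEADER_RE.match(line)
        if m:
            names.append(m.group(1).lower())
    clobber = [n for n in names if n.startswith(INTERNAL_PREFIXES)]
    severity: Optional[str] = None
    if clobber and TRIGGER in names:
        severity = "high"
    elif clobber:
        severity = "low"
    return {"severity": severity, "trigger": TRIGGER in names, "clobber": clobber}


def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Run inspect_request over a batch and keep only the hits, with their index."""
    hits: List[Dict[str, object]] = []
    for i, raw in enumerate(requests):
        result = inspect_request(raw)
        if result["severity"]:
            result["index"] = i
            hits.append(result)
    return hits


# Constructed sample traffic: a normal page load, a legitimate-looking AS2
# message, and a request matching the clobber pattern. Paths are made up.
SAMPLES = [
    "GET /WebInterface/login.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: x\r\n\r\n",
    "POST /as2 HTTP/1.1\r\nHost: example.invalid\r\nAS2-To: partner\r\nAS2-From: us\r\n\r\n",
    "POST / HTTP/1.1\r\nHost: example.invalid\r\nas2-to: x\r\n"
    "user_log_path: /srv/app/users.xml\r\n"
    "user_log_path_custom: /srv/app/webroot/leak.txt\r\n\r\n",
]

if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

Note that User-Agent is not flagged: the prefix is user_ with an underscore, which matches the user_info key naming rather than any standard HTTP header, so a plain AS2 exchange with AS2-To and AS2-From also passes clean.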