CrushFTP
cpe:2.3:a:crushftp:crushftp:*:*:*:*:*:*:*
- >= 10.0.0, <= 10.8.3
- >= 11.0.0, <= 11.3.0
This vulnerability is being actively exploited in the wild.
A critical authentication bypass vulnerability has been identified in CrushFTP versions 10.0.0 prior to 10.8.4 and 11.0.0 prior to 11.3.1. This vulnerability allows unauthenticated access to the 'crushadmin' account, or any other user account, through the manipulation of AWS4-HMAC authorization headers. The issue arises from a race condition in the server's authentication process, which can be exploited to gain administrative access and potentially compromise the entire system.
Exploitation of this vulnerability allows for unauthorized authentication as any user, including administrators, leading to full administrative access on the CrushFTP server. This access can be used to perform any actions permitted to the authenticated user, such as accessing and modifying files, managing user accounts, and potentially executing malicious payloads on the server.
To reproduce this vulnerability, send an HTTP GET request to the CrushFTP server's WebInterface function endpoint. Include a CrushAuth cookie with a randomly generated session token, and an Authorization header formatted for AWS4-HMAC authentication, specifying a username without a tilde. The server will authenticate the session as the specified user, bypassing password verification. This exploitation can be automated with a Nuclei template available on the ProjectDiscovery Cloud platform.
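Detection logic for the request pattern described above, as an added example that is not part of this advisory or of CrushFTP's own code: it scans request records for AWS4-HMAC Authorization headers sent to the WebInterface function endpoint and reports the indicators the advisory names (credential user without a tilde, CrushAuth cookie alongside the header). The record layout, the `/WebInterface/function/` path and the sample requests are constructed assumptions.

```python
import re

# Constructed sample request records (assumption: one record per request as a
# reverse proxy or WAF might export it; these are not real CrushFTP log lines).
SAMPLE_REQUESTS = [
    {   # normal WebInterface call with only a session cookie: not flagged
        "path": "/WebInterface/function/?command=getUserInfo",
        "headers": {"Cookie": "CrushAuth=1700000000000_sessiontoken"},
    },
    {   # AWS4-HMAC credential whose user part has no tilde, sent together
        # with a CrushAuth cookie: the pattern the advisory describes
        "path": "/WebInterface/function/?command=getUserInfo",
        "headers": {
            "Cookie": "CrushAuth=1700000000000_randomtoken",
            "Authorization": "AWS4-HMAC-SHA256 Credential=crushadmin/, "
                             "SignedHeaders=host, Signature=0000",
        },
    },
    {   # S3-style credential with a tilde on an unrelated path: not flagged
        "path": "/bucket/key.txt",
        "headers": {"Authorization": "AWS4-HMAC-SHA256 Credential=alice~/20250101/x"},
    },
]

def extract_aws4_user(authorization):
    """User part of an AWS4-HMAC Credential field; None if not AWS4-HMAC."""
    if not authorization.startswith("AWS4-HMAC"):
        return None
    match = re.search(r"Credential=([^/,\s]*)", authorization)
    return match.group(1) if match else ""

def flag_request(req):
    """Flag AWS4-HMAC authentication attempts against the WebInterface
    function endpoint and record why each one looks suspicious."""
    headers = {k.lower(): v for k, v in req["headers"].items()}
    if "/webinterface/function/" not in req["path"].lower():
        return None
    user = extract_aws4_user(headers.get("authorization", ""))
    if user is None:
        return None
    reasons = ["AWS4-HMAC Authorization header on WebInterface endpoint"]
    if "~" not in user:
        reasons.append(f"credential user '{user}' contains no tilde")
    if "crushauth=" in headers.get("cookie", "").lower():
        reasons.append("CrushAuth cookie presented alongside AWS4-HMAC header")
    return {"path": req["path"], "user": user, "reasons": reasons}

def scan(requests):
    # keep only the records flag_request considered suspicious
    return [f for f in (flag_request(r) for r in requests) if f]
```

Any hit should be correlated with the CrushFTP session log for an unexpected login of the named user, since a legitimate S3-compatible client would not normally target the WebInterface endpoint.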
Users are advised to update CrushFTP to version 10.8.4 or 11.3.1 or later. If an immediate update is not possible, enabling the DMZ perimeter network option is a temporary workaround.