CrushFTP WebInterface Auth Bypass Exploit

This vulnerability enables unauthenticated attackers to bypass authentication in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. The vulnerability stems from how the CrushAuth cookie and AWS4-style Authorization header are processed, allowing attackers to impersonate an administrator by crafting specific values using a valid username.

A valid username is required for the attack to succeed, but no password is needed. By default, CrushFTP includes a built-in administrative user named crushadmin. This user is automatically suggested during the initial setup, but administrators may choose a different name. The exploit will only succeed if the username provided exists on the system. Successful exploitation provides full administrative access to the CrushFTP WebInterface.

This exploit performs the following steps:

1. Authentication Bypass
   - Sends a request to the 'getUserList' endpoint (typically at /WebInterface/function/) using a crafted 'CrushAuth' cookie and 'Authorization' header.
   - If the server returns the list of users, the target is confirmed vulnerable.
2. User Enumeration
   - Parses the XML response to extract usernames and displays them in the module output.
3. Optional User Creation
   - If parameters new_username and new_userpass are provided, a new user is created via the setUserItem endpoint.
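For defenders, the steps above leave a recognizable request pattern: a CrushAuth cookie sent together with an AWS4-style Authorization header to /WebInterface/function/, naming getUserList or setUserItem. The following is an added detection sketch, not part of the exploit module or of CrushFTP; the record schema (`src`, `url`, `headers`, `body`), the sample records, and matching on an `AWS4` scheme prefix are assumptions.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Affected ranges as stated in the description above (inclusive).
AFFECTED = [((10, 0, 0), (10, 8, 3)), ((11, 0, 0), (11, 3, 0))]
# Functions the description says the exploit calls, and what each signals.
WATCHED = {"setUserItem": "user-creation", "getUserList": "user-enumeration"}

def is_affected(version: str) -> bool:
    """True if a dotted version string falls inside an affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))
    return any(lo <= parts <= hi for lo, hi in AFFECTED)

def classify(req: dict) -> Optional[str]:
    """Label a request that pairs CrushAuth with an AWS4-style header."""
    hdr = {k.lower(): v for k, v in req.get("headers", {}).items()}
    if not urlsplit(req["url"]).path.lower().startswith("/webinterface/function"):
        return None
    # Assumption: "AWS4-style" means the scheme token starts with "AWS4".
    if not hdr.get("authorization", "").lstrip().upper().startswith("AWS4"):
        return None
    if "crushauth=" not in hdr.get("cookie", "").lower():
        return None
    blob = req["url"] + "\n" + req.get("body", "")
    for name, label in WATCHED.items():
        if name in blob:
            return label
    return "aws4-auth-on-webinterface"

def scan(requests: list) -> list:
    """Return (source, label) for every flagged request, in input order."""
    return [(r["src"], lbl) for r in requests if (lbl := classify(r))]

# Constructed sample records (hypothetical schema; header values redacted).
SAMPLE = [
    {"src": "203.0.113.7", "url": "/WebInterface/function/", "body": "getUserList",
     "headers": {"Cookie": "CrushAuth=REDACTED", "Authorization": "AWS4-HMAC-SHA256 REDACTED"}},
    {"src": "203.0.113.7", "url": "/WebInterface/function/", "body": "setUserItem",
     "headers": {"Cookie": "CrushAuth=REDACTED", "Authorization": "AWS4-HMAC-SHA256 REDACTED"}},
    {"src": "198.51.100.4", "url": "/WebInterface/function/", "body": "getUserList",
     "headers": {"Cookie": "CrushAuth=REDACTED"}},  # ordinary cookie-only session
]

if __name__ == "__main__":
    print(scan(SAMPLE), is_affected("11.3.0"), is_affected("11.3.1"))
```

A `user-creation` hit on a server for which `is_affected` is true is a reason to review the user list for accounts nobody on the team created.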