Lord777
The August patch was not the most reliable measure.
A dangerous bug has been discovered in the popular secure file sharing software CrushFTP, which gives attackers the opportunity to gain full control over the vulnerable server.
In fact, Converge experts discovered the vulnerability CVE-2023-43177 back in August. CrushFTP developers quickly fixed the problem in version 10.5.2. However, Converge recently published technical details and an exploit of the defect, which made it even more dangerous for non-updated systems.
The vulnerability can be exploited remotely, without authentication. Attackers send malicious traffic to ports 80, 443, 8080, or 9090 using special HTTP headers. This allows them to intercept active admin sessions.
Converge estimates that about 10,000 servers with CrushFTP installed are accessible from the Internet and susceptible to attacks. The company urges all users to install the patch urgently and apply additional security measures.
Describing in detail how the vulnerability works, the researchers note that attackers use flaws in the processing of AS2 headers to change the properties of user sessions.
This allows attackers not only to read and delete files on the server, but also to execute arbitrary code, achieving full control over the system.
To hide from detection tools, hackers manipulate files using the drain_log() function. They also use the sessions.obj function to elevate privileges.
The Converge team released a video with a detailed demonstration of the exploit.
Unfortunately, according to experts, installing patches does not guarantee full protection from threats. Hackers have upgraded their methods to attack even updated systems.
To reduce risks, experts recommend:
1. Update CrushFTP to the latest version.
2. Enable automatic security updates.
3. Change the password algorithm to Argon.
4. Conduct an audit for unauthorized sessions.
5. Activate the new Limited Server mode to strengthen security.
Given the appearance of a working exploit, attacks on vulnerable systems may begin in the very near future. Therefore, it is extremely important to take action as soon as possible.
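For the session audit in recommendation 4 and the AS2-header abuse described above, here is an added triage example (not code from the article, Converge or CrushFTP). It flags requests to the listed ports that carry AS2 headers but are unauthenticated or come from outside a known trading-partner list. The JSON-lines proxy log format, its field names and the partner allowlist are assumptions; `AS2-To`/`AS2-From` are the standard RFC 4130 header names, used here only as a generic AS2 marker.

```python
import json
from collections import defaultdict

CRUSHFTP_PORTS = {80, 443, 8080, 9090}   # ports named in the article
AS2_PREFIX = "as2-"                      # RFC 4130 headers: AS2-To, AS2-From, AS2-Version
KNOWN_AS2_PARTNERS = {"198.51.100.20"}   # assumption: your real AS2 trading partners

# Constructed sample: JSON-lines log from a reverse proxy in front of CrushFTP.
SAMPLE_LOG = """\
{"ts":"2023-11-20T10:00:01Z","src":"198.51.100.20","port":443,"user":"partner1","headers":{"AS2-To":"acme","AS2-From":"partner1"}}
{"ts":"2023-11-20T10:02:13Z","src":"203.0.113.7","port":8080,"user":null,"headers":{"AS2-To":"x","User-Agent":"curl/8.1"}}
{"ts":"2023-11-20T10:02:14Z","src":"203.0.113.7","port":443,"user":null,"headers":{"as2-to":"x"}}
{"ts":"2023-11-20T10:05:40Z","src":"192.0.2.44","port":443,"user":"alice","headers":{"User-Agent":"Mozilla/5.0"}}
this line is truncated {"ts":
"""

def flag_as2_requests(log_text, partners=KNOWN_AS2_PARTNERS):
    """Return {source_ip: [hits]} for AS2-bearing requests that are
    unauthenticated or come from a source outside the partner list."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                      # skip malformed or truncated lines
        if rec.get("port") not in CRUSHFTP_PORTS:
            continue
        # HTTP header names are case-insensitive, so normalise before matching.
        as2 = sorted(h.lower() for h in rec.get("headers", {})
                     if h.lower().startswith(AS2_PREFIX))
        if not as2:
            continue
        if rec.get("src") in partners and rec.get("user"):
            continue                      # expected traffic from a known partner
        findings[rec.get("src")].append(
            {"ts": rec.get("ts"), "port": rec.get("port"), "headers": as2})
    return dict(findings)

if __name__ == "__main__":
    for src, hits in flag_as2_requests(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} unexpected AS2 request(s)")
        for h in hits:
            print(f"  {h['ts']} port {h['port']} headers={h['headers']}")
```

Sites that do not use AS2 at all can leave the partner set empty, so that any AS2-bearing request is surfaced for review.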