Anyone should be able to do this, even if you have never used ChatGPT and are new to detection engineering or prompt engineering. The challenge is designed to be accessible to all.
Sections
Background (optional)
Building a CrushFTP lab
Vulnerability discovery
Background
The first installment of this (infinite) series of experiments covered the PaperCut vulnerability (CVE-2023-27350). The idea is to use GenAI (e.g. ChatGPT) natural-language prompts to aid the development of prevention, detection and exploitation code.
This time the target is CrushFTP CVE-2024-4040, which is both recent and high-risk; an excellent case study for experimentation.
What did Shodan say?
I see you were paying attention. Below is a screenshot of (and the search parameters for) Shodan, showing the total number of internet-exposed CrushFTP (HTTP) servers. The query matches the login page of the CrushFTP web interface:
html:"/WebInterface/Resources/js/login.js"
Ok, now let's get to work.
Building a CrushFTP lab
Downloading previous vulnerable versions from the vendor was an issue. A quick GitHub search can sometimes do the trick - here is a vulnerable build for your lab.
You can download the installation files, source code and find instructions on this page.
Once installed, I used the following command to start CrushFTP (and with it the web-based administration interface):
java -jar CrushFTP.jar
Once the CrushFTP HTTP service is running you can browse to the console shown below.
Vulnerability discovery
As with the PaperCut vulnerability (discussed in the first article of this series), the arbitrary file read is achieved by chaining two weaknesses:
Authentication bypass - an unauthenticated request to the /WebInterface endpoint returns a valid CrushAuth session token; and
Server-side template injection (SSTI) - with step 1 complete, that token is used to call the API and inject template expressions that the server evaluates, which is what yields the file read.
Vulnerability analysis
To better understand the vulnerabilities we need to exploit them manually. My recommendation is to use Burp to analyse the web application and its API endpoint.
I'm not going to reinvent the wheel here - Rapid7 did an excellent write-up:
Detection engineering
This section completes the detection process. The high-level process is:
The Nmap NSE script works straight out of the (vi) gates:
So, why an Nmap script specifically? Good question! Neo uses Nmap... nuff said.
If saving you from the Matrix wasn't enough, it also offers the following:
Portability: it is (still) cross-platform and highly configurable.
Community: you can contribute your (ChatGPT-generated) script to others.
Standards: we can standardise our approach to testing and tooling.
Detecting CrushFTP CVE-2024-4040
For the detection, we need to devise and confirm an approach manually. So, we first confirm the vulnerability and design the test method with Burp Proxy:
In the screenshot above we can clearly see the "CrushAuth" cookie being set. So, the simplest approach is to ask ChatGPT for a script that confirms the "CrushAuth" cookie is present. Note that this fingerprints the CrushFTP web interface rather than the vulnerable version: a patched CrushFTP sets the same cookie, so a hit still needs the installed version checked against the vendor advisory.
This produced the following NSE (Lua) script.
Again, the Nmap NSE script works straight out of the (vi) gates:
With minimal clean-up we can now share our detection script with the community:
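The ChatGPT-generated script itself is not reproduced on this page. The following is an added example written for this edit, not the author's output and not a script shipped with Nmap. It requests /WebInterface/ and reports a hit if the CrushAuth cookie is set or the login.js path used in the Shodan query above appears in the body; the file name crushftp-detect.nse and the port list are assumptions. As a product fingerprint it will also fire on patched servers, so the output carries a reminder to verify the version.

```lua
-- crushftp-detect.nse (added example, not the original post's script)
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Fingerprints the CrushFTP web interface by requesting /WebInterface/ and
checking for the CrushAuth session cookie and a reference to the login.js
resource. This identifies the product, not the patch level: a patched
CrushFTP sets the same cookie, so follow a hit with a version check against
the vendor advisory for CVE-2024-4040.
]]

author = "added example"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}

-- Assumed port list; CrushFTP's HTTP(S) ports are configurable per install.
portrule = shortport.port_or_service({80, 443, 8080, 8443, 9090}, {"http", "https"})

-- Indicators taken from the page: the session cookie name seen in Burp and
-- the login.js path used in the Shodan query.
local COOKIE_NAME = "CrushAuth"
local LOGIN_JS = "/WebInterface/Resources/js/login.js"

-- True if any Set-Cookie header parsed by the http library carries this name.
local function has_cookie(resp, name)
  if not resp.cookies then return false end
  for _, c in ipairs(resp.cookies) do
    if c.name == name then return true end
  end
  return false
end

action = function(host, port)
  -- A single unauthenticated GET to the login page; follow at most two redirects.
  local resp = http.get(host, port, "/WebInterface/", {redirect_ok = 2})
  if not resp or not resp.status then
    stdnse.debug1("no HTTP response from %s:%d", host.ip, port.number)
    return nil
  end

  local cookie_hit = has_cookie(resp, COOKIE_NAME)
  -- Plain (non-pattern) search so the slashes and dots are taken literally.
  local js_hit = resp.body ~= nil and string.find(resp.body, LOGIN_JS, 1, true) ~= nil

  if not cookie_hit and not js_hit then
    return nil  -- nothing CrushFTP-specific observed; stay silent
  end

  local out = stdnse.output_table()
  out.product = "CrushFTP web interface"
  out.http_status = resp.status
  out.crushauth_cookie = cookie_hit
  out.login_js_reference = js_hit
  out.note = "Fingerprint only; verify the installed version against the vendor advisory for CVE-2024-4040."
  return out
end
```

Run it with nmap -p 8080 --script ./crushftp-detect.nse followed by the target; it sits in the safe category because it only issues one GET to the login page and sends no template payload.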
Conclusion
Our experiments using GenAI (ChatGPT) to create detection scripts are taking shape. The next GenAI experiment will include basic exploitation - subscribe to be notified.
As always, if I got anything wrong,...
References
Here is the list of resources that were used to perform the exercise.